How to use Event Forwarding to send "incidents" to another Symantec Security Information Manager (SSIM) Server


Article ID: 177554


Updated On:


Security Information Manager


You want to send events to be correlated from one SSIM server to another SSIM Server without using Service Provider mode.



There is no option to only send incidents, what you need to do is send all the events again to be correlated again. This setup is generally used when you only have 2 appliances:

one collecting/archiving and the other correlating only


one correlating/archive/collection and one as a backup correlating only. (archive being written to external storage.)


If you are not using Service provider mode, the following needs to be done to do send events to be correlated again as incident from one SSIM Server to another:

Go to System tile -> Appliance Configurations
Expand the SSIM Server you want to forward incidents from.
Go to Event Forwarding Rules -> Create a new Event Forwarding rule.
In the new rule properties, enter the following:
· Rule Name
· The hostname or IP address of the SSIM server the incidents will be sent to
· Select the service to forward to, use ‘Correlation Service’, which uses port 10010.


Technical Information
If you want to forward incidents in a Service provider mode go to


In version SSIM 4.7.1 a new option was added to use an internal Service Provider mode. This would now be a more recommended setup, the configuration above should be used for SSIM 4.6 only.