Nice meeting you tonight, Chuck, and THANKS for the redhat cd's...

sec was the freeware event correlation tool I spoke of tonight: It is a straightforward perl script and doesn't implement a full state machine, but it nevertheless provides some inklings of what more complicated event correlators do. Check it at http://kodu.neti.ee/~risto/sec/

The best commercial event correlation tools IMHO are Nervecenter, Taave, Smarts, and Netcool. Each has its niche where it's best in class, and there are others, like HP's ECS, Logec, G2, etc.

My friend Doug Stevenson is a specialist in event correlation and wrote the Maji spec: the open source event correlation engine being developed under the umbrella of OpenNMS (yeah, so, it'll be java - but it will also be very feature rich). He masterfully defines some of the layers of granularity that one might see amongst the different offerings in the Event Correlation space. Types we talked about tonight include event correlation (reducing traps) and device correlation (mapping switch states to events). His definitions are listed below...

Mike

<snipped message>

OK... Here goes...

§ Event Correlation
§ Alarm Correlation
§ Device Correlation
§ System Correlation
§ Service Correlation
§ Performance Correlation
§ Security Correlation

Event Correlation - This is a correlation where multiple events are filtered and processed, thereby reducing the number of events presented. This is primarily done with event tally counts and trap problem verification.

Alarm Correlation - This is a correlation of alarms and alerts depicting true problems or root causes and their current status. Side effect alarms or alarms occurring as a result of a root cause alarm are suppressed or become subordinate to the root cause alarm.

Device Correlation - This is a correlation of devices, their specific internal components (both hardware and software), and the device's behavior with other devices. Additionally, device correlation lends itself toward configuration management as it is a dynamic inventory of devices, subsystems, components, and behaviors.

System Correlation - This is a correlation of devices and managed objects as they pertain to an overall system. This level of correlation enables one to manage and classify a conglomeration of managed objects as a manageable entity.

Service Correlation - This correlation is used to determine the devices and systems that make up an IT service. In essence, this is the correlation of managed objects and systems to business rules; similar to a translation of terms from computers and systems to business services. The Service Correlation can be extended to customer impact analysis, business profitability impact analysis, etc.

Performance Correlation - This correlation is used to determine the effects performance has with regards to a fault. It is unique in that performance correlation can be applied to enhance the correlation of all of the other categories.

Security Correlation - This correlation is used to determine the degree of threats caused by security incidents. It is unique in that security correlation is embedded among all the other six categories described above.

HTH,

Doug...
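
The first two layers in the list above, event correlation by tally count and alarm correlation by root-cause suppression, sketched as an added example that is not part of the original message and is not code from sec or Maji. The trap names, devices, topology map and 60-second window are constructed assumptions.

```python
# Constructed sample traps: (timestamp_seconds, device, event_type)
EVENTS = [
    (0, "rtr1", "nodeDown"), (5, "sw2", "nodeDown"), (6, "srv7", "nodeDown"),
    (10, "rtr1", "nodeDown"), (20, "rtr1", "nodeDown"), (25, "srv7", "nodeDown"),
    (30, "sw9", "linkFlap"), (40, "sw9", "linkFlap"), (200, "sw9", "linkFlap"),
]
# Assumed topology: device -> the upstream device it is reached through
UPSTREAM = {"sw2": "rtr1", "srv7": "sw2"}

def tally(events, window=60):
    """Event correlation: repeats of the same (device, type) seen within
    `window` seconds of the first one collapse into one record with a count."""
    out, current = [], {}          # current: key -> index of its open record
    for ts, dev, typ in sorted(events):
        i = current.get((dev, typ))
        if i is not None and ts - out[i]["first"] <= window:
            out[i]["count"] += 1
            out[i]["last"] = ts
        else:
            current[(dev, typ)] = len(out)
            out.append({"device": dev, "type": typ,
                        "first": ts, "last": ts, "count": 1})
    return out

def root_of(device, down, upstream):
    """Topmost device on the upstream path that is also down, else the device."""
    root, node, seen = device, upstream.get(device), {device}
    while node is not None and node not in seen:   # `seen` guards against loops
        seen.add(node)
        if node in down:
            root = node
        node = upstream.get(node)
    return root

def correlate_alarms(records, upstream, down_type="nodeDown"):
    """Alarm correlation: a down alarm behind another down device becomes
    subordinate to that root cause. Returns {root_device: [subordinates]}."""
    down = {r["device"] for r in records if r["type"] == down_type}
    roots = {}
    for r in records:
        if r["type"] != down_type:
            continue
        root = root_of(r["device"], down, upstream)
        subs = roots.setdefault(root, [])
        if root != r["device"]:
            subs.append(r["device"])
    return roots

if __name__ == "__main__":
    records = tally(EVENTS)
    print(len(EVENTS), "traps ->", len(records), "records")
    print(correlate_alarms(records, UPSTREAM))
```

Nine traps reduce to five tallied records, and the three nodeDown alarms reduce to one root cause with two subordinates.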