Whoops, didn't mean to send to the entire list - I guess I had too many mini
oreo cookies last night...
----- Original Message -----
From: Mike Peckar <ov(a)fognet.com>
Sent: Thursday, October 11, 2001 11:27 PM
Subject: [Wlug] more on event correlation...
Nice meeting you tonight, Chuck, and THANKS for the
sec was the freeware event correlation tool I spoke of tonight: It is a
straightforward Perl script and doesn't implement a full state machine,
it nevertheless provides some inklings of what more
correlators do. Check it at http://kodu.neti.ee/~risto/sec/
The best commercial event correlation tools IMHO are Nervecenter, Taave,
Smarts, and Netcool. Each has its niche where it's best in class, and
there are others, like HP's ECS, Logec, G2, etc.
My friend Doug Stevenson is a specialist in event correlation and wrote
Maji spec: the open source event correlation engine
being developed under
the umbrella of OpenNMS (yeah, so, it'll be java - but it will also be
feature rich). He masterfully defines some of the
layers of granularity
one might see amongst the different offerings in the
space. Types we talked about tonight include event correlation (reducing
traps) and device correlation (mapping switch states to events). His
definitions are listed below...
§ Event Correlation
§ Alarm Correlation
§ Device Correlation
§ System Correlation
§ Service Correlation
§ Performance Correlation
§ Security Correlation
Event Correlation - This is a correlation where multiple events are
and processed, thereby reducing the number of events
presented. This is
primarily done with event tally counts and trap problem verification.
Alarm Correlation - This is a correlation of alarms and alerts depicting
true problems or root causes and their current status. Side effect alarms
alarms occurring as a result of a root cause alarm are
subordinate to the root cause alarm.
Device Correlation - This is a correlation of devices, their specific
internal components (both hardware and software), and the device's
with other devices. Additionally, device correlation
lends itself toward
configuration management as it is a dynamic inventory of devices,
subsystems, components, and behaviors.
System Correlation - This is a correlation of devices and managed objects
they pertain to an overall system. This level of
correlation enables one
manage and classify a conglomeration of managed
objects as a manageable
Service Correlation - This correlation is used to determine the devices
systems that make up an IT service. In essence, this
is the correlation of
managed objects and systems to business rules; similar to a translation of
terms from computers and systems to business services. The Service
Correlation can be extended to customer impact analysis, business
profitability impact analysis, etc.
Performance Correlation - This correlation is used to determine the
performance has with regards to a fault. It is unique
in that performance
correlation can be applied to enhance the correlation of all of the other
Security Correlation - This correlation is used to determine the degree of
threats caused by security incidents. It is unique in that security
correlation is embedded among all the other six categories described
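
The first two levels defined above (event tally counts, and side-effect alarms subordinate to a root cause alarm), as an added example that is not part of the original message and is not code from sec or Maji. The sample traps, the `UPSTREAM` dependency map, the 300-second window and the function names are assumptions made for illustration.

```python
# Constructed sample traps: (seconds, device, event type).
EVENTS = [
    (0, "sw1", "linkDown"),
    (2, "sw1", "linkDown"),
    (5, "sw1", "linkDown"),
    (6, "host-a", "nodeUnreachable"),
    (7, "host-b", "nodeUnreachable"),
    (400, "sw1", "linkDown"),
]
# Assumed topology: device -> the upstream device it is reached through.
UPSTREAM = {"host-a": "sw1", "host-b": "sw1"}
WINDOW = 300  # assumed correlation window in seconds


def tally(events, window=WINDOW):
    """Event correlation: fold repeats of (device, type) seen within
    `window` seconds of the first occurrence into one record with a count."""
    records, current = [], {}
    for ts, device, etype in sorted(events):
        rec = current.get((device, etype))
        if rec is not None and ts - rec["first"] <= window:
            rec["count"] += 1
            rec["last"] = ts
        else:
            rec = {"device": device, "type": etype,
                   "first": ts, "last": ts, "count": 1}
            current[(device, etype)] = rec
            records.append(rec)
    return records


def subordinate(records, upstream=UPSTREAM, window=WINDOW):
    """Alarm correlation: file an alarm under an open alarm on its upstream
    device when both start within `window`; otherwise it is a root cause.
    One level deep only, and the root must arrive before its side effects."""
    roots = []
    for rec in records:
        rec["children"] = []
        parent_dev = upstream.get(rec["device"])
        parent = next((r for r in roots if r["device"] == parent_dev
                       and abs(rec["first"] - r["first"]) <= window), None)
        if parent is not None:
            parent["children"].append(rec)
        else:
            roots.append(rec)
    return roots
```

Six raw traps become four tallied records and then two root alarms; a side effect that arrives before its root cause is presented as a root here, which is the kind of ordering problem a fuller state machine handles.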