...
The event correlation engine allows configuring the system behavior rules depending on the event type (for example, whether or not to create an Incident if an Exception event has been thrown).
The rules listed below are provisional and can be configured in line with your business tasks and objectives.
Exception Events
Exception events are the highest priority ones in this list. An example of an exception event is the unavailability of a server or any other crucial service.
The processing of exception events using the event correlation engine is listed below (we will use the example with the server):
- The active monitoring system (AMS) throws an alert "server is unreachable";
- On the SimpleOne instance, in accordance with the settings specified, the Exception event is created, identical to the alert and having the Active status;
- The Debounce engine starts to work, and the specified period should pass before any actions can be undertaken (for example, three minutes);
- The status of the event associated with this alert is checked (the monitoring system updates alert states, and the event statuses synchronize with them):
  - If the event status is still Active, the Incident is raised immediately;
  - If the event status has changed to Inactive, the Incident is not raised.
...
The processing of warning events using the event correlation engine is listed below (we will use the example with the disk space):
- The AMS throws an alert like "disk space is running out, X Mb left";
- On the SimpleOne instance, in accordance with the settings specified, the Warning event is created, identical to the alert and having the Active status;
- As opposed to the Exception events, the Debounce engine is not launched and no countdown is started. In accordance with the settings specified, there must be two active Warning events for this alert before the Debounce engine is launched;
- If the second Warning event is received, the Debounce engine launches and the specified period should pass before any actions can be undertaken;
- The statuses of the events associated with this alert are checked (the monitoring system updates alert statuses, and the event statuses synchronize with them):
  - If all the events are still Active, the Incident is raised immediately;
  - If at least one event is Inactive, the Incident is not raised.
...
The processing of information events using the event correlation engine is listed below (we will use the example with the logins):
- The AMS throws an alert like "John Doe tries to log in ten times per minute";
- The Event Monitoring module collects ten login events of the same user per minute;
- After that, it raises an Incident about suspicious activity. In this case, the Debounce engine is not used.