Event correlation

Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important in that mass of information. This is accomplished by looking for and analyzing relationships between events.

History

Event correlation has been used in various fields for many years:

- since the 1970s, telecommunications and industrial process control;
- since the 1980s, network management and systems management;
- since the 1990s, IT service management, publish-subscribe systems (pub/sub), Complex Event Processing (CEP) and Security Information and Event Management (SIEM);
- since the early 2000s, Distributed Event-Based Systems and Business Activity Monitoring (BAM).

Examples and application domains

Integrated management is traditionally subdivided into various fields:

- layer by layer: network management, system management, service management, etc.
- by management function: performance management, security management, etc.

Event correlation takes place in different components depending on the field of study:

- Within the field of network management, event correlation is performed in a management platform typically known as a Network Management Station or Network Management System (NMS). For example, events may notify that a device has just rebooted or that a network link is currently down.
- Within the field of systems management, an event may for instance report that the CPU utilization of an e-business server has been at 100% for over 15 minutes.
- Within the field of service management, an event may notify that a Service-Level Objective is not met for a given customer, for example.
- Within the field of security management, the management platform is usually known as the Security Information and Event Management (SIEM), and event correlation is often performed in a separate correlation engine. That engine may directly receive events in real time, or it may read them from SIEM storage. In this case, examples of monitored events include activity such as authentication, access to services and data, and output from point security tools such as an Intrusion Detection System (IDS) or antivirus software.

In this article, we focus on event correlation in integrated management and provide links to other fields.

Event correlation in integrated management

The goal of integrated management is to integrate the management of networks (data, telephone and multimedia), systems (servers, databases and applications) and IT services in a coherent manner. The scope of this discipline notably includes network management, systems management and Service-Level Management.

Events and event correlator

Event correlation usually takes place inside one or several management platforms. It is implemented by a piece of software known as the event correlator. This component is automatically fed with events originating from managed elements (applications, devices), monitoring tools, the Trouble Ticket System, etc. Each event captures something special (from the event source standpoint) that happened in the domain of interest to the event correlator, which will vary depending upon the type of analysis the correlator is attempting to perform.

The event correlator plays a key role in integrated management, for only within it do events from many disparate sources come together and allow for comparison across sources. For instance, this is where the failure of a service can be ascribed to a specific failure in the underlying IT infrastructure, or where the root cause of a potential security attack can be identified.

Most event correlators can receive events from trouble ticket systems. However, only some of them are able to notify trouble ticket systems when a problem is solved, which partly explains the difficulty for Service Desks to stay up to date with the latest news. In theory, the integration of management in organizations requires the communication between the event correlator and the trouble ticket system to work both ways.

An event may convey an alarm or report an incident (which explains why event correlation used to be called alarm correlation), but not necessarily. It may also report that a situation goes back to normal, or simply send some information that it deems relevant (e.g., policy P has been updated on device D). The severity of the event is an indication given by the event source to the event destination of the priority that this event should be given while being processed.

Step-by-step decomposition

Event correlation can be decomposed into four steps: event filtering, event aggregation, event masking and root cause analysis. A fifth step (action triggering) is often associated with event correlation and is therefore briefly mentioned here.

Event filtering

Event filtering consists of discarding events that are deemed to be irrelevant by the event correlator. For instance, a number of bottom-of-the-range devices are difficult to configure and occasionally send events of no interest to the management platform (e.g., printer P needs A4 paper in tray 1). Another example is the filtering of informational or debugging events by an event correlator that is only interested in availability and faults.

Event aggregation

Event aggregation is a technique where multiple events that are very similar (but not necessarily identical) are combined into an aggregate that represents the underlying event data. Its main objective is to summarize a collection of input events into a smaller collection that can be processed using various analytics methods. For example, the aggregate may provide statistical summaries of the underlying events and the resources that are affected by those events. Another example is temporal aggregation, when the same problem is reported over and over again by the event source, until the problem is finally solved.

Event de-duplication is a special type of event aggregation that consists of merging exact duplicates of the same event. Such duplicates may be caused by network instability (e.g., the same event is sent twice by the event source because the first instance was not acknowledged sufficiently quickly, but both instances eventually reach the event destination).

Event masking

Event masking (also known as topological masking in network management) consists of ignoring events pertaining to systems that are downstream of a failed system. For example, servers that are downstream of a crashed router will fail availability polling.

Root cause analysis

Root cause analysis is the last and most complex step of event correlation. It consists of analyzing dependencies between events, based for instance on a model of the environment and dependency graphs, to detect whether some events can be explained by others. For example, if database D runs on server S and this server gets durably overloaded (CPU used at 100% for a long time), the event “the SLA for database D is no longer fulfilled” can be explained by the event “Server S is durably overloaded”.

Action triggering

At this stage, the event correlator is left with at most a handful of events that need to be acted upon. Strictly speaking, event correlation ends here. However, by an abuse of language, the event correlators found on the market (e.g., in network management) sometimes also include problem-solving capabilities. For instance, they may trigger corrective actions or further investigations automatically.

Event correlation in other fields

Event correlation in ITIL

The scope of ITIL is larger than that of integrated management. However, event correlation in ITIL is quite similar to event correlation in integrated management.

In the ITIL version 2 framework, event correlation spans three processes: Incident Management, Problem Management and Service Level Management.

In the ITIL version 3 framework, event correlation takes place in the Event Management process. The event correlator is called a correlation engine.

Event correlation in publish-subscribe systems

Main article: Publish–subscribe pattern

Event correlation in complex event processing

Main article: Complex event processing

Event correlation in business activity monitoring

Main article: Business activity monitoring

Event correlation in industrial process control

Main article: Supervisory control and data acquisition

See also

- Business activity monitoring
- Causal reasoning
- Complex event processing
- ECA rules
- Event stream processing
- Event-driven architecture
- Event-driven programming
- Event-driven SOA
- Incident management
- Issue tracking system
- IT service management
- Network management
- Problem management
- Root cause analysis
- Supervisory control and data acquisition (SCADA)
- Systems management

External links

- Softpanorama event correlation technologies page
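The four correlation steps described in the step-by-step decomposition above (event filtering, event aggregation with de-duplication, topological event masking, and root cause analysis over a dependency model) as a small worked example. This is added example code, not code from the article or from any product it mentions; the event feed, the upstream-router topology, the "runs on" mapping and the severity and kind labels are all constructed for illustration.

```python
# Added example (not from the article): a minimal event correlator that walks
# the four steps of the decomposition: filter, aggregate/de-duplicate, mask,
# and root cause analysis. All events and models below are constructed.
from dataclasses import dataclass


@dataclass(eq=False)  # identity-based hashing so events can key a dict
class Event:
    time: int       # seconds on a constructed clock
    source: str     # managed element that emitted the event
    kind: str       # constructed labels: link_down, unreachable, cpu_overload, sla_violation, ...
    severity: str   # constructed scale: debug, info, warning, critical
    message: str
    count: int = 1  # raw events merged into this aggregate


# Constructed feed: a crashed router, two servers behind it failing polls,
# an overloaded server hosting a database, noise, and one exact duplicate.
RAW_EVENTS = [
    Event(0, "router-r1", "link_down", "critical", "interface eth0 down"),
    Event(1, "server-s2", "unreachable", "critical", "availability poll failed"),
    Event(1, "server-s3", "unreachable", "critical", "availability poll failed"),
    Event(2, "printer-p1", "supplies", "info", "needs A4 paper in tray 1"),
    Event(3, "server-s1", "cpu_overload", "warning", "CPU at 100% for 15 min"),
    Event(3, "server-s1", "cpu_overload", "warning", "CPU at 100% for 15 min"),  # exact duplicate
    Event(4, "server-s1", "cpu_overload", "warning", "CPU at 100% for 20 min"),  # same problem re-reported
    Event(5, "db-d1", "sla_violation", "critical", "SLA for database D1 no longer fulfilled"),
    Event(6, "agent-x", "heartbeat", "debug", "agent alive"),
]

# Constructed environment model (the "model of the environment" of the article).
UPSTREAM = {"server-s2": "router-r1", "server-s3": "router-r1"}  # reachability dependency
RUNS_ON = {"db-d1": "server-s1"}                                  # database -> hosting server


def filter_events(events):
    """Step 1: drop informational/debugging events; this correlator only cares about faults."""
    return [e for e in events if e.severity not in ("debug", "info")]


def aggregate_events(events, window=60):
    """Step 2: merge exact duplicates and repeated reports of the same problem
    from the same source within `window` seconds into a single aggregate."""
    out, current = [], {}          # current maps (source, kind) -> index of open aggregate
    for e in events:
        key = (e.source, e.kind)
        idx = current.get(key)
        if idx is not None and e.time - out[idx].time <= window:
            out[idx].count += e.count
            out[idx].message = e.message   # keep the most recent description
        else:
            out.append(Event(e.time, e.source, e.kind, e.severity, e.message, e.count))
            current[key] = len(out) - 1
    return out


def is_downstream_of_failure(source, failed):
    """Walk the upstream chain and report whether any hop has failed."""
    hop = UPSTREAM.get(source)
    while hop is not None:
        if hop in failed:
            return True
        hop = UPSTREAM.get(hop)
    return False


def mask_events(events):
    """Step 3 (topological masking): ignore events from systems downstream of a failed one."""
    failed = {e.source for e in events if e.kind == "link_down"}
    return [e for e in events if not is_downstream_of_failure(e.source, failed)]


def root_cause_analysis(events):
    """Step 4: explain an SLA violation on a database by an overload of its host.
    Returns (root_events, explanations) with explanations: explained -> cause."""
    by_key = {(e.source, e.kind): e for e in events}
    explanations = {}
    for e in events:
        if e.kind == "sla_violation":
            cause = by_key.get((RUNS_ON.get(e.source), "cpu_overload"))
            if cause is not None:
                explanations[e] = cause
    roots = [e for e in events if e not in explanations]
    return roots, explanations


def correlate(events):
    """Run all four steps; what remains is the handful of events to act upon."""
    survivors = mask_events(aggregate_events(filter_events(events)))
    return root_cause_analysis(survivors)


if __name__ == "__main__":
    roots, explained = correlate(RAW_EVENTS)
    for e in roots:
        print(f"ACT ON  {e.source:10} {e.kind:13} x{e.count}  {e.message}")
    for e, cause in explained.items():
        print(f"EXPLAIN {e.source:10} {e.kind:13} <- {cause.source} {cause.kind}")
```

Running the script leaves two actionable events, the router failure and the overloaded server (with its three raw reports merged into one aggregate), while the two unreachable servers are masked by the router failure and the database SLA violation is explained by the overload of its host. A real correlator would replace the hard-coded `UPSTREAM` and `RUNS_ON` maps with a dependency graph of the managed environment.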