
Automatic Instantiation of Rules for Event Correlation (16-Sep-2009)

IP.com Prior Art Database Disclosure (Source: IPCOM)
Disclosure Number IPCOM000187716D dated 16-Sep-2009
Originally published in Prior Art Database
Disclosed by: IBM
Country: Undisclosed
Disclosure File: 4 pages / 29.8 KB / English (United States)

Disclosed is a method by which event correlation rules can be specified in a generic manner but still be used to track specific rule element instances constrained by their attribute values and types. If rules are specified in this manner, it no longer matters when rule elements have different formats or value ranges. An automatic semantic alignment mechanism is proposed to relieve rule writers of the burden of making sure their correlation elements are compatible with each other.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 35% of the total text.


In many management solutions, whether in IT or Business Process Management, the tracking of a specific element, whether an IT device or a business artifact (e.g., an order, a product item, a customer), is an important piece of the monitoring capability. In most cases, it is not desirable to check for heartbeat events independent of their hostname, or for the start and completion of a business process independent of the product item that is going through the process. This type of tracking should happen in the context of each one of these elements separately.

Rule-based event correlation techniques are usually applied to these situations, but they can become cumbersome when thousands of resources must be tracked. It is then not feasible to explicitly create a rule to track each specific correlation element (e.g., a hostname or order identifier). This problem is further complicated by the fact that when a large number of elements are being managed/monitored, their correlation elements may not always be represented in the same format, or may not be represented by the same value ranges. For example, a hostname attribute may be represented as a fully qualified hostname such as aixnm01.raleigh.ibm.com, or it may be represented by this machine's IP address, such as 9.172.18.101. Semantically these two values are equivalent, but in order for them to correlate, additional rules are needed that link these two values. In an environment with hundreds of thousands of correlation elements, a large number of rules will be needed to deal with the situation, and these rules need to be created and maintained by a human. This disclosure eliminates the need for human creation and maintenance of such rules.

The main idea proposed in this disclosure is that for each given event correlation rule, a grouping key is specified to identify - in the potential events matched by the rule - which attributes, combination of attributes, or computation of attributes can be used to group the matched events into different rule instances. These rule instances are then created automatically and dynamically as new events arrive.

In addition, each grouping key also specifies baseline semantic information that describes the elements being correlated. Each event that enters the correlation engine now has to align its attributes to the same semantic baseline as the grouping key. A helper component that works in tandem with the correlation engine handles this job and then passes the information on to be correlated as usual, and the grouping key then automatically spawns a new dynamic rule. In this case, our earlier example of a machine's events identified by either fully qualified names or IP addresses would be successfully grouped and correlated.
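The grouping-key idea described above, sketched as an added example (not code from the disclosure): one generic heartbeat rule spawns an instance per aligned key, so the FQDN and the IP address of the same machine land in the same instance. All class and function names are hypothetical, and the alias table and the db02.example.com events are constructed; a real helper component would resolve aliases from DNS or an inventory.

```python
from dataclasses import dataclass, field

# Constructed alias table standing in for the semantic baseline (IP -> FQDN).
ALIASES = {"9.172.18.101": "aixnm01.raleigh.ibm.com"}

def align_host(value):
    """Helper component: map any host representation onto a lower-case FQDN."""
    v = value.strip().lower().rstrip(".")
    return ALIASES.get(v, v)

@dataclass
class GroupingKey:
    attrs: tuple     # event attributes that make up the key
    aligners: dict   # attribute -> function aligning its value to the baseline

    def of(self, event):
        return tuple(self.aligners.get(a, str)(event[a]) for a in self.attrs)

@dataclass
class HeartbeatRule:
    """Generic rule: an element is silent if no event arrived within max_gap seconds."""
    key: GroupingKey
    max_gap: float
    instances: dict = field(default_factory=dict)  # grouping key -> last-seen time

    def on_event(self, event):
        # First event for a key creates the rule instance; later ones update it.
        self.instances[self.key.of(event)] = event["ts"]

    def silent(self, now):
        return sorted(k for k, last in self.instances.items()
                      if now - last > self.max_gap)

# Constructed sample events: the same machine reports by FQDN, then by IP.
EVENTS = [
    {"ts": 0, "host": "aixnm01.raleigh.ibm.com"},
    {"ts": 0, "host": "db02.example.com"},
    {"ts": 50, "host": "9.172.18.101"},
]

def run(events, aligners, now, max_gap=60):
    """Feed events through one generic rule; return (instance count, silent keys)."""
    rule = HeartbeatRule(GroupingKey(("host",), aligners), max_gap)
    for e in events:
        rule.on_event(e)
    return len(rule.instances), rule.silent(now)

if __name__ == "__main__":
    print("aligned:  ", run(EVENTS, {"host": align_host}, now=70))
    print("unaligned:", run(EVENTS, {}, now=70))
```

Without alignment the rule tracks three instances and reports aixnm01 as silent even though its heartbeat arrived under the IP address; with alignment only db02.example.com is reported.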

The mechanism should be implemented as two companion modules/components that work alongside existing correlation engines. The first m...
