Event Correlation
Event correlation provides a way to monitor a sequence of events that is expected to occur over a period of time. The appearance or absence of the expected sequence of events can be used to alert an administrator of a malfunction.
It is common in event monitoring solutions to trigger an action only after a certain delay. That delay can be used to wait for a second event that cancels the first one.
Correlation in this way applies to all events that operate in pairs: an alarm and an event that acknowledges the alarm.
In the case of SNMP traps, you must create an event for each LoriotPro trap (using Trap filters) if you want to use the correlation plugin.
The most frequent case where trap correlation is justified is network interfaces that go temporarily out of service (sending a Link Down trap), followed within seconds by a return to normal (Link Up). Correlation here monitors the time interval between Link Down and Link Up and informs the administrator if the interface does not return to the UP state within a predefined delay.
A new LoriotPro service plugin (Pending Events Correlator), associated with event filters or with a command line program, can be used to correlate successive events.
The plugin (Pending Events Correlator) must be loaded for the correlation mechanism to work.
Principle of operation
To correlate events, two event filters must be defined.
The filter on event X must be matched first and is correlated with the filter associated with event Y.
In short, event Y must acknowledge event X within a given period of time, otherwise an event Z is generated.
To explain the principle, a simple and classic use case of this plugin is used.
A host goes into the "down" state (it no longer responds to LoriotPro polling), but we want to give it time to come back "up" (the host responds to polling again). If it does not come back "up" within a given time, an event is generated to warn the network administrator.
LoriotPro sends a message numbered 101 when a host goes down (level 4)
and a message numbered 100 when the host comes back up (level 1 or 2).
This option is configured in the Polling Process module.
The polling parameters of a host are defined in the module properties of the host.
The host is considered down after 4 non-responses (4 * 5 s = approximately 20 s); event 101 is then issued with the parameters of the host concerned.
A filter can be defined on reception of event 101, which stores the event in memory.
Message 101 reads as follows:
<4> Session ip [12.1.1.250] Router1603 is not longer responding to LoriotPro Polling (old status 3)
It indicates that host 12.1.1.250 no longer responds (down) and that its previous status was 3.
The wizard proposes a new event filter.
Choose the "Send to correlator Plugin" option in the Action Type.
The following window appears:
Option | Description
Send Event | the number of the event to send (numero_event) if the pending event is not acknowledged in time
At Level | the severity level of the event to send, as previously set (0-9)
if not correlated after | waiting time in seconds before sending the new message, numbered numero_event at the given level and containing the message
Use reference | a reference (any number, but numbers only) identifying the event in the correlator
For ip | the IP address concerned by this event; the %I variable is used here
With mask | the mask of the IP address
Comments | the message accompanying the sending of the event; here the original message is reused via %m. The message must be enclosed as %3message%3 if it contains whitespace, and must not contain the " character.
Choose the Match All option.
Now exit the filter creation and check that the filter exists in your filter list.
Now, when a message 101 arrives for this host, a file is stored in the bin/events directory.
The correlation plugin (Pending Events Correlator) scans this folder at regular intervals and executes the action if the expected event is not acknowledged (correlated) in time.
Example of an event in the processing queue awaiting correlation.
In our example, 20 seconds after receiving event 101, an event 100250 at level 4 will be issued if event 100, matched by the correlation filter, has not been received. By default the plugin (Pending Events Correlator) scans the directory every 20 seconds, but this setting can be changed (minimum 5 s).
Message 100250 is in turn filtered by LoriotPro and used to warn the network administrator.
Create Filter Event Y (Acknowledgement - Event type "up")
It is then necessary to define a filter (on reception of event 100 in our example) that allows the plugin (Pending Events Correlator) to acknowledge the event 101 processed previously.
Event 100 is used for several kinds of host state transitions to up, so the variables of the event must be analysed.
Message 100 reads as follows:
<1> session 12.1.1.250 router-1603-cisco responding to polling LoriotPro (old status 1)
This indicates that host 12.1.1.250 was already UP but responded to ICMP (1) only. This message does not interest us.
We are only interested in a message 100 carrying the following information:
<1> session 82.250.213.11 Linksys WAG54G responding to polling LoriotPro snmp (old status 4)
Our filter will be more complex:
it incorporates a search for the string "(old status 4)" to be sure that it is a transition from the down state to the up state.
The wizard proposes a new event filter.
Select the event acknowledgement (Ack Correlated Event) in the Action Type.
The correlation configuration window is displayed.
Fill in the parameters:
Ack event filter reference | the reference of the event to acknowledge, as defined in the previous filter
IP | the IP address concerned by this event; the %I variable is used here
Mask | the mask of the IP address
Numero_event | the number of the event generated if the filtered incident (to be linked) is not acknowledged within the allotted time (seconds)
Level | the level of the return message (0-9)
Message | the message accompanying the sending of the event; here the original message is reused via %m. The message must be enclosed as %3message%3 if it contains whitespace, and must not contain the " character.
For an advanced filter, select the "Match all" option for all events of this type.
Now exit the filter creation and check that the filter exists in your filter list.
On receipt of this event, a file of type ack is created in bin/events.
If the acknowledgement event arrives before the deadline expires, the correlation plugin does not send the message and deletes the corresponding files.
We may want to delay the action on the "host down" event globally, to avoid a flood of "host down" messages when a power line fails and recovers quickly.
Example of a filter on event 101 (down) for a set of machines (in our case, all of them)
Example of a filter on event 100 (up) for a set of machines
The files are generated per IP address, because by default we use the host IP address variable.
Command line option for calling the program
Select the program _EventToFile.exe in the LoriotPro bin directory.
Use the following syntax:
_EventToFile Time numero ip mask numero_event level %3message%3
If we want to send an event on an acknowledgement ("ack") that arrives too late, the syntax is as follows:
_EventToFile Ack numero ip mask numero_event level %3message%3
ack | the word "ack" (to distinguish this syntax from the one associated with a "down"-type event)
Numéro | a reference identifying the saved event
IP | the IP address concerned by this event; the %I variable is used here
Mask | the mask of the IP address
Numero_event | the event number used to send an event if the event is not acknowledged within (time) seconds
Level | the level of the return message (0-9)
Message | the message accompanying the sending of the event; here the original message is reused via %m. The message must be enclosed as %3message%3 if it contains whitespace, and must not contain the " character.
There is no real link between the generated "down" file and the generated "up" file other than the reference and the time stamp. If several files of the same type arrive during the down time, an "up" file may cancel a "down" file that is not its own. That is why the mechanism only works well with consistent down/up pairs and time settings. Filters should be as specific as possible.
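As an added illustration (not LoriotPro code), a small Python model of the two filters and the plugin's scan loop: the message patterns are modelled on the 101 and 100 messages quoted above, and the reference 1, the host mask 255.255.255.255, the 20 s delay and the fallback event 100250 at level 4 are assumptions taken from the example.

```python
import ipaddress
import re

# Constructed patterns modelled on the 101 (down) and 100 (up) messages quoted above.
DOWN_RE = re.compile(r"^<(\d)> Session ip \[([\d.]+)\] .* not longer responding .*\(old status (\d)\)$")
UP_RE = re.compile(r"^<(\d)> session ([\d.]+) .* responding to polling LoriotPro.*\(old status (\d)\)$")

def same_subnet(ip_a, ip_b, mask):
    """Two addresses match when they fall in the same network under the filter's mask."""
    net = ipaddress.ip_network(f"{ip_a}/{mask}", strict=False)
    return ipaddress.ip_address(ip_b) in net

class Correlator:
    """Toy stand-in for the Pending Events Correlator: keeps pending 'down' entries and
    emits the fallback event once the delay passes without an acknowledgement."""
    def __init__(self, scan_interval=20):
        self.scan_interval = max(scan_interval, 5)   # the plugin's minimum scan interval is 5 s
        self.pending, self.emitted = [], []

    def send_to_correlator(self, now, ref, ip, mask, delay, numero_event, level, message):
        self.pending.append(dict(ref=ref, ip=ip, mask=mask, deadline=now + delay,
                                 numero_event=numero_event, level=level, message=message))

    def ack(self, ref, ip, mask):
        """Ack Correlated Event: drop every pending entry with the same reference and matching IP."""
        before = len(self.pending)
        self.pending = [p for p in self.pending
                        if not (p["ref"] == ref and same_subnet(p["ip"], ip, mask))]
        return before - len(self.pending)

    def scan(self, now):
        """Runs every scan_interval seconds; expired entries produce the numero_event message."""
        due = [p for p in self.pending if p["deadline"] <= now]
        self.pending = [p for p in self.pending if p["deadline"] > now]
        for p in due:
            self.emitted.append((p["numero_event"], p["level"], p["ip"], p["message"]))
        return len(due)

def handle(corr, now, line, ref=1, mask="255.255.255.255"):
    """The two filters of the example: 101 -> send to correlator; 100 with (old status 4) -> ack.
    Reference, mask, 20 s delay and event 100250 at level 4 are assumed values."""
    if m := DOWN_RE.match(line):
        corr.send_to_correlator(now, ref, m.group(2), mask, 20, 100250, 4, line)
        return "pending"
    if (m := UP_RE.match(line)) and m.group(3) == "4":
        return "acked" if corr.ack(ref, m.group(2), mask) else "no-match"
    return "ignored"
```

An acknowledgement for another host with the same reference returns "no-match" and leaves the pending entry in place, which is the situation the last paragraph warns about when filters are too broad.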