Significance of events

Event filtering

Event detection

Once an Event notification has been generated, it will be detected by an agent running on the same system, or transmitted directly to a management tool specifically designed to read and interpret the meaning of the event.

The purpose of filtering is to decide whether to communicate the event to a management tool or to ignore it. If ignored, the event will usually be recorded in a log file on the device, but no further action will be taken.

The reason for filtering is that it is not always possible to turn Event notification off, even though a decision has been made that it is not necessary to generate that type of event. It may also be decided that only the first in a series of repeated Event notifications will be transmitted.

During the filtering step, the first level of correlation is performed, i.e. the determination of whether the event is informational, a warning, or an exception (see next step). This correlation is usually done by an agent that resides on the CI or on a server to which the CI is connected.

The filtering step is not always necessary. For some CIs, every event is significant and moves directly into a management tool’s correlation engine, even if it is duplicated. Also, it may have been possible to turn off all unwanted Event notifications.

Every organization will have its own categorization of the significance of an event, but it is suggested that at least these three broad categories be represented:

• Informational: This refers to an event that does not require any action and does not represent an exception. They are typically stored in the system or service log files and kept for a predetermined period. Informational event s are typically used to check on the status of a device or service, or to confirm the successful completion of an activity. Informational event s can also be used to generate statistics (such as the number of user s logged on to an application during a certain period) and as input into investigations (such as which jobs completed successfully before the transaction processing queue hung). Examples of informational event s include:
• A user logs onto an application
• A job in the batch queue completes successfully
• A device has come online
• A transaction is completed successfully.
• Warning: A warning is an event that is generated when a service or device is approaching a threshold. Warnings are intended to notify the appropriate person, process or tool so that the situation can be checked and the appropriate action taken to pr event an exception. Warnings are not typically raised for a device failure. Although there is some debate about whether the failure of a redundant device is a warning or an exception (since the service is still available). A good rule is that every failure should be treated as an exception, since the risk of an incident impacting the business is much greater. Examples of warnings are:
• Memory utilization on a server is currently at 65% and increasing. If it reaches 75%, response time s will be unacceptably long and the OLA for that department will be breached.
• The collision rate on a network has increased by 15% over the past hour.
• Exception: An exception means that a service or device is currently operating abnormally (however that has been defined). Typically, this means that an OLA and SLA have been breached and the business is being impacted. Exceptions could represent a total failure, impaired functionality or degraded performance. Please note, though, that an exception does not always represent an incident. For example, an exception could be generated when an unauthorized device is discovered on the network. This can be managed by using either an Incident Record or a Request for Change (or even both), depending on the organization ’s Incident and Change Management policies. Examples of exceptions include:
• A server is down
• Response time of a standard transaction across the network has slowed to more than 15 seconds
• More than 150 user s have logged on to the General Ledger application concurrently
• A segment of the network is not responding to routine requests.

Дата добавления: 2014-12-23; Просмотров: 439; Нарушение авторских прав?; Мы поможем в написании вашей работы!