System and method for correlating events in a pluggable correlation architecture

US 20090265288A1
Filed: 04/17/2008
Published: 10/22/2009
Est. Priority Date: 04/17/2008
Status: Active Grant

First Claim

Patent Images

1. A method for correlating events in a pluggable event correlation system, comprising:

receiving an event stream that includes a plurality of events, wherein each event in the event stream originates from one of a plurality of event sources;

enriching the events in the event stream by associating the events with classification information;

providing the enriched events to a plurality of input adapters respectively associated with a plurality of correlation engines, wherein each of the input adapters convert the enriched events into a format that the associated correlation engine uses to evaluate events against a plurality of rules;

receiving an output from one or more of the plurality of correlation engines, the output generated by the one or more of the plurality of correlation engines upon determining that one or more of the evaluated events have triggered one or more of the plurality of rules, wherein one or more output adapters respectively associated with the one or more of the plurality of correlation engines convert the output into a correlated event; and

executing an action associated with the correlated event to remediate a condition associated with the events that triggered the one or more of the plurality of rules.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for pluggable event correlation may include an input manager that receives a plurality of events and converts the events into a format compatible with one or more of a plurality of correlation engines. The correlation engines may then evaluate the converted events using various rules and generate correlated events when the evaluated events trigger at least one of the rules. An action manager may execute remedial actions when the correlation engines generate the correlated events. Moreover, extensibility may be provided by enabling a user to define rules to be triggered when events occur in a predetermined pattern, and actions to be executed when a predetermined rule triggers a correlated event. Further, to plug a new correlation engine into the system, adapters may be deployed to handle input and output, while the user-defined rules may be validating according to semantic requirements of the new correlation engine.

Citations

7 Claims

1. A method for correlating events in a pluggable event correlation system, comprising:
- receiving an event stream that includes a plurality of events, wherein each event in the event stream originates from one of a plurality of event sources;
  
  enriching the events in the event stream by associating the events with classification information;
  
  providing the enriched events to a plurality of input adapters respectively associated with a plurality of correlation engines, wherein each of the input adapters convert the enriched events into a format that the associated correlation engine uses to evaluate events against a plurality of rules;
  
  receiving an output from one or more of the plurality of correlation engines, the output generated by the one or more of the plurality of correlation engines upon determining that one or more of the evaluated events have triggered one or more of the plurality of rules, wherein one or more output adapters respectively associated with the one or more of the plurality of correlation engines convert the output into a correlated event; and
  
  executing an action associated with the correlated event to remediate a condition associated with the events that triggered the one or more of the plurality of rules.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising receiving at least one user-defined rule, wherein the user-defined rule includes an expression that triggers when events occur in a predetermined pattern.
  - 3. The method of claim 2, further comprising:
    - validating the at least one user-defined rule in accordance with semantic requirements of at least one of the correlation engines; and
      
      configuring the at least one correlation engine to enforce the validated user-defined rule.
  - 4. The method of claim 1, further comprising receiving at least one user-defined action, wherein the user-defined action includes one or more system actions to be taken when a predetermined rule triggers generation of a correlated event.
  - 5. The method of claim 4, wherein the predetermined rule includes at least one of the plurality of rules or a user-defined rule.
  - 6. The method of claim 1, further comprising providing an interface through which a user can start and stop operation of one or more of the plurality of correlation engines.

7. A pluggable event correlation system, comprising:
- a correlation runtime environment that manages correlation of a plurality of events received via an event stream, wherein the correlation runtime environment includes;
  
  an input manager that receives the event stream, wherein the input manager includes at least one adapter that converts the plurality of events in the event stream into a format compatible with one or more of a plurality of correlation engines;
  
  the plurality of correlation engines that receive the event stream from the input manager, the plurality of correlation engines operable to evaluate the events using a plurality of rules and to generate one or more correlated events when one or more of the evaluated events trigger one or more of the plurality of rules; and
  
  an action manager that identifies one or more actions associated with the generated correlated events and that executes the one or more identified actions;
  
  a configuration module that includes a rule builder and an action builder, wherein a user can define at least one rule through the rule builder that includes an expression to be triggered when events occur in a predetermined pattern, and wherein the user can define at least one action through the action builder to be associated with a predetermined rule triggering generation of a correlated event; and
  
  a management module that includes an engine manager and a status module, wherein the user can use the engine manager to start and stop operation of one or more of the plurality of correlation engines, validate the at least one rule defined through the rule builder in accordance with semantic requirements of at least one of the plurality of correlation engines, and configure the at least one of the plurality of correlation engines to enforce the validated rule, and wherein the user can use the status module to view statistical information, status information, and health information associated with activity in the correlation runtime environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Arrington, Jason Lee, Witt, Cheryl, Cooper, Michael Howard, Choudhary, Usman, Chakravarty, Dipto, Antony, John Melvin

Granted Patent

US 8,185,488 B2
Time in Patent Office

Days
Field of Search
US Class Current

706/11
CPC Class Codes

G06N 5/022 Knowledge engineering; Know...

System and method for correlating events in a pluggable correlation architecture

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for correlating events in a pluggable correlation architecture

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links