System, method and computer program product for event correlation in a distributed computing environment

US 6,336,139 B1
Filed: 06/03/1998
Issued: 01/01/2002
Est. Priority Date: 06/03/1998
Status: Active Grant

First Claim

Patent Images

1. A method of event correlation implemented in a distributed computer network, comprising the steps of:

deploying a software component to a given node in the distributed computer network, the software component having associated therewith at least first and second correlation rules having a given relationship, each of the respective first and second correlation rules recognizing a given pattern of one or more events indicative of a given condition;

applying an event stream at the given node to the first and second correlation rules; and

initiating a given action if the given relationship is met.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of event correlation implemented within a distributed environment having a management server and a set of managed machines. The preferred event correlation method begins by establishing a discrete set of correlation rules. One preferred implementation of a correlation rule is a software-based state machine. Each correlation rule is adapted to recognize a given pattern of one or more events indicative of a given condition. A set of correlation rules comprise a set of efficiently-coupled state machines, each of which is optimized for a particular, low-level logical function. Then, as events are received and/or generated at the machine, the events are examined by the state machines comprising the correlator to search for the defined event patterns. If a given event pattern is recognized, a given condition sought to be monitored has occurred, and the event correlator may then be used to take a given action.

Citations

35 Claims

1. A method of event correlation implemented in a distributed computer network, comprising the steps of:
- deploying a software component to a given node in the distributed computer network, the software component having associated therewith at least first and second correlation rules having a given relationship, each of the respective first and second correlation rules recognizing a given pattern of one or more events indicative of a given condition;
  
  applying an event stream at the given node to the first and second correlation rules; and
  
  initiating a given action if the given relationship is met.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 wherein a respective correlation rule is a matching rule triggered by an event that satisfies a given search criteria defined in the matching rule.
  - 3. The method as described in claim 1 wherein the respective correlation rule is a duplicate rule triggered by a given event associated with the given condition that ignores the given event for a specified time period after occurrence of the given condition.
  - 4. The method as described in claim 1 wherein the respective correlation rule is a pass through rule triggered by a given event sequence.
  - 5. The method as described in claim 4 wherein the given event sequence is in a specified or random order.
  - 6. The method as described in claim 1 wherein the respective correlation rule is a reset rule triggered by non-occurrence of a given event sequence.
  - 7. The method as described in claim 1 wherein the respective correlation is a threshold rule triggered by a specified number of similar events in the event stream.
  - 8. The method as described in claim 1 wherein at least the first correlation rule is inactive during at least a portion of a given time period.

9. A method of event correlation implemented in a distributed computer network having a plurality of objects to be monitored for given conditions, comprising the steps of:
- at each of a set of given nodes in the network, establishing a discrete set of correlation rules, each correlation rule recognizing a given pattern of one or more events indicative of a given condition;
  
  responsive to receipt at the given node of a stream of events, using the set of correlation rules to determine an occurrence of a given condition identified by a correlation rule in the set; and
  
  taking a given action upon occurrence of the given condition.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method as described in claim 9 wherein the set of correlation rules at a given node includes a matching rule triggered by an event that satisfies a given search criteria defined in the matching rule.
  - 11. The method as described in claim 9 wherein the set of correlation rules at a given node includes a duplicate rule triggered by a given event associated with the given condition, wherein the given action includes ignoring the given event for a specified time period after occurrence of the given condition.
  - 12. The method as described in claim 9 wherein the set of correlation rules at a given node includes a pass through rule triggered by a given event sequence.
  - 13. The method as described in claim 9 wherein the set of correlation rules at a given node includes a reset rule triggered by non-occurrence of a given event sequence.
  - 14. The method as described in claim 9 wherein the set of correlation rules at a given node includes a threshold rule triggered by a specified number of similar events in the event stream.

15. A method of event correlation in a distributed computer network having a management server servicing a set of machines, comprising the steps of:
- deploying a management infrastructure throughout the computer network, the management infrastructure including a monitor at selected machines;
  
  at a given machine, establishing a set of correlation rules, each correlation rule recognizing a given pattern of one or more events indicative of a given condition to be monitored;
  
  at the given machine, using the set of correlation rules to determine an occurrence of a given condition identified by a correlation rule in the set; and
  
  taking a given action upon the occurrence of the given condition.
- View Dependent Claims (16)
- - 16. The method as described in claim 15 wherein the correlation rules consist of matching correlation rules, duplicate correlation rules, pass through correlation rules, reset correlation rules and threshold correlation rules.

17. An event correlator for use in a distributed enterprise having a management server servicing a set of managed machines, comprising:
- means for defining a discrete set of correlation rules, each correlation rule recognizing a given pattern of one or more events indicative of a given condition to be monitored; and
  
  means responsive to receipt of a stream of events for using the set of correlation rules to determine an occurrence of a given condition identified by a correlation rule in the set.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The event correlator as described in claim 17 wherein the means for defining comprises a set of state machines.
  - 19. The event correlator as described in claim 18 wherein at least one of the state machines implements a matching rule triggered by an event that satisfies a given search criteria defined in the matching rule.
  - 20. The event correlator as described in claim 18 wherein at least one of the state machines implements a duplicate rule triggered by a given event associated with the given condition, wherein the given action includes ignoring the given event for a specified time period after occurrence of the given condition.
  - 21. The event correlator as described in claim 18 wherein at least one of the state machines implements a pass through rule triggered by a given event sequence.
  - 22. The event correlator as described in claim 18 wherein at least one of the state machines implements a reset rule triggered by non-occurrence of a given event sequence.
  - 23. The event correlator as described in claim 18 wherein at least one of the state machines implements a threshold rule triggered by a specified number of similar events in the event stream.

24. Event correlation system for use in a distributed computer network having a management server servicing a set of managed computers, comprising:
- a software agent for implementing a resource monitoring task;
  
  a runtime environment installed at a given managed computer, wherein the runtime environment includes a runtime engine for executing the software agent to effect the resource monitoring task; and
  
  a monitor comprising;
  
  means for defining a discrete set of correlation rules, each correlation rule recognizing a given pattern of one or more events indicative of a given condition to be monitored; and
  
  means responsive to receipt of a stream of events for using the set of correlation rules to determine an occurrence of a given condition identified by a correlation rule in the set.
- View Dependent Claims (25, 26)
- - 25. The event correlation system as described in claim 24 wherein the runtime engine is a virtual machine in a browser.
  - 26. The event correlation system as described in claim 25 wherein the software agent is an applet.

27. A computer program product for use in a computer connected within a distributed computing environment having a management server servicing a set of managed computers, comprising:
- means for defining a discrete set of correlation rules, each correlation rule recognizing a given pattern of one or more events indicative of a given condition to be monitored; and
  
  means responsive to receipt of a stream of events for using the set of correlation rules to determine an occurrence of a given condition identified by a correlation rule in the set.
- View Dependent Claims (28, 29, 30, 31, 32, 33)
- - 28. The computer program product as described in claim 27 wherein the means for defining comprises a set of state machines.
  - 29. The computer program product as described in claim 28 wherein at least one of the state machines implements a matching rule triggered by an event that satisfies a given search criteria defined in the matching rule.
  - 30. The computer program product as described in claim 28 wherein at least one of the state machines implements a duplicate rule triggered by a given event associated with the given condition, wherein the given action includes ignoring the given event for a specified time period after occurrence of the given condition.
  - 31. The computer program product as described in claim 28 wherein at least one of the state machines implements a pass through rule triggered by a given event sequence.
  - 32. The computer program product as described in claim 28 wherein at least one of the state machines implements a reset rule triggered by non-occurrence of a given event sequence.
  - 33. The computer program product as described in claim 28 wherein at least one of the state machines implements a threshold rule triggered by a specified number of similar events in the event stream.

34. A computer connected within a distributed computing environment having a management server servicing a set of managed computers, comprising:
- a processor;
  
  an operating system;
  
  a monitor having an event correlator, the event correlator comprising;
  
  means for defining a discrete set of correlation rules, each correlation rule recognizing a given pattern of one or more events indicative of a given condition to be monitored; and
  
  means responsive to receipt of a stream of events for using the set of correlation rules to determine an occurrence of a given condition identified by a is correlation rule in the set.
- View Dependent Claims (35)
- - 35. The computer as described in claim 34 wherein the means for defining of the event correlator comprises a set of state machines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Feridun, Metin, McNally, Michael, Vetter, Brian Jay
Primary Examiner(s)
Rinehart, Mark H.
Assistant Examiner(s)
Thompson, Marc D.

Application Number

US09/089,965
Time in Patent Office

1,308 Days
Field of Search

709/202, 709/223, 709/224, 714/4, 714/25, 714/26, 714/37, 714/39, 714/47
US Class Current

709/224
CPC Class Codes

G06F 11/3664   Environments for testing or...

G06F 2209/544   Remote

G06F 2209/546   Xcast

G06F 9/542   Event management; Broadcast...

System, method and computer program product for event correlation in a distributed computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and computer program product for event correlation in a distributed computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links