Alarm correlation method and system
First Claim
1. A method for correlating event indicators relating to a system comprising:
- defining a model of the system comprising a plurality of model elements;
after receiving an event indicator;
associating the event indicator with one of said plurality of model elements;
determining if the event indicator is a root event indicator by consulting root event criteria;
if the event indicator is a root event indicator then determining an impact group of model elements for the root event indicator and determining for each model element in the impact group whether one or more previous event indicators associated with the particular model element are correlatable to the root event indicator, and if so correlating the one or more event indicators to the root event indicator;
if the event indicator is not a root event indicator, determining whether the event indicator is correlatable with a previously determined root event indicator.
3 Assignments
0 Petitions
Accused Products
Abstract
An alarm correlation method for use in a network management device is provided in which alarm correlation is performed between identified root-cause alarms and alarms which have been raised on network elements satisfying particular relationships with the network element that raised the root-cause alarm. A hierarchical network model is provided consisting of a transport termination point for each connection at various layers terminated by each network element, and a connectivity model is maintained which identifies all connections in the network. An impact group of transport termination points for a given transport termination point defines where to look for alarms for correlation for a given root-cause alarm. Preferably, a link between the root-cause alarm and a transport termination point which has been examined is established which allows expeditious correlation of later received symptomatic alarms with the root-cause alarm.
190 Citations
18 Claims
-
1. A method for correlating event indicators relating to a system comprising:
-
defining a model of the system comprising a plurality of model elements;
after receiving an event indicator;
associating the event indicator with one of said plurality of model elements;
determining if the event indicator is a root event indicator by consulting root event criteria;
if the event indicator is a root event indicator then determining an impact group of model elements for the root event indicator and determining for each model element in the impact group whether one or more previous event indicators associated with the particular model element are correlatable to the root event indicator, and if so correlating the one or more event indicators to the root event indicator;
if the event indicator is not a root event indicator, determining whether the event indicator is correlatable with a previously determined root event indicator. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
if the event indicator is a root event indicator, establishing a relation between one or more of the model elements in the impact group of the root event indicator and the root event indicator;
if the event indicator is not a root event indicator determining whether the event indicator is correlatable with a previously determined root even indicator to which a relation has been established for the model element associated with the event indicator.
-
-
3. A method according to claim 1 further comprising:
-
defining said model as a hierarchical system model such that each model element depends from another specific model element thereby forming a set of model layers;
maintaining a connectivity model consisting of, for each model layer a respective plurality of direct relations between pairs of model elements in the hierarchical system model;
determining the impact group of a root event indicator from the hierarchical system model and from the connectivity model.
-
-
4. A method according to claim 3 for modelling a system comprising system components capable of terminating one or more hierarchies of connections wherein:
-
a model element in said model is defined for each system component and a model element is defined for each termination of a connection of one of said hierarchies of connections;
maintaining said connectivity model comprises identifying relations between pairs of model elements which represent two endpoints of a given connection.
-
-
5. A method according to claim 4 wherein the impact group comprises:
-
(a) all model elements with relations to the root event indicator'"'"'s associated model element in the same model layer;
(b) all model elements in layers below the model layer of the root event indicator'"'"'s associated model element which depend directly or indirectly from the root event indicator'"'"'s associated model element;
(c) all model elements with relations to model elements identified in b).
-
-
6. A method according to claim 1 wherein each event indicator is an alarm, or information identifying an alarm.
-
7. A method according to claim 1 further comprising:
-
identifying on the basis of a previously determined root event indicator one or more expected event indicators;
wherein the step of determining whether the event indicator is correlatable with a previously determined root event indicator comprises comparing the event indicator with said one or more expected event indicators.
-
-
8. A method according to claim 1 further comprising:
-
for each model element in the impact group, identifying on the basis of a previously determined root event indicator one or more expected event indicators;
wherein the step of determining whether the event indicator is correlatable with a previously determined root event indicator comprises comparing the event indicator with said one or more expected event indicators for the model element associated with the event indicator.
-
-
9. A method according to claim 4 further comprising:
-
for each model element in the impact group, identifying on the basis of a previously determined root event indicator one or more expected event indicators;
wherein the step of determining whether the event indicator is correlatable with a previously determined root event indicator comprises comparing the event indicator with said one or more expected event indicators for the model element associated with the event indicator.
-
-
10. A method according to claim 9 wherein each event indicator is an alarm, or information identifying an alarm, and wherein each model element is a transport termination point in a communications network.
-
11. A method according to claim 1 further comprising the step of outputting the root event indicator and all event indicators which have been correlated to the root event indicator.
-
12. A network management device for managing a network of network elements which generate alarms, the network management device comprising:
-
an input for receiving alarms from the network;
an alarm correlator for maintaining a hierarchical connectivity model of the network comprising a plurality of model elements and connections between model elements, for associating each received alarm with one of the plurality of model elements in said hierarchical connectivity model, and for correlating a first alarm associated with a first model element in said hierarchical connectivity model with alarms associated with model elements in an impact group of model elements for said first model element;
wherein each model element is a transport termination point, and said hierarchical network model comprises a hierarchical model of each network element in the network having a transport termination point for each connection terminated by the network element, the transport termination points being organized hierarchically with each termination point of a lower layer connection being served by a termination point of a hither layer connection, and said hierarchical network model further comprising a connectivity model of the network in which connections in the network are modelled as connections between pairs of transport termination points in the hierarchical network model;
wherein said impact group of model elements comprises all model elements directly connected to the first model element in the same layer, and all model elements in layers below the first model element which depend directly or indirectly upon the first model element and all model elements directly connected to any such model elements. - View Dependent Claims (13, 14, 15, 16, 17, 18)
a root-cause determiner for determining if an alarm is a root-cause alarm or a symptomatic alarm.
-
-
14. A network management device according to claim 13 wherein upon identification of a root-cause alarm, a correlation state is created by the alarm correlator, and the correlation state is used to examine all transport termination points in the root-cause alarm'"'"'s impact group for symptomatic alarms.
-
15. A network management device according to claim 14 wherein the correlation state establishes a link between transport termination points in the impact group and the root-cause alarm such that later symptomatic alarms on the transport termination points in the impact group can be quickly correlated with the root-cause alarm.
-
16. A network management device according to claim 15 wherein said alarm correlator identifies a list of expected alarm for each transport termination point in the impact group, and during said examination of the transport termination points in the impact group leaves a link between the root-cause alarm and the expected alarms in said list which were not found during said examination.
-
17. A network management device according to claim 16 further comprising one or more rule sets defining how the impact group is determined and defining how alarms are correlated.
-
18. A network management device according to claim 12 wherein said hierarchical connectivity model is dynamically maintained.
Specification