System and method for tracking and filtering alerts in an enterprise and generating alert indications for analysis
First Claim
1. A method of producing at least one alert indication based on a number of events derived from an enterprise comprising:
- providing a plurality of enterprise device outputs, at least a portion of the outputs having different formats, each output containing an event relating to an enterprise device;
- translating each output into a common format event comprising:
  - matching data values in the device output with a signature specification for each enterprise device, the signature specification containing:
    - a number of signatures;
    - a first location identifier for each signature; and
    - a first key;
  - wherein the signature is a listing of names found in the device output, the first location identifier determines the method used to locate the name in the device output, and the first key determines where to locate the name in the device output;
  - identifying a message type from a plurality of message types for each enterprise device based on the device output as part of the translated common format event;
- adding knowledge to the common format event using knowledge base table files to generate a knowledge-containing common format event;
- applying one or more rules from a set of rules to the knowledge-containing common format event to generate the alert indication; and
- generating the alert indication, wherein the alert indication includes at least a text message describing the event contained in the output of the enterprise device.
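The claim above describes a four-stage pipeline (translate device output via signature specifications, identify a message type, add knowledge from knowledge base tables, apply rules to produce an alert indication with a text message). The following Python is an added illustration of that pipeline written for this page; it is not code from the patent or its assignee. The device names (fw1, ids2), the two sample device outputs, the location identifiers "regex" and "field", the knowledge base tables and the two rules are all constructed assumptions.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample outputs from two hypothetical enterprise devices in different formats.
FIREWALL_LINE = "Jan 12 10:04:01 fw1 DENY src=10.1.1.7 dst=203.0.113.5 dport=22 proto=TCP"
IDS_JSON = '{"sensor": "ids2", "sig": "ET SCAN SSH Brute", "src_ip": "10.1.1.7", "severity": 2}'


@dataclass
class Signature:
    """One entry of a signature specification: the name to extract, the location
    identifier (the method used to find it) and the key (where to find it)."""
    name: str
    location: str   # assumed identifiers: "regex" = search raw text, "field" = JSON key
    key: str        # the regex pattern (with one capture group) or the JSON field name


@dataclass
class TranslationFile:
    """Per-device translation file: its signature specification and the message type
    assigned when every signature matches."""
    device: str
    message_type: str
    signatures: list


TRANSLATION_FILES = [
    TranslationFile("fw1", "firewall.deny", [
        Signature("src_ip", "regex", r"src=(\S+)"),
        Signature("dst_ip", "regex", r"dst=(\S+)"),
        Signature("dst_port", "regex", r"dport=(\d+)"),
        Signature("action", "regex", r"\b(DENY|ALLOW)\b"),
    ]),
    TranslationFile("ids2", "ids.alert", [
        Signature("src_ip", "field", "src_ip"),
        Signature("signature_name", "field", "sig"),
        Signature("severity", "field", "severity"),
    ]),
]


def locate(sig, raw):
    """Apply the location identifier to find the named value in the raw output."""
    if sig.location == "regex":
        m = re.search(sig.key, raw)
        return m.group(1) if m else None
    if sig.location == "field":
        try:
            return json.loads(raw).get(sig.key)
        except ValueError:  # not JSON at all, so this signature cannot match
            return None
    raise ValueError(f"unknown location identifier {sig.location!r}")


def translate(raw):
    """Match the output against each signature specification; the first specification
    whose signatures all match yields the common format event and its message type."""
    for tf in TRANSLATION_FILES:
        values = {s.name: locate(s, raw) for s in tf.signatures}
        if all(v is not None for v in values.values()):
            return {"device": tf.device, "message_type": tf.message_type, **values}
    return None  # no translation file fits: the output is not understood


# Constructed knowledge base tables: asset inventory and an internal watchlist.
ASSET_TABLE = {"203.0.113.5": {"dst_asset": "bastion", "dst_criticality": "high"}}
WATCHLIST_TABLE = {"10.1.1.7": {"src_watchlist": "recent-scan-source"}}


def add_knowledge(event):
    """Produce the knowledge-containing common format event by merging table rows
    that match the event's addresses."""
    enriched = dict(event)
    enriched.update(ASSET_TABLE.get(event.get("dst_ip"), {}))
    enriched.update(WATCHLIST_TABLE.get(event.get("src_ip"), {}))
    return enriched


def rule_watchlisted_to_critical(e):
    """Rule: a denied connection from a watchlisted host to a high-criticality asset."""
    if (e["message_type"] == "firewall.deny" and e.get("dst_criticality") == "high"
            and "src_watchlist" in e):
        return (f"Denied connection from watchlisted host {e['src_ip']} to high-criticality "
                f"asset {e['dst_asset']} ({e['dst_ip']}) on port {e['dst_port']}")
    return None


def rule_high_severity_ids(e):
    """Rule: any IDS alert at severity 2 or better (lower number = more severe)."""
    if e["message_type"] == "ids.alert" and int(e["severity"]) <= 2:
        return (f"IDS {e['device']} reported '{e['signature_name']}' from {e['src_ip']} "
                f"(severity {e['severity']})")
    return None


RULES = [rule_watchlisted_to_critical, rule_high_severity_ids]


def process(raw):
    """Full pipeline: translate -> add knowledge -> apply rules -> alert indication or None."""
    event = translate(raw)
    if event is None:
        return None
    enriched = add_knowledge(event)
    for rule in RULES:
        text = rule(enriched)
        if text:
            return {"text": text, "event": enriched}
    return None


if __name__ == "__main__":
    for raw in (FIREWALL_LINE, IDS_JSON, "unrelated output"):
        print(process(raw))
```

The separation mirrors the claim: translation files are data, not code, so adding a new device means adding a signature specification rather than a parser; knowledge tables are consulted after translation so enrichment is format-independent; and rules only ever see the enriched common format event. A practical check worth keeping is the `None` path in `translate`, since an output that matches no signature specification should be counted and reviewed rather than silently dropped.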
Abstract
A system and method for declaring alert indications that occur in an enterprise comprising translating a number of device outputs into a common format event using a number of translation files, and generating a number of knowledge-containing common format events based on matches between the common format events and knowledge base tables. A set of rules determines whether the knowledge base common format events rise to an alert indication for further automated correlation and analysis.
21 Claims
1. Independent claim; text as set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 20, 21.
14. A system for producing at least one alert indication based on a number of events derived from an enterprise comprising:
- a plurality of enterprise devices, each device capable of producing an output;
- a number of translation files, the translation files allowing the output to be translated into a common format event, the translation comprising:
  - matching data values in the device output with a signature specification for each enterprise device, the signature specification containing:
    - a number of signatures;
    - a first location identifier for each signature; and
    - a first key;
  - wherein the signature is a listing of names found in the device output, the first location identifier determines how to locate the name in the device output, and the first key determines where to locate the name in the device output;
  - identifying a message type from a plurality of message types for each enterprise device based on the device output as part of the translated common format event;
- a number of knowledge base table files, matching of the common format event with one or more of the knowledge base table files adding knowledge from the matched file to generate a knowledge-containing common format event;
- a number of rule files, the rule files governing generation of the alert indication; and
- a rules processor for generating the alert indication, wherein the alert indication includes at least a text message describing the event contained in the output of the enterprise device.
Dependent claims: 15, 16, 17, 18, 19.