System and method for correlating events in a pluggable correlation architecture

US 8,185,488 B2
Filed: 04/17/2008
Issued: 05/22/2012
Est. Priority Date: 04/17/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A method for correlating events in a pluggable event correlation system, comprising:

deploying a plurality of correlation engines into a correlation runtime environment having an extensible service-oriented architecture that includes an exposed application program interface to configure the correlation runtime environment with different semantic formats used in the plurality of correlation engines;

receiving an event stream that includes having a plurality of events that originate from a plurality of event sources;

converting the plurality of events in the event stream into the different semantic formats used in the plurality of correlation engines using a plurality of input adapters defined with the exposed application program interface;

correlating, the plurality of events against a plurality of rules using the plurality of correlation engines deployed into the correlation runtime environment, wherein the plurality of correlation engines evaluate the plurality of events in the different semantic formats used therein to correlate the plurality of events against the plurality of rules;

converting outputs that one or more of the plurality of correlation engines generated to indicate that one or more of the evaluated plurality of events have triggered one or more of the plurality of rules, wherein one or more output adapters defined with the exposed application program interface convert the outputs from the different semantic formats used in the one or more of the plurality of correlation engines into one or more correlated events associated with the correlation runtime environment; and

executing one or more actions that the correlation runtime environment associates with the one or more correlated events to remediate a condition that caused the one or more of the plurality of correlation engines to indicate that the one or more of the plurality of rules have been triggered, wherein the one or more actions have a different format than the semantic formats used in the plurality of correlation engines.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for pluggable event correlation may include an input manager that receives a plurality of events and converts the events into a format compatible with one or more of a plurality of correlation engines. The correlation engines may then evaluate the converted events using various rules and generate correlated events when the evaluated events trigger at least one of the rules. An action manager may execute remedial actions when the correlation engines generate the correlated events. Moreover, extensibility may be provided by enabling a user to define rules to be triggered when events occur in a predetermined pattern, and actions to be executed when a predetermined rule triggers a correlated event. Further, to plug a new correlation engine into the system, adapters may be deployed to handle input and output, while the user-defined rules may be validating according to semantic requirements of the new correlation engine.

Citations

9 Claims

1. A method for correlating events in a pluggable event correlation system, comprising:
- deploying a plurality of correlation engines into a correlation runtime environment having an extensible service-oriented architecture that includes an exposed application program interface to configure the correlation runtime environment with different semantic formats used in the plurality of correlation engines;
  
  receiving an event stream that includes having a plurality of events that originate from a plurality of event sources;
  
  converting the plurality of events in the event stream into the different semantic formats used in the plurality of correlation engines using a plurality of input adapters defined with the exposed application program interface;
  
  correlating, the plurality of events against a plurality of rules using the plurality of correlation engines deployed into the correlation runtime environment, wherein the plurality of correlation engines evaluate the plurality of events in the different semantic formats used therein to correlate the plurality of events against the plurality of rules;
  
  converting outputs that one or more of the plurality of correlation engines generated to indicate that one or more of the evaluated plurality of events have triggered one or more of the plurality of rules, wherein one or more output adapters defined with the exposed application program interface convert the outputs from the different semantic formats used in the one or more of the plurality of correlation engines into one or more correlated events associated with the correlation runtime environment; and
  
  executing one or more actions that the correlation runtime environment associates with the one or more correlated events to remediate a condition that caused the one or more of the plurality of correlation engines to indicate that the one or more of the plurality of rules have been triggered, wherein the one or more actions have a different format than the semantic formats used in the plurality of correlation engines.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the plurality of rules include expressions that the plurality of correlation engines evaluate to determine whether the event stream includes one or more events that occurred in a predetermined pattern.
  - 3. The method of claim 2, further comprising:
    - validating the plurality of rules per the different semantic formats used in the plurality of correlation engines; and
      
      deploying the plurality of rules into the correlation runtime environment in response to validating the plurality of rules per the different semantic formats used in the plurality of correlation engines.
  - 4. The method of claim 1, further comprising:
    - validating the one or more actions per the different semantic formats used in the plurality of correlation engines; and
      
      deploying the one or more actions into the correlation runtime environment in response to validating the one or more actions per the different semantic formats used in the plurality of correlation engines, wherein the one or more deployed actions define the outputs that the one or more of the plurality of correlation engines generate to indicate that the one or more of the plurality of rules have been triggered.
  - 5. The method of claim 1, further comprising managing the correlation runtime environment via a management module that provides an interface to start and stop the plurality of correlation engines.

6. A pluggable event correlation system, comprising:
- a plurality of correlation engines deployed into a correlation runtime environment having an extensible service-oriented architecture, wherein the extensible service-oriented architecture includes an exposed application program interface to configure the correlation runtime environment with different semantic formats used in the plurality of correlation engines;
  
  an input manager configured to;
  
  receive an event stream having a plurality of events that originate from a plurality of event sources; and
  
  convert the plurality of events in the event stream into the different semantic formats used in the plurality of correlation engines using a plurality of input adapters defined with the exposed application program interface;
  
  an engine manager configured to start the plurality of correlation engines deployed into the correlation runtime environment to cause the plurality of correlation engines to correlate the plurality of events against a plurality of rules, wherein the plurality of correlation engines are configured to evaluate the plurality of events in the different semantic formats used therein to correlate the plurality of events against the plurality of rules;
  
  one or more output adapters defined with the exposed application program interface, wherein the one or more output adapters are configured to;
  
  receive outputs that one or more of the plurality of correlation engines generated to indicate that one or more of the plurality of events have triggered one or more of the plurality of rules; and
  
  convert the outputs that the one or more of the plurality of correlation engines generated from the different semantic formats used therein into one or more correlated events associated with the correlation runtime environment;
  
  an action manager configured to execute one or more actions that the correlation runtime environment associates with the one or more correlated events to remediate a condition that caused the one or more of the plurality of correlation engines to indicate that the one or more of the plurality of rules have been triggered;
  
  a configuration module coupled to the correlation runtime environment, wherein the configuration module includes;
  
  a rule builder configured to receive one or more rule definitions to define expressions associated with the plurality of rules via the exposed application program interface, wherein the plurality of correlation engines are further configured to evaluate the defined expressions associated with the plurality of rules to determine whether the event stream includes one or more events that occurred occur in a predetermined pattern; and
  
  an action builder configured to receive one or more action definitions to define the one or more actions associated with the one or correlated events; and
  
  a management module coupled to the configuration module and the correlation runtime environment, wherein the management module includes;
  
  an engine manager configured to start and stop the plurality of correlation engines; and
  
  a status module configured to display statistical information, status information, and health information associated with activity in the correlation runtime environment.
- View Dependent Claims (7, 8, 9)
- - 7. The system of claim 6, wherein the engine manager is further configured to:
    - validate the expressions defined with the rule builder per the different semantic formats used in the plurality of correlation engines; and
      
      deploy the plurality of rules and the expressions associated therewith into the correlation runtime environment in response to validating the expressions defined with the rule builder per the different semantic formats used in the plurality of correlation engines.
  - 8. The system of claim 6, wherein the one or more actions defined with the action builder have a different format than the semantic formats used in the plurality of engines.
  - 9. The system of claim 6, wherein the engine manager is further configured to:
    - validate the one or more actions defined with the action builder per the different semantic formats used in the plurality of correlation engines; and
      
      deploy the one or more actions into the correlation runtime environment in response to validating the one or more actions per the different semantic formats used in the plurality of correlation engines, wherein the one or more deployed actions define the outputs that the one or more of the plurality of correlation engines generate to indicate that the one or more of the plurality of rules have been triggered.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Chakravarty, Dipto, Choudhary, Usman, Antony, John Melvin, Cooper, Michael Howard, Arrington, Jason Lee, Witt, Cheryl
Primary Examiner(s)
Gaffin, Jeffrey A
Assistant Examiner(s)
Chang, Li-Wu

Application Number

US12/081,540
Publication Number

US 20090265288A1
Time in Patent Office

1,496 Days
Field of Search

None
US Class Current

706/47
CPC Class Codes

G06N 5/022 Knowledge engineering; Know...

System and method for correlating events in a pluggable correlation architecture

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for correlating events in a pluggable correlation architecture

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links