Almost any device within a particular network typically generates various events that describe activity associated with the device. However, correlating logs with events that may have been generated by many different devices distributed across a network can often be very difficult because the logs may be written in different formats or describe different types of activity, among other things. Furthermore, many event logs often repeat a particular event multiple times, creating large event volumes that can be difficult to analyze in a manner that extracts useful information. In modern information technology environments, where change management and access control present important challenges, the large event volumes that existing correlation systems generate can substantially interfere with network management.
For example, tracking user activity in organizations such as university environments or campus-wide networks that do not have centralized authentication and access controls has historically been particularly difficult. Nonetheless, tracking user activity may be important to proper network management because certain activity patterns may reflect security breaches, compliance issues, or other problems in the network. In addition, tracking network addresses for hardware devices can be a daunting task, yet the ability to track network addresses can have substantial value for tracking changes and activity in the network. However, existing systems tend to use techniques that fall short in suitably scouring networks to obtain and maintain updated network device addresses. For example, due to the large event volumes that existing correlation systems generate, events must be normalized to a particular format that may be unfamiliar or difficult to analyze, and processing the large event volumes can interfere with detecting and managing changes and activity in real time.
Existing systems suffer from these and other problems.