1. Field of the Invention
The present invention relates to enterprise computing monitoring and management, and more particularly to event processing in an enterprise computing monitoring and management system.
2. Description of the Related Art
Enterprise computing monitoring relates to the monitoring of the state of the different, granular components of an enterprise computing environment, as well as the state of the enterprise computing environment in the aggregate. Generally intended for use by network and application administrators, enterprise computing monitoring systems monitor selected elements in the network of components forming the enterprise computing environment. Enterprise computing monitoring systems are traditionally organized in a hierarchical fashion, with sensors distributed throughout the network of components forming the enterprise computing environment. These sensors relay monitored events to aggregation nodes, which in turn can relay the monitored events to a smaller set of aggregation nodes. Monitored events can be interpreted, translated and provided to interacting administrators in order to facilitate the management of the enterprise computing environment.
A skeletal enterprise monitoring system can collect events propagated from different levels of the hierarchy of nodes defining the enterprise computing monitoring system. The collected events, in turn, can be reported plainly through a user interface in a monitoring application and it remains incumbent upon the user to interpret and act upon the reported events. Given the complexity of the modern enterprise computing environment, however, commercially viable enterprise monitoring systems provide an enhanced degree of event interpretation and remedial, automated action taking.
Clearly, nodes in the hierarchy of an enterprise monitoring system can be interrelated such that events occurring in a child node of the hierarchy can form the root cause of other events originating at higher levels of the hierarchy in parent nodes. Consequently, plainly reporting every event arising in the hierarchy can result in an event flood and can quickly overwhelm the enterprise computing monitoring system. Of course, capturing every event stemming from a root cause event is not as helpful as correcting the root cause event. In particular, resolving the cause of root cause event in the event source invariably leads to the resolving of all other resulting events.
To achieve efficiencies in monitoring, event correlation engines can be embedded within nodes in the network of elements of the enterprise computing environment. Consequently, the event correlation engines can most quickly identify and handle events arising from within the node without depending upon event correlation engines higher in the hierarchy of enterprise computing monitoring systems to process these events. In this regard, correlation rules applied by event correlation engines generally trigger responsive events for detected events. Yet, in many cases, important event patterns can be detected only at a higher level in the hierarchy. In the latter circumstance, it is desirable to place an event correlation engine at a higher level in the hierarchy so as to capture and process events stemming from many different nodes below.
Correlation rules often are composed by domain experts and processed by a correlation engine at a selected level in the hierarchy of the enterprise computing monitoring system so as to achieve optimal efficiency in processing events below. Coordinating the deployment of correlation rules can be challenging in an expansive enterprise computing environment. Consequently, in many enterprise systems, the correlation engine is centralized at a highest level in the hierarchy such that all events generated in environment can be captured and processed in the correlation engine. Notwithstanding, scalability will be sacrificed in this circumstance.