1. Technical Field
The present invention relates in general to a system and method for enhancing event correlation with exploitation of external data. More particularly, the present invention relates to a system and method for including rule language in a correlation rule that instructs a correlation engine to access external data in order to effectively select and correlate events.
2. Description of the Related Art
In a typical customer environment, many Information Technology (IT) resources communicate with each other in order to support the customer's business processes. These resources include components such as network devices, servers, and applications. In addition to communicating with each other, many resources may also depend upon each other. For example, an application may depend upon a database and a server that supports the database. In large-scale deployments, IT resources and business processes typically involve a tremendous number of resource dependencies.
When a problem occurs with a resource, a system “event” is typically generated that informs a system administrator of the problem. However, with dependent resources, a problem in one resource may cause problems with many other dependent resources and business processes. This domino effect may quickly spread across a computer system, producing an overwhelming number of events. The challenge for a system administrator is to correlate the multitude of events in order to identify the cause of the problem.
Another challenge is that the data “carried” along with the events is typically insufficient to perform event correlation effectively. In an attempt to resolve this issue, existing event correlation techniques may include dependencies and business priorities as part of their correlation rules. However, because resource dependencies change dynamically, this approach requires a tremendous amount of time to update and maintain the dependencies within the correlation rules.
Some computer systems may generate “business” events in response to particular actions. For example, a business order tracking system may generate an event when it receives an order and when it fulfills an order. In this example, the business order tracking system may wish to correlate “order created” events with “order completed” events for orders that are received from its preferred customers (e.g., fulfilled within a particular time). Again, however, the challenge is that the data included in the events is typically insufficient to effectively correlate orders with a customer's status level.
What is needed, therefore, is a system and method to improve event correlation techniques in a dynamic computer system environment.
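The order-tracking scenario above, as an added example that is not part of the original text: a small Python correlator that pairs “order created” and “order completed” events and consults a customer-status table kept outside the events. The event fields, the `CUSTOMER_STATUS` table, the one-hour window and the `correlate` function are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed external data: the customer's status level lives outside the events.
CUSTOMER_STATUS = {"C-100": "preferred", "C-200": "standard"}

# Constructed sample events. None of them carries the status level, and the
# "order_completed" events do not even name the customer.
EVENTS = [
    {"type": "order_created",   "order": "A1", "customer": "C-100", "time": "2024-01-01T09:00:00"},
    {"type": "order_created",   "order": "A2", "customer": "C-200", "time": "2024-01-01T09:05:00"},
    {"type": "order_created",   "order": "A3", "customer": "C-100", "time": "2024-01-01T09:10:00"},
    {"type": "order_created",   "order": "A4", "customer": "C-100", "time": "2024-01-01T09:20:00"},
    {"type": "order_completed", "order": "A1", "time": "2024-01-01T09:30:00"},
    {"type": "order_completed", "order": "A3", "time": "2024-01-01T11:00:00"},
    {"type": "order_completed", "order": "A2", "time": "2024-01-01T12:00:00"},
]


def correlate(events, lookup_status, window):
    """Pair created/completed events for preferred customers only.

    lookup_status is the external-data hook: it is called at correlation
    time, so a status change needs no edit to the correlation logic.
    Returns {order_id: "on_time" | "late" | "open"}.
    """
    open_orders = {}   # order id -> creation time, preferred customers only
    results = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["type"] == "order_created":
            # Selection depends on data the event does not carry.
            if lookup_status(ev["customer"]) == "preferred":
                open_orders[ev["order"]] = ts
        elif ev["type"] == "order_completed" and ev["order"] in open_orders:
            created = open_orders.pop(ev["order"])
            results[ev["order"]] = "on_time" if ts - created <= window else "late"
    # Created but never completed within the event stream.
    for order in open_orders:
        results[order] = "open"
    return results


if __name__ == "__main__":
    print(correlate(EVENTS, CUSTOMER_STATUS.get, timedelta(hours=1)))
    # Promote C-200 in the external table only; the correlation code is untouched.
    upgraded = dict(CUSTOMER_STATUS, **{"C-200": "preferred"})
    print(correlate(EVENTS, upgraded.get, timedelta(hours=1)))
```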