1. The Field of the Invention
The present invention relates to systems and methods for reporting the occurrence of events in a computer system to event subscriber software. More specifically, the present invention relates to filtering events detected by event detection components of a computer system in order to identify a subset of the events that has been requested by the event subscriber software.
2. The Prior State of the Art
As computers and computer network systems have become more sophisticated, processes for detecting the occurrence of events in hardware and software components have become increasingly important and complex. Knowledge of events occurring in computer systems allows management software to reliably identify the components and configuration of a computer system, to respond to hardware failure, or to otherwise monitor and improve the efficient operation of the system. The range of events that may be detected by computer systems and reported to management or other subscriber applications is essentially unlimited. Examples of computer detectable events, to name just a few, include disk drive activity and errors, installation or deinstallation of hardware components, network server activities and failures, and home, business, or network security breaches.
Events are often detected by drivers associated with hardware components, operating system software, and instrumentation specifically designed to monitor hardware or software. As the number of hardware components, the complexity of software, and the size of computer networks have grown over the years, it has become increasingly difficult to create management applications that can become aware of the occurrence of events in an efficient manner.
FIG. 1 is a schematic diagram illustrating a conventional approach for informing an event subscriber application of the occurrence of events. A computer system 10 has a plurality of device drivers 12 operating in kernel mode and an event subscriber 14 operating in user mode. The event subscriber can be, for example, a management program for monitoring events occurring in computer system 10 and responding thereto to improve system efficiency. Computer system 10 also has a Simple Network Management Protocol (SNMP) provider 16, which is a computer-executable program, written to a standard protocol, for detecting events occurring in a network, such as network 18 of FIG. 1.
Event subscriber 14 can be any computer-executable program written to respond to selected events detected by drivers 12, SNMP provider 16, or both. Event subscriber 14 could be local (as shown in FIG. 1) or instead could be on a remote machine with respect to computer system 10. Other systems have used other types of event subscribers/consumers instead of event subscribers. In order to learn of the events detected by drivers 12, the executable code of event subscriber 14 must have been written to be compatible with the interfaces 20 exposed by drivers 12. Likewise, in order to learn of events occurring in network 18, the executable code of event subscriber 14 must be written to be compatible with the interface 22 exposed by SNMP provider 16.
The requirement that event subscribers in conventional systems must be compatible with and issue the proper requests to interfaces associated with event providers, drivers, or other instrumentation for detecting events has introduced an undesirable amount of complexity to the process of monitoring events. In many cases, the event subscriber 14 must be written to many different types of interfaces, particularly when the number of device drivers or event providers becomes large.
In conventional systems, such as that illustrated by FIG. 1, any filtering of events reported by the event providers or drivers has been conducted at each event subscriber 14. Thus, any events detected by drivers 12 or by SNMP provider 16 in this example would be reported to event subscriber 14, whether it is local, as shown, or located at a remote machine. If event subscriber 14 were interested in only a subset of all the events detected by the system, the events not of interest would be discarded at event subscriber 14 after they had been transmitted thereto. As a result, the transmission of notifications of events from multiple drivers and event providers has generated large amounts of data traffic, much of which is not of interest to the event subscribers. This problem has been particularly evident in systems having remote event subscribers, in which notifications of events are transmitted over a network infrastructure. Thus, as the number of detected events and the number of drivers 12 and event providers such as SNMP provider 16 grows large, the data traffic generated in computer system 10 and in associated networks can be significant.
In view of the foregoing, there is a need in the art for systems to facilitate the reporting of the occurrence of events from event providers, drivers, and other instrumentation. It would be an advancement in the art to provide systems for reporting events that do not require the writers of event subscriber applications to have a complete knowledge of the various interfaces associated with drivers and event providers. It would also be advantageous to provide systems that could allow only the events of interest to event subscribers to be reported thereto, while events not of interest are not reported, thereby decreasing the network traffic that has been needed in prior art systems. Such systems would be particularly valuable if they could notify subscribers of the occurrence of events regardless of the capabilities of the source of the events (i.e., event providers, instrumentation, etc.).
The present invention relates to systems and methods for filtering events detected by event providers in computer systems in order to report to subscriber programs only those events that are of interest. Substantially any events capable of being detected by computers or instrumentation associated with computers can be filtered and reported according to the invention. Examples include, but are not limited to, disk drive activity and errors, installation or deinstallation of hardware components, network server activities and failures, and home, business, or network security breaches.
Filtering is performed by an event-filtering component that provides a standardized interface to event providers and to subscriber programs. In one implementation, filtering is conducted by associating event-filtering definitions written in query language with the subscriber programs. The terms of the query-based definitions establish thresholds and filtering conditions that permit only the events of interest to particular subscriber programs to be reported thereto. Moreover, the query-based definitions can be implemented in an event-filtering component relatively close to the source of the events, thereby reducing the data traffic that has been needed in prior art systems to notify subscriber programs of the occurrence of events. For example, the query-based definitions can permit filtering to occur at a local machine before transmitting notifications of events to subscriber programs located at remote machines. Subscriber programs also do not need to be written to provide filtering, since the rich event-filtering capabilities of the invention are built into the infrastructure of the systems of the invention.
In order to establish a context in which the query-based event-filtering definitions can be understood and processed, the computer system can also include a schema repository storing an object-oriented event classification of event classes. The event classes defined in the event classification comprehend a set of possible events, in the sense that any event detected and reported by the event providers belongs to one of the event classes. The event classification can be defined hierarchically, such that event classes are related one to another in parent/child relationships.
As occurrences of events are reported to the event-filtering component by the event providers, the events are compared with the event-filtering definitions to identify the events that are to be reported to the subscriber programs. The events that satisfy one or more of the event-filtering definitions are reported to the corresponding subscriber programs, while the events that do not satisfy any event-filtering definition are discarded or otherwise not sent to the subscriber programs.
The event-filtering component can also maintain event-reporting definitions associated with the event providers to efficiently match event providers to subscriber programs. To present just one example, if an event-reporting definition associated with a particular event provider specifies that any event reported by the event provider necessarily satisfies an event-filtering definition associated with a particular subscriber program, the filtering process becomes relatively simple. In this situation, when the event-filtering component receives notification of the occurrence of an event from the foregoing event provider, the event-filtering component can report the event to the subscriber program without having to examine the parameters of the event.
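The matching described in the preceding three paragraphs can be sketched as follows. This is an added illustration, not code from the patent: the class names in `SCHEMA`, the `Filter` and `FilteringComponent` types, and the provider and subscriber names are all hypothetical, and Python predicates stand in for the query-language definitions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical event classification: each class maps to its parent.
SCHEMA = {"Event": None, "DiskEvent": "Event", "DiskError": "DiskEvent",
          "SecurityEvent": "Event", "LogonFailure": "SecurityEvent"}

def is_a(cls, ancestor):
    """True if cls is ancestor or one of its descendants in SCHEMA."""
    while cls is not None:
        if cls == ancestor:
            return True
        cls = SCHEMA.get(cls)
    return False

@dataclass
class Filter:                      # event-filtering definition of one subscriber
    subscriber: str
    event_class: str
    predicate: Optional[Callable[[dict], bool]] = None  # None: class match only

@dataclass
class FilteringComponent:
    filters: list = field(default_factory=list)
    provider_classes: dict = field(default_factory=dict)  # event-reporting definitions
    examined: int = 0              # how many times event parameters were inspected

    def deliver(self, provider, event_class, props):
        """Return the subscribers to notify for one reported event."""
        declared = self.provider_classes.get(provider)
        notify = []
        for f in self.filters:
            # Fast path: everything this provider reports satisfies the filter.
            if f.predicate is None and declared and is_a(declared, f.event_class):
                notify.append(f.subscriber)
            elif is_a(event_class, f.event_class):
                if f.predicate is None:
                    notify.append(f.subscriber)
                else:
                    self.examined += 1
                    if f.predicate(props):
                        notify.append(f.subscriber)
        return notify

if __name__ == "__main__":
    fc = FilteringComponent(provider_classes={"disk_drv": "DiskError"})
    fc.filters += [Filter("mgmt_console", "DiskEvent"),
                   Filter("soc_monitor", "LogonFailure", lambda p: p["count"] >= 5)]
    print(fc.deliver("disk_drv", "DiskError", {"lba": 7}))   # constructed event
    print(fc.deliver("auth", "LogonFailure", {"count": 9}))  # constructed event
```

The `examined` counter stays at zero for events that take the fast path, which is the saving the event-reporting definitions are meant to provide.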
A conventional query language, such as that typically used to retrieve data associated with relational databases, can be extended to filter events on the basis of the time of their occurrence. For example, event-filtering definitions can specify that events are to be grouped and reported according to selected time intervals. This feature is particularly useful to manage the reporting of frequent events that would otherwise consume large amounts of resources if the events were to be individually reported. The event-filtering definitions can also specify that the event-filtering component is to poll drivers or other instrumentation at a selected frequency when there exists no event driver to report the occurrence of particular events.
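Time-interval grouping of frequent events, as an added illustration that is not part of the patent text. The function name `group_within`, the tuple layout, and the choice to open a window at the first event of each class are assumptions made for this sketch; the sample events are constructed.

```python
def group_within(events, interval):
    """Collapse events into one report per event class per time window.

    events:   iterable of (timestamp_seconds, event_class), sorted by time.
    interval: window length in seconds; a window opens at the first event
              of a class and closes once `interval` seconds have elapsed.
    Returns a sorted list of (window_start, event_class, count).
    """
    open_windows = {}   # event_class -> [window_start, count]
    reports = []
    for ts, cls in events:
        win = open_windows.get(cls)
        if win is not None and ts - win[0] >= interval:
            # Window expired: emit a single aggregate notification.
            reports.append((win[0], cls, win[1]))
            win = None
        if win is None:
            open_windows[cls] = [ts, 1]
        else:
            win[1] += 1
    # Flush windows still open at the end of the input.
    for cls, (start, count) in open_windows.items():
        reports.append((start, cls, count))
    return sorted(reports)

# Constructed sample: seven raw events become four notifications.
SAMPLE = [(0, "LogonFailure"), (1, "LogonFailure"), (2, "DiskError"),
          (4, "LogonFailure"), (10, "LogonFailure"), (11, "LogonFailure"),
          (25, "DiskError")]

if __name__ == "__main__":
    for report in group_within(SAMPLE, interval=10):
        print(report)
```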
The use of the event-filtering component in the computer systems can also provide a standardized interface to which subscriber programs and event providers can be written. Using the standardized interface, the subscriber programs register with the event-filtering component of the invention to define which events are to be delivered to the subscriber programs. The event-filtering component provides notification of events to the registered subscriber programs regardless of the capabilities of the event providers, instrumentation, or other sources of the events. If there is no event provider associated with a requested event, the systems of the invention poll the event data sources directly to detect the occurrence of the event. Such functionality is transparent from the standpoint of the subscriber program, which receives notification of events in a standard way regardless of the type of event providers included in the system, or whether event providers are included in the system at all. In addition, subscriber programs do not need to be written to particular interfaces associated with the event providers, drivers, and other instrumentation.
Additional objects and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The objects and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other objects and features of the present invention will become more fully apparent from the following description and appended claims, or may be learned by the practice of the invention as set forth hereinafter.