1. Technical Field
The present invention relates to data processing systems and, in particular, to event handlers. Still more particularly, the present invention provides a method, apparatus, and program for associating related heterogeneous events in an event handler.
2. Description of Related Art
An event management system is software that monitors servers, workstations, and network devices for routine and non-routine events. For example, routine events such as log-ons help determine network usage, while unsuccessful log-ons are warnings that crackers may be at work or that the network access system is failing. Event managers provide real-time information for immediate use and log events for summary reporting used to analyze network performance.
An event management system is typically made up of client agents that reside in the remote devices, an event handler for gathering the events, an event database, and a reporting system to deliver the results in various formats. Event handlers are typically proprietary for a particular application model and the events they receive and process tend to be homogeneous in terms of supported attributes, attribute syntax, and attribute semantics. An event handler may display events on a console, capture events and store them in a database, raise alarms when certain events are received, forward events to other event handlers, perform data reduction, and correlate related events in order to produce more meaningful results.
Event handlers become more difficult to design and implement when the events have irregular characteristics, such as different syntaxes or semantics. This often happens when an event handler must handle events generated by a variety of different types of applications, e.g., operating systems, Web servers, database servers, intrusion detection systems, antivirus software, firewalls, routers, etc. It may be very difficult to develop logic that understands the variety of events that can be received in sufficient detail to detect the relationships between different events. Again, this is particularly true when the events are received from heterogeneous data sources.
When a variety of events from different data sources is received, the events may include different attributes. Some of the events may be common across certain sets of events and other events may not be common. This makes it difficult to implement algorithms to determine when one or more events are associated in some way.
One prior art solution provides a set of adapters at the application to convert the format of information produced by the application to a standard format understood by the event handler. This is a simple mapping step and each adapter has comparatively little intelligence; an adapter only knows how to map from one format to another. However, the event handler cannot properly handle events that are not in the standard format. Every nonstandard application must be provided with an adapter. Thus, if a nonstandard application is not provided with an adapter, the events may not be handled properly or may be simply discarded.
Therefore, it would be advantageous to provide an improved mechanism for associating related heterogeneous events in an event handler.