In computer systems, for example local area network and mainframe computer systems, event management systems are employed to record a variety of system events initiated by a user. Computer operating systems include basic capabilities for recording these events in any of a number of log files. An operating system can be programmed to generate security alerts upon the occurrence of certain events. Although the logs and security alerts generated by the operating system represent a picture of the activity occurring within a system, that picture is somewhat limited in scope and functionality.
Event management tools provide additional capabilities beyond those made available by an operating system, or application running in the operating system environment. Such tools allow for higher-level management of the event logs and security alerts recorded and generated by the underlying operating system. In one example, namely the Consul/eAudit management tool suite available from Consul Risk Management B.V., Delft, The Netherlands, security logs and real-time security data recorded by the underlying operating systems, applications, or security point solutions, are translated into generalized security events, each event being characterized by five attributes, namely: “who” (the user initiating the event); “what” (the type of event that was initiated); “when” (the time at which the event occurred); “where” (the system or device on which the event occurred); and “on what” (the file, device, or setting that was accessed by the event). The generalized security events are managed by the event management tool to provide for a comprehensive security overview of activity within a given computer system. A forensic statement of the activity is generated, and the management tool can respond in a variety of ways including: immediate alerts to security personnel, offline generation of security reports, and the like.
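The translation step described above, from native log records into generalized five-attribute events, is easiest to see in code. The following is an added example and is not code from Consul/eAudit or from any other product; the two native log formats, the field names, the event-code mapping and the sample lines are all constructed for illustration, and the choice of what to record as "on what" for a logon (the service on the host) is an assumption. It also shows the "immediate alert" response the paragraph mentions, as a simple rule evaluated over the normalized events.

```python
"""Translate heterogeneous native log lines into generalized security events
characterized by five attributes: who, what, when, where, on what.
Added example, not code from any event management product."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class SecurityEvent:
    who: str         # the user initiating the event
    what: str        # normalized type of event
    when: datetime   # time at which the event occurred (UTC)
    where: str       # system or device on which the event occurred
    on_what: str     # file, device, or setting accessed by the event


# Constructed sample records in two unrelated native formats.
SAMPLE_LOGS = [
    # a syslog-style Unix login record (constructed)
    "2023-03-01T09:15:02Z host-a sshd: Accepted password for alice from 10.0.0.5",
    # a Windows-style key=value object-access record (constructed)
    "EventID=4663 Time=2023-03-01T09:16:40Z Computer=HOST-B Subject=bob "
    "ObjectName=C:\\secrets\\payroll.xlsx Access=ReadData",
    # an unrecognized line: the translator must skip it rather than fail
    "garbage line with no structure",
]

_UNIX_RE = re.compile(
    r"^(?P<when>\S+) (?P<where>\S+) sshd: Accepted \w+ for (?P<who>\S+) from (?P<src>\S+)$"
)
_WIN_RE = re.compile(
    r"^EventID=(?P<id>\d+) Time=(?P<when>\S+) Computer=(?P<where>\S+) "
    r"Subject=(?P<who>\S+) ObjectName=(?P<obj>\S+) Access=(?P<access>\S+)$"
)

# Constructed mapping of native event codes to a normalized "what" vocabulary.
_WIN_WHAT = {"4663": "object-access"}


def _parse_time(text: str) -> datetime:
    """Native timestamps are converted to timezone-aware UTC so events from
    different systems can be ordered and correlated on one clock."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def translate(line: str) -> Optional[SecurityEvent]:
    """Translate one native log line into a SecurityEvent, or None if unrecognized."""
    m = _UNIX_RE.match(line)
    if m:
        # Assumption: for a logon, "on what" records the service reached on the host.
        return SecurityEvent(who=m["who"], what="logon-success",
                             when=_parse_time(m["when"]), where=m["where"],
                             on_what=f"sshd@{m['src']}")
    m = _WIN_RE.match(line)
    if m:
        what = _WIN_WHAT.get(m["id"], f"win-event-{m['id']}")
        # Host names are lower-cased so "where" compares equal across sources.
        return SecurityEvent(who=m["who"], what=what, when=_parse_time(m["when"]),
                             where=m["where"].lower(), on_what=m["obj"])
    return None


def translate_all(lines) -> List[SecurityEvent]:
    """Normalize a batch of native records, dropping lines no translator recognizes."""
    return [ev for ev in (translate(line) for line in lines) if ev is not None]


def immediate_alerts(events, sensitive_prefixes=("C:\\secrets\\", "/etc/")) -> List[SecurityEvent]:
    """Simple real-time response rule: flag any event whose target ("on what")
    lies under a sensitive location. Prefixes are constructed for the example."""
    return [e for e in events if e.on_what.startswith(sensitive_prefixes)]


if __name__ == "__main__":
    evs = translate_all(SAMPLE_LOGS)
    for e in evs:
        print(e)
    for e in immediate_alerts(evs):
        print("ALERT:", e.who, e.what, e.on_what)
```

Because every source is reduced to the same five fields, a single rule such as `immediate_alerts` works regardless of which operating system produced the record; a new log format only requires a new translator, not new rules.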
With the growing popularity of the Internet, computer networks continue to become increasingly distributed, in the sense that users initiate events not only within a single computer system, but also across multiple interconnected systems that run different operating systems. As a result, the event management tools currently available are unable to resolve the attributes of events that are initiated remotely or acted upon remotely, i.e., external to a given system.