Computer systems, such as servers and desktop personal computers, are expected to operate without constant monitoring. These computer systems typically perform various tasks without the user's knowledge. When performing these tasks, the computer system often encounters events that require a particular action (such as logging the event, generating an alert for a particular system or application, or performing an action in response to the event). Various mechanisms are available to handle these events.
A computing enterprise typically includes one or more networks, services, and systems that exchange data and other information with one another. The enterprise may include one or more security mechanisms to safeguard data and authenticate users and may utilize one or more different data transmission protocols. At any particular time, one or more networks, services or systems may be down (e.g., powered down or disconnected from one or more networks). Networks, services or systems can be down for scheduled maintenance, upgrades, overload or failure. Application programs attempting to obtain event data must contend with the various networks, services, and systems in the enterprise when they are down. Additionally, application programs must contend with the security and network topology limitations of the enterprise as well as the various protocols used in the enterprise.
Existing operating system components, services, and applications generate events having a variety of different formats. Thus, the event data format may be quite different from one event source to another in the same enterprise. In existing systems, a single system receives events from multiple event sources and provides the events to the appropriate application or device that utilizes the event data. The use of this single system requires the event interpretation activities and the event response actions to be understood by the administrator of the enterprise. In enterprises with a large number of event formats and a large number of event response actions, understanding all event formats and all response actions can place a significant burden on the administrator of the enterprise. Further, each time a new event format is added to the enterprise (e.g., through the addition of a new event source) or a new event response action is created, the administrator must learn the new event format or new response actions.
The system and method described herein address these limitations by separating the handling of the event interpretation activities from the handling of the event response actions. The system and method also provide a standardized header format for event data that is used for all event sources in an enterprise, so that response actions need only understand the standardized header rather than each native event format.
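The following is an added illustration, not code from the document: it shows the separation just described, with one parser per native event format on the interpretation side, a single standardized header as the only contract between the two sides, and response rules that match solely on header fields. The header field names, the three native formats and the sample event lines are all constructed for this example; the document does not specify the header format itself.

```python
"""Event interpretation separated from event response via a standardized header.
Added example; field names and formats are assumptions, not the document's."""
from dataclasses import dataclass
from datetime import datetime
import json
import re
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class StandardHeader:
    """Hypothetical standardized header shared by every event source."""
    timestamp: datetime
    source: str       # originating host or service
    severity: str     # normalized to "info", "warning" or "error"
    event_type: str   # source-specific category carried through as text
    message: str


# Map the many native severity spellings (names, syslog numeric levels) onto three values.
_SEVERITY = {
    "info": "info", "informational": "info", "6": "info",
    "warn": "warning", "warning": "warning", "4": "warning",
    "err": "error", "error": "error", "critical": "error", "3": "error", "2": "error",
}


def normalize_severity(raw) -> str:
    return _SEVERITY.get(str(raw).strip().lower(), "info")


# ---- Interpretation side: one parser per native format, each yields a header or None.
_SYSLOG = re.compile(r"^<(\d+)>(\S+) (\S+) (\S+?): (.*)$")


def parse_syslog(line: str) -> Optional[StandardHeader]:
    m = _SYSLOG.match(line)
    if not m:
        return None
    pri, ts, host, app, msg = m.groups()
    # Low three bits of the syslog PRI value are the severity.
    return StandardHeader(datetime.fromisoformat(ts), host,
                          normalize_severity(int(pri) & 7), app, msg)


def parse_json(line: str) -> Optional[StandardHeader]:
    try:
        d = json.loads(line)
        return StandardHeader(datetime.fromisoformat(d["time"]), d["host"],
                              normalize_severity(d["level"]), d["event"], d["msg"])
    except (ValueError, KeyError, TypeError):
        return None


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Optional[StandardHeader]:
    d = {k: v.strip('"') for k, v in _KV.findall(line)}
    try:
        return StandardHeader(datetime.fromisoformat(d["ts"]), d["src"],
                              normalize_severity(d["sev"]), d["type"], d["msg"])
    except (KeyError, ValueError):
        return None


PARSERS: List[Callable[[str], Optional[StandardHeader]]] = [parse_syslog, parse_json, parse_kv]


def interpret(line: str) -> Optional[StandardHeader]:
    """Try each native-format parser; adding a source means adding a parser here only."""
    for parser in PARSERS:
        header = parser(line)
        if header is not None:
            return header
    return None


# ---- Response side: rules see only StandardHeader, never the native formats.
class EventRouter:
    def __init__(self) -> None:
        self._rules: List[tuple] = []  # (predicate, responder)

    def add_rule(self, predicate: Callable[[StandardHeader], bool],
                 responder: Callable[[StandardHeader], str]) -> None:
        self._rules.append((predicate, responder))

    def dispatch(self, header: StandardHeader) -> List[str]:
        return [respond(header) for matches, respond in self._rules if matches(header)]


def log_event(h: StandardHeader) -> str:
    return f"LOG {h.severity} {h.source} {h.event_type}"


def alert_event(h: StandardHeader) -> str:
    return f"ALERT {h.source}: {h.message}"


def build_router() -> EventRouter:
    router = EventRouter()
    router.add_rule(lambda h: True, log_event)                     # log every event
    router.add_rule(lambda h: h.severity == "error", alert_event)  # alert only on errors
    return router


# Constructed sample events in three different native formats, plus one non-event line.
SAMPLE_EVENTS = [
    "<35>2024-05-01T10:00:00+00:00 web01 sshd: Authentication failure for user admin",
    '{"time": "2024-05-01T10:00:05+00:00", "host": "db01", "level": "warning", '
    '"event": "disk_space", "msg": "volume /var at 91%"}',
    'ts=2024-05-01T10:00:09+00:00 src=app02 sev=info type=backup msg="nightly backup completed"',
    "this line is not an event",
]


def process(lines: List[str]) -> Dict[str, List[str]]:
    """Interpret each line, then hand the standardized header to the router."""
    results: Dict[str, List[str]] = {"actions": [], "unparsed": []}
    router = build_router()
    for line in lines:
        header = interpret(line)
        if header is None:
            results["unparsed"].append(line)  # surface, never silently drop
        else:
            results["actions"].extend(router.dispatch(header))
    return results


if __name__ == "__main__":
    for key, values in process(SAMPLE_EVENTS).items():
        print(key, values)
```

Because the router never touches a native format, a new event source only requires a new parser, and a new response action only requires a new rule; neither change forces the other side to be revisited, which is the administrative burden the text describes.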