The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by their inclusion in this section.
The vast majority of organizations today rely on computer systems and networks for an increasingly wide variety of business operations. As the reliance on these systems and networks has grown, so too has the importance of securing those computer systems and networks against internal and external security threats. However, the breadth and complexity of security threats targeting such computer systems and networks are vast and ever growing. To monitor and address these security threats, organizations increasingly rely on sophisticated computer network security applications and hardware such as firewalls, anti-virus tools, data loss prevention software, etc.
One aspect of many network security applications involves processing event data generated by monitored components of a computing environment. For example, a network security application may detect and log events generated by network devices, system software running on various devices, and application software, among other event-generating components. The types of events generated by these and other components may correspond, for example, to instances of network messages sent and/or received by the devices, to device and/or application status messages, error messages, and so forth.
In computing environments which include virtualized computing resources, one source of event data is often hypervisors running on one or more physical machines within the environments. At a high level, a hypervisor is a software or firmware component that manages the creation and operation of one or more virtual servers on host hardware. Each virtual server running on a hypervisor may share hardware and software resources with other virtual servers running on the same hypervisor. During operation, a hypervisor may generate event data relating, for example, to the creation of virtual servers at the hypervisor, to the performance of virtual servers managed by the hypervisor, to error and status information related to hosted virtual servers, etc. However, computing environments might include any of several different types of hypervisors, and may even include different types of hypervisors within the same environment, and the way in which event data is generated and made accessible generally is not uniform across different types of hypervisors. As such, accurately analyzing and responding to hypervisor-generated event data in a consistent manner presents many challenges.