A conventional event notification management system (ENMS) receives event notifications which describe events such as login attempts at remote devices. Upon receipt of the event notifications, the conventional ENMS stores the event notifications in a database. Some of the event notifications arrive unsolicited via User Datagram Protocol (UDP), without any request by the conventional ENMS; examples of such event notifications, which describe "push" events, are Syslog messages from Unix-based firewalls, routers and switches. Because UDP is connectionless, such pushed notifications are not acknowledged and may be lost without the sender or the ENMS noticing. Other event notifications arrive over a TCP/IP connection as a result of the conventional ENMS actively reading a data log on a remote device; examples of such event notifications, which describe "pull" events, are those stored locally in the event log of a Windows®-based device.
Certain events trigger alerts based on pre-defined alert rules within an ENMS. An alert is a message which notifies an administrator that a particular user's activity indicates a high risk of malicious intent. The conventional ENMS includes an alerting system which performs an alert filtering operation on each event notification stored in the database. The alert filtering operation determines whether the event described by the event notification requires the alerting system to generate an alert concerning the user associated with the event. For example, the alerting system will look in the database for event notifications describing login failures on a Microsoft Exchange® server and, if the rule's conditions are met, generate an alert naming the user whose login failed.
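The following is an added example, not code from the original text, showing the two ingestion paths and the alert filtering operation described above in one small in-memory pipeline: a pushed Syslog line and a record pulled from a Windows event log are normalized into a common event notification, stored, and then filtered by a rule that alerts when the same user accumulates repeated login failures. The Syslog and SSH message formats, the shape of the Windows record, the device names, the sample lines and the rule threshold (three failures within five minutes) are all assumptions constructed for the example; the Windows Security log IDs 4625 (logon failure) and 4624 (logon success) are real.

```python
"""Added example: a minimal ENMS-style pipeline with push (UDP Syslog) and
pull (Windows event log) ingestion feeding one store and one alert rule.
All device names, sample lines and the threshold are constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class EventNotification:
    timestamp: datetime
    device: str
    transport: str       # "udp-push" (Syslog) or "tcp-pull" (remote log read)
    user: str | None
    event_type: str      # "login_failure", "login_success" or "other"
    raw: str


# Assumed RFC 3164-style Syslog line: "<PRI>Mon DD HH:MM:SS host program: message"
SYSLOG_RE = re.compile(
    r"^<\d+>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# OpenSSH-style login messages (assumed formats for the example)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from")
SSH_OK_RE = re.compile(r"Accepted password for (?P<user>\S+) from")


def parse_syslog(line: str, year: int) -> EventNotification:
    """Normalize a pushed Syslog line. RFC 3164 timestamps carry no year,
    so the receiver must supply it."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    user, kind = None, "other"
    if (f := SSH_FAIL_RE.search(msg)):
        user, kind = f["user"], "login_failure"
    elif (ok := SSH_OK_RE.search(msg)):
        user, kind = ok["user"], "login_success"
    return EventNotification(ts, m["host"], "udp-push", user, kind, line)


# Windows Security log: 4625 = an account failed to log on, 4624 = logon succeeded.
WINDOWS_EVENT_TYPES = {4625: "login_failure", 4624: "login_success"}


def parse_windows_event(rec: dict) -> EventNotification:
    """Normalize a record pulled from a Windows event log. The dict keys
    mirror fields of such a record, but this flat shape is an assumption."""
    kind = WINDOWS_EVENT_TYPES.get(rec["EventID"], "other")
    return EventNotification(datetime.fromisoformat(rec["TimeCreated"]),
                             rec["Computer"], "tcp-pull",
                             rec.get("TargetUserName"), kind, repr(rec))


def alert_filter(store: list[EventNotification], threshold: int,
                 window: timedelta) -> list[dict]:
    """Alert rule (assumed policy): `threshold` or more login failures for
    the same user, on any devices, inside a sliding `window`. Emits one alert
    per user the first time the threshold is crossed."""
    by_user: dict[str, list[EventNotification]] = defaultdict(list)
    for ev in sorted(store, key=lambda e: e.timestamp):
        if ev.event_type == "login_failure" and ev.user is not None:
            by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.timestamp - start.timestamp <= window]
            if len(in_window) >= threshold:
                alerts.append({"user": user, "count": len(in_window),
                               "devices": sorted({e.device for e in in_window}),
                               "first": in_window[0].timestamp,
                               "last": in_window[-1].timestamp})
                break
    return alerts


# Constructed sample input: pushed Syslog lines and pulled Windows records.
SAMPLE_SYSLOG = [
    "<38>Mar 12 09:14:01 fw-edge01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "<38>Mar 12 09:14:09 fw-edge01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51030 ssh2",
    "<38>Mar 12 09:15:30 core-sw01 sshd[811]: Accepted password for netops from 192.0.2.15 port 40010 ssh2",
]
SAMPLE_WINDOWS = [
    {"TimeCreated": "2024-03-12T09:14:20", "Computer": "exch01", "EventID": 4625, "TargetUserName": "admin"},
    {"TimeCreated": "2024-03-12T09:16:02", "Computer": "exch01", "EventID": 4624, "TargetUserName": "jsmith"},
    {"TimeCreated": "2024-03-12T09:20:45", "Computer": "exch01", "EventID": 4625, "TargetUserName": "jsmith"},
]


def run_pipeline(threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Ingest both sample feeds into one store and run the alert filter."""
    store = [parse_syslog(line, 2024) for line in SAMPLE_SYSLOG]
    store += [parse_windows_event(rec) for rec in SAMPLE_WINDOWS]
    return store, alert_filter(store, threshold, window)


if __name__ == "__main__":
    _, found = run_pipeline()
    for alert in found:
        print(alert)
```

With the constructed input, the user `admin` fails twice on the firewall (pushed Syslog) and once on the Exchange host (pulled Windows record) within five minutes, so the rule fires once for that user and lists both devices; `jsmith` has a single failure and produces no alert. Correlating across the two transports is the point: neither feed alone crosses the threshold.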
The conventional ENMS also retains the event notifications in the database in order to analyze long-term trends and comply with reporting requirements.