The present invention relates to managed computer networks. More specifically, the invention relates to systems and methods for managing the status of computer networks.
The stability and reliability of a company's computer network are essential for many companies that rely on their computer networks to support the company's day-to-day operations. In order to manage the increasingly large and complex computer networks, a method of recording and saving important events on each server on the network is usually required. This requirement was recognized early in the development of computer networks and all significant operating systems currently in use provide for the recording and saving of important events. The important events are saved in one of a number of data format protocols such as, for example, the syslog protocol or the SNMP protocol. Most network devices such as, for example, servers, routers, bridges, and the like may be programmed to save and transmit significant events and usually follow one of the data format protocols using one of the network transport layer protocols such as, for example, TCP or UDP. In a large network, it is not unusual for hundreds or thousands of network devices such as servers, routers, bridges, and the like to send log information about significant events.
In order to manage and distill the vast amounts of log data, Security Information Management (SIM) software is usually installed to manage the log data generated on the network. The SIM software may be a stand-alone product such as ArcSight, for example, or may be part of network management software such as, for example, HP OpenView from Hewlett-Packard. Each SIM product uses a specific protocol to receive security data from the network. Some network devices can send security data to only one destination, while others can send to multiple destinations, thereby enabling multiple network-dispersed SIM products to receive the log data. Furthermore, some protocols require modification of the data packet while the data packet is routed through the network. The wide variety of methods used by the SIM products makes evaluation and testing of SIM products on a live network very difficult. Furthermore, in large networks, several SIM products may be installed to support different network management functions for different support groups.
Protocols such as syslog and SNMP provide a common format for reporting basic system events from network devices and servers to a variety of SIM products, but these products do not consolidate or distill the raw data into useful information that a system administrator can use to intelligently manage the computer network. Furthermore, system administration is usually not done from a central location by a single group. Instead, the various system administration functions, such as network engineering or network security, are performed by different groups that may be geographically distributed throughout the company's network. Each group must receive timely and accurate data to perform its function. Therefore, there remains a need for systems and methods that provide the relevant event logging data to each of the system administration functions that manage the computer network.
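As an added illustration (example code, not part of this specification or any SIM product), the following Python sketch shows the distribution problem described above: a syslog line's PRI header is decoded into its facility and severity, and the line is relayed unmodified to the collector of every support group whose routing rule matches. The group names, the routing table, the collector addresses and the sample log lines are all assumed for the example.

```python
import re
import socket

# PRI = facility * 8 + severity (syslog convention); only a few facilities are named here.
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 10: "authpriv", 16: "local0"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Assumed routing table: which group wants which facilities, up to which severity index
# (a lower index is more severe, so max_severity=4 means "warning and worse").
ROUTES = {
    "security": {"facilities": {"auth", "authpriv"}, "max_severity": 7},
    "network": {"facilities": {"kern", "daemon"}, "max_severity": 4},
}

def parse_syslog(line):
    """Split the <PRI> header off a syslog line and name its facility and severity."""
    m = _PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI value
        raise ValueError("missing or out-of-range PRI header")
    pri = int(m.group(1))
    return {"facility": FACILITIES.get(pri // 8, str(pri // 8)),
            "severity": SEVERITIES[pri % 8], "msg": m.group(2).strip()}

def route(event, routes=ROUTES):
    """Names of the groups whose rule matches this event's facility and severity."""
    sev = SEVERITIES.index(event["severity"])
    return [name for name, r in routes.items()
            if event["facility"] in r["facilities"] and sev <= r["max_severity"]]

def udp_send(dest, payload):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, dest)

def fan_out(line, collectors, send=udp_send):
    """Relay the raw line byte-for-byte to each matching collector and return the
    group names served; `send` is injectable so the relay can run without a network."""
    targets = route(parse_syslog(line))
    for name in targets:
        send(collectors[name], line.encode())
    return targets

if __name__ == "__main__":
    # Constructed sample lines and collector addresses, not taken from any real network.
    collectors = {"security": ("127.0.0.1", 5140), "network": ("127.0.0.1", 5141)}
    for sample in ("<38>Jan  5 10:00:01 fw01 sshd[123]: Accepted publickey for ops from 10.0.0.5",
                   "<27>Jan  5 10:00:02 rtr01 bgpd[42]: neighbor 10.0.0.1 went down"):
        print(sample[:4], "->", fan_out(sample, collectors))
```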