The present invention relates to a method and apparatus for processing network events to reduce the number of events to be displayed to an interested user (e.g. displayed on a screen or printed on a printed sheet).
Network management applications commonly monitor a number of conditions on the network. If the application detects unusual or undesirable conditions, it creates an event. In the context of this invention an ‘event’ is a record which describes a condition on the network which has been detected. A list of the detected events is displayed to a user in an event log. This event log is intended to be of assistance to the user of the application in diagnosing problems with the network.
The event log is normally accessible from either a processor forming part of the network controller such as the server itself, or on a network manager's computer or workstation. The event log comprises a list of events which have been detected on the network which should be drawn to the attention of the network manager. Generally speaking, these events are problems which have occurred with the network as is well known. Thus the problem may be with the particular devices on the network, or on the links between the devices.
However, typically a single problem with the network can produce a several unusual or undesirable conditions and thus several events are displayed to the user. For example, a fault with one link may cause events (errors) to be shown in respect of many devices and links linked to that link although there is only one problem, i.e. the problem with that link. This can make it difficult for the user to diagnose the actual problem.
FIG. 1 shows the standard method for displaying events. Events are produced by a number of sources within the application and are immediately displayed in the event log.
Typically, a network management system will use a number of methods for deciding when to produce an event. One technique commonly used is for the network management system to send an ‘ICMP ping’ (ICMP is “internet control management protocol”) to a network device. If the device does not respond to the ping then the network device may well not be functioning properly and so an event is created. Another technique is to use SNMP (“simple network management protocol”) to retrieve information from a network device. If the values retrieved via SNMP indicate an unusual condition then an event is created. A third technique is to create an event whenever the network management system receives an ‘SNMP trap’. These are sent to the network management system by network devices if the network device detects an unusual occurrence on the network.
Network management systems commonly monitor a number of metrics on a network link in order to spot when a problem occurs. These metrics are usually based upon standard MIB variables (see rfc 1757—Remote Network Monitoring Management Information Base Version, rfc 1213—Management Information Base for Network Management of TCP/IP-based Internets, rfc 1493—Definition of Managed Objects for Bridges, rfc 1516—Definition of Managed Objects for 802.3 Repeater Devices). Each metric has a threshold associated with it and if the value exceeds this threshold an event is generated.
Two assumptions are made about ‘events’.
Firstly, if a condition is detected on the network and an event is generated, then the network management system will not generate another event until the condition which caused the first event has disappeared. This means for example, that if a device stops responding to ICMP pings, then only one event is generated to record this fact. A second event is only generated if the device starts responding again and then stops responding again.
The second assumption is that it is always possible to determine if an event is ‘resolved’. An event is considered to be ‘resolved’ if the original condition which caused the event has gone away.
Note that with minor modification the preferred method of the invention is applicable to systems which do not conform to these assumptions; these assumptions are merely made to clarify and simplify the description of the invention.