Surety is performing system maintenance this weekend. Electronic date stamps on new Prior Art Database disclosures may be delayed.
Browse Prior Art Database

Methods for Advanced Event Correlation

IP.com Disclosure Number: IPCOM000010286D
Original Publication Date: 2002-Nov-18
Included in the Prior Art Database: 2002-Nov-18
Document File: 2 page(s) / 51K

Publishing Venue




This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 50% of the total text.

Page 1 of 2

Methods for Advanced Event Correlation

  A correlation engine is a high speed filtering engine for correlating events using state-based and stateless rules. The specification of a rule comprises a number of rule-specific parameters such as threshold limits, one or more predicates for matching events relevant to the rule, and one or more optional actions to take place once the rule fires.

    An example of a correlation engine is described in US patent No. 6,33,139. This document summarizes various improvements to the correlation engine described in the aforesaid patent.

    One such improvement is the addition of a state-machine based correlation rule that collects events that match a filter predicate for a specified time interval and that forwards all collected events to the next processing step at the end of the time interval. This rule can be used to collect similar events so that they can be subsequently processed all at once instead of one by one. A use case is a reduction of events to a management console by collecting a set of rules and forwarding a single "summary" event.

    Each state machine holds a collection of events that match its predicate until the rule triggers. Depending on the correlation function performed by the state machine, one or more of these events may be either forwarded or discarded, but only at the time the rule triggers. A flush mechanism can be employed as a way for the correlation engine to forward such "held" events in cases when the correlation engine is properly shutdown. This prevents loss of events when the events are correlated but not yet completely processed by the respective state machine. The mechanism may be is as follows: the correlation engine calls the "flush" method in each active state machine; and, the flush method forces each state machine to immediately trigger, forwarding all events currently stored or held.

    During runtime, there are a number of events that are held in the correlation engine within state machine rules. When a rule triggers, based on the correlation scheme, kept events for that rule are either discarded or forwarded. In the event of a correlation engine crash, all "held" events will be lost. A persistence mechanism can be employed as a way to recover such events so that they can either be played back to restore the correlation engine to its pre-crash state, or simply forwarded. The persistence mechanism may be as follows: each event has an "in use" counter; when an event is correlated into a rule, the "in use" counter is incremented; when an event is no longer needed by a rule (at trigger time), the "in use" counter is decremented; if the "in use" counter has value of "0" and is incremented, then the ev...