Administer events

An event is a notification from one or more monitoring tools that indicate something of interest has occurred, such as a log message, warning, or error.

Event process flow

Event Management receives external events and generates alerts based on event and alert rules. Events can be sent directly to your instance using an email server, script, SNMP trap, or a web service API. The corresponding alerts appear on dashboards for tracking and remediation purposes.

As the computer, software, or service generates events, the MID Server polls the external event tracking tool. The MID Server, which maintains a connection to Event Management, sends the information to your instance for storage, processing, and remediation.

Event fields uniquely identify each event. Event Management uses this information to determine whether to create a new alert or update an existing one. By default, each event is uniquely identified by the Message Key. If the Message Key is not populated, a concatenation of the Source, Type, Node, Resource, and Metric Name fields are used and these fields populate the Message Key. If identifiers are not supplied in the event, you can add them with event rules.

The instance stores events in the Event [em-event] table and attempts to generate alerts based on pre-defined rules and event mappings. Regardless of whether an alert generates, the original event is always available for review and remediation. Alerts then generate according to the following process flow.

  1. Find the best matching event rule for an event. If the source of the event matches the source specified in an existing rule, then a rule is matched. Also, if the event matches the optional rule Filter and the event additional_info value matches the rule Additional Information filter. A rule without any filter is ignored, for example the source filter is missing or the Additional Information filter is missing. If multiple rules are defined for the same type of event, use the rule Order to determine the order of rule application.
    • If the rule Ignore check box is selected, no alert generates. However, the event is still available for review and remediation.
    • If the Transform check box is selected, apply the transforms. If transform compose parameters are also set, apply additional content to display to the user in the alert.
    • When the Threshold check box is selected, accumulate all events until the threshold is met. Generate a single alert for the events.
  2. Search for an event field mapping even if there was no event rule. If an event field mapping is found, apply the mapping information. If the event has no severity after the event transformations, retain the event for reference purposes and do not generate an alert.
  3. Search the Alert [em_alert] table for a matching message key. If a matching message key exists, update the alert according to the event information. Otherwise, create an alert. Later, if another event has the same matching key, associate the events under a single alert. If possible, bind the alert to a specific CI for root cause analysis.
Figure 1. Event process flow
Event Management event workflow