Understanding Event Management

Monitor the health of business services and infrastructure using a single management console and respond appropriately to any issues that come up. Event Management provides intelligent event and alert analysis to ensure continuity of your business service performance. Event Management receives and processes events via the MID Server.

What Event Management can manage

Event Management can manage:

Discovered business services
A Business service is a definition of interrelated CIs from the CMDB. The discovered service, from Service Mapping, includes a business service map with: mapping relationships, an impact tree showing outage severity, active alerts, related alerts, and CI properties. Business service information is discovered by Service Mapping. The mapping information appears on dashboards, the Alerts list, and the Events list.
Manual services
A Manual service is a business service created by selecting CIs to include in the service. Manual service information appears on dashboards with drill-down capability to a map view.
Technical services
A Technical service is a dynamic grouping of CIs, based on some common criteria. For example, you can create a technical service based on location for all web servers or all databases in Ireland.
Alert groups
Alert groups show sets of alerts for ease of maintenance. Alerts groups are not the same as automated alert groups.

Architecture

As events occur on various systems, the MID Server connector instance sends the events to the instance. Event Management generates alerts, applies alert action rules, and prioritizes alerts for remediation and root cause analysis. View this information on dashboards, the Alert Console, or from a service map.
Figure 1. Event Management architecture

Workflow

Event Management receives external events and generates alerts based on event and alert action rules. Events are sent directly to your instance using an email server, script, SNMP trap, or a web service API. The corresponding alerts appear on dashboards for tracking and remediation purposes.

As the computer, software, or service generates events, the MID Server polls the external event tracking tool. The MID Server, which maintains a connection to Event Management, sends the information to your instance for storage, processing, and remediation.

The instance stores events in the Event [em_event] table and attempts to generate alerts based on pre-defined rules and event mappings. Regardless of whether an alert generates, the original event is available for review and remediation. Alerts generate according to the following process flow:

  1. Find the best matching event rule for an event. If the source of the event matches the source specified in an existing rule, then a rule is matched. Also, if the event matches the optional rule Filter and the event additional_info value matches the rule Additional Information filter. A rule without any filter is ignored, for example the source filter is missing or the Additional Information filter is missing. If multiple rules are defined for the same type of event, use the rule Order to determine the order of rule application.
    • If the rule Ignore check box is selected, no alert generates. However, the event is still available for review and remediation.
    • If transforms have been defined, apply them. If compose parameters are set, apply the additional content to display to the user in the alert.
    • If Active in the threshold section is selected, accumulate all events until the threshold is met. Generate a single alert for the events.
  2. Search for an event field mapping even if there was no event rule. If an event field mapping is found, apply the mapping information. If the event has no severity after the event transformations, retain the event for reference purposes and do not generate an alert.
  3. Search the Alert [em_alert] table for a matching message key. If a matching message key exists, update the alert according to the event information. If a matching message key does not exist, create an alert. If another event has the same matching key, associate the events under a single alert. For root cause analysis purposes, bind the alert to a specific CI.
Figure 2. Event workflow
Event Management event workflow

Event Management and Service Mapping

Event Management uses discovered services from Service Mapping and automated alert groups with root cause analysis (RCA) to expedite alert resolution.

When an event from an external source arrives from the MID Server, script, or web service API (not pictured), Event Management locates CI information for alert generation and CI remediation. CI information is stored in the CMDB from sources such as Service Mapping, Discovery, third-party sources, and manual population. You can use correlated alert group and root cause analysis information to resolve the issue.

Figure 3. Event Management interoperability