14 Replies Latest reply on Jun 22, 2010 5:10 PM by bshopp

    Event Correlation engine for ORION?

      Hi folks,

      New to the forums but veteran Network Managementarian and long time SW customer. We are about to deploy the full suite of ORION modules so looking forward to tuning things the way we want over the next few months. My question to SW developers is whether or not event correlation is on the development horizon? It would, as I'm sure everyone would agree, be the holy grail for this suite of apps.

      Thanks
      Colly
        • Re: Event Correlation engine for ORION?
          byrona

          Colly

          I have also been working with network monitoring software for some time now and have always enjoyed the concept of event correlation.  However, in my experience all of the products that claim to have that capability never seem to deliver on it very well... at least not without a bunch of manual configurations that must be constantly maintained. 

          This brings me to my question for you; which products have you worked with that have the type of event correlation that you are interested in?

            • Re: Event Correlation engine for ORION?

              Hi byrona

              We have trialled EMC SMARTS (N-Layers) in the past and I would agree that while great technology (and hugely expensive) it requires a lot of manual configuration and constant attention particularly when building service models. The real reason I'm asking SW about this is that HP came into me recently re: their new invocation of NNM and its event correlation features and this is the only feature it has that SW suite does not...

              Colly

                • Re: Event Correlation engine for ORION?
                  denny.lecompte

                  We hear "event correlation" a lot.  But when I drill down with people, I get a variety of answers on what the term means.  For you, what is event correlation?  What business problems does it solve?  What does it look like?

                    • Re: Event Correlation engine for ORION?

                      Hi Denny,

                      Yes it does get mentioned a lot. Event correlation to me would be a system that correlates alerts and data from multiple sources (i.e. SNMP traps, syslog etc from multiple vendor platforms) to provide root cause analysis for a network event/fault. In general I would expect the system to suppress alerts and provide intelligent consolidated alerting to isolate root cause during topology changes on the network caused by hw/ or WAN faults. The business problems I would see it solving are reduction in operational support overhead although I'm not sure how quantifiable this is.... or even if it's a problem per se! Given that SW now offers us a consolidated view of the network (rather than the 4 systems we had previously) we will benefit from reduced operational support in any case... I guess I was just wondering if SW were looking at this area of NetMan.

                      Regards,

                      Colin

                      • Re: Event Correlation engine for ORION?
                        mr.e

                        Denny,

                        I recently took over the administration of our Orion NPM/IPAM tools for my firm.  We have almost 150 offices of all sizes (large, medium, small).  The issue of correlation interests us quite a bit, as we contemplate the thought of replacing the alerting we receive from NetView with Orion NPM.  I glanced at the Advanced Alerts document and checked out the video posted.

                        I tried to set up some alerts in Orion NPM, but also found the process to be quite time consuming and cumbersome, especially the correlation.  My mind just gets overwhelmed by the dependencies we have.  I almost wish that there was a "drag & drop" method.  It would still be time consuming but at least I would not have to do so much typing.  Just wishful thinking???

                          • Re: Event Correlation engine for ORION?
                            denny.lecompte

                            newkidd2,

                             

                            It's not wishful thinking.  It's something we need to improve in the relatively short-term.  More details when I have more details that I can share.

                              • Re: Event Correlation engine for ORION?
                                smartd

                                If you did nothing but add all the scripting functions available in the open source Simple Event Correlator, that would be very helpful. A library of which syslog events or traps are critical and need to be tracked would be helpful.

                                -=Dan=-

                                • Re: Event Correlation engine for ORION?

                                  ...just to continue with the thread of "what do people really want"...

                                   It's going to be tricky to build some form of EC system that would be generalist enough to satisfy a wide enough group to make it worth doing...a few companies have tried. Just the effort to examine the way that a processing language should be structured seems daunting. The IBM TEC3.8-3.9 releases used Prolog (!) as a language for describing network events. This is flexible but hard....SEC uses regex which I think people will generally find pretty cryptic as well? After all if you have an Event Processing Language that's hard to learn, needs an expert or is simply obscure, then the problem gets worse not better. Perl seems to be a better choice?

                                  Then there is the way to integrate this...could I suggest that maybe an option for Orion in the short term might be to provide explicit ways to hook existing third-party tools up...there are a few out there that seem quite good but the catch is hooking the output of the correlation engine up to the SNMP tool in a way that makes it look integrated. I want one screen providing the main view. The engine takes care of all the nasty stuff and presents a much reduced stream of 'intelligent events' plus 'actions', but the point here is that it has to present these to what exactly and how...in order to get the desired benefit. I suspect that this is where the real benefit might lie for SolarWinds. Kind of a way to see how it might be used in real systems without wasting much effort.

                                  geoff

                                  New Zealand

                                    • Re: Event Correlation engine for ORION?
                                      MagnAxiom

                                      For me, just simple parent/child relationships would go a long way toward "event correlation".  If my remote site goes down because of the WAN router, have Orion be smart enough to realize that the 40+ devices behind that router are down BECAUSE of the router outage, and not spam me with 41 emails about all the site nodes going down.  A single email detailing the entire site is down based upon the router being down would be great.  I understand that things can be done via Advanced Alerts to "mimic" this behavior, but it is labor intensive and quickly becomes a monumental task when you have a lot of field sites.
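
The parent/child suppression requested in the post above, and the consolidated root-cause alerting Colin describes earlier in the thread, sketched as an added example. This is not code from any poster or from Orion; the node names, the dependency map and the poll result are constructed for illustration.

```python
from collections import defaultdict

# Constructed topology (child -> parent); all node names are hypothetical.
PARENT_OF = {f"br07-dev-{i:02d}": "br07-wan-rtr" for i in range(1, 41)}
PARENT_OF.update({"br12-ap-03": "br12-wan-rtr"})

# Constructed poll result: site br07 is dark, and one AP at br12 failed alone.
DOWN = ["br07-wan-rtr", "br12-ap-03"] + [f"br07-dev-{i:02d}" for i in range(1, 41)]


def root_cause(node, parent_of, down):
    """Climb the dependency chain while each parent is also down."""
    root, seen = node, {node}
    parent = parent_of.get(node)
    while parent in down and parent not in seen:  # 'seen' stops a looped map
        seen.add(parent)
        root = parent
        parent = parent_of.get(parent)
    return root


def correlate(down_nodes, parent_of):
    """Return one consolidated alert per root cause instead of one per node."""
    down = set(down_nodes)
    groups = defaultdict(list)
    for node in down:
        groups[root_cause(node, parent_of, down)].append(node)
    alerts = []
    for root in sorted(groups):
        suppressed = sorted(n for n in groups[root] if n != root)
        text = f"{root} is down"
        if suppressed:
            text += f"; {len(suppressed)} dependent node(s) unreachable behind it"
        alerts.append({"root": root, "suppressed": suppressed, "message": text})
    return alerts


if __name__ == "__main__":
    for alert in correlate(DOWN, PARENT_OF):
        print(alert["message"])
```

A node whose parent is still up is reported on its own, so a single failed device at a healthy site is not hidden by the suppression.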