An overview of Topology Based Event Correlation (TBEC) and its features
©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Session ID: BTOT-WE-1000-9 Twitter hashtag #HPSWU
Speaker Name: Dave Trout, HP BSM Customer Assist Team
Date: 30-Nov-2010
Session ID: BTOT-TU-1600/2
HP Operations Manager i
Topology Based Event Correlation
Concepts and Operation
3 HP Confidential
Agenda
– TBEC in action (What does it do?)
– Basic concepts of TBEC
– Using the Correlation Manager
– Automatic cross-domain correlation
– New TBEC features in OMi 9.0
– Summary
TBEC = Topology Based Event Correlation
TBEC in action
Demo
TBEC Basic Concepts
BSM Service Health hierarchy
[Diagram: layers from top to bottom: KPIs; Health Indicators; OMi Events with Event Type Indicators; OMi Events. Event sources at the bottom: OM, SiS, BPM, RUM, NNMi, 3rd Party Mgrs. Side labels: Service Health System; Event Management.]
ETI = Event Type Indicator
– ETI is an attribute of an event
– Indicates concise status of managed infrastructure element
– Set based on a hint* in the event or via server based mapping filters
– Are defined per CI Type
• Only pre-defined ETIs are evaluated when events arrive
• Valid for all derived CI Types

CI Type     Example ETIs
Database    OracleReadWriteError:Occurred, ArchiveMode:Enabled, MemorySortRate:Normal, OracleSessionCount:High, ReplicationStatus:Broken, SQLQueryPerformance:Normal
Node        UnexpectedReboot:Occurred, BackupJob:Failed, PingAvailability:Unavailable, LogicalDiskFreeSpace:NearCapacity, MemoryUsageLevel:High
Router      LinkStatus:Up, NodeState:Down

* Custom Attribute “EventTypeIndicator” = “<ETI name>:<ETI value>”
Correlation requires ETIs
[Diagram: the Service Health hierarchy (KPIs; Health Indicators; OMi Events with Event Type Indicators; OMi Events; event sources OM, SiS, BPM, RUM, NNMi, 3rd Party Mgrs) with two callouts:]
– Only Events with Event Type Indicators can be correlated
– Event Type Indicators are used to define correlation rules
Cause and symptom events
– Something goes wrong in your environment
– Monitoring reports multiple problems via events
– Usually just one of the events describes the cause of the problem
– Others are just symptoms
– Fix the cause and also the symptoms go away
In a nutshell, TBEC identifies CAUSE and SYMPTOM events
Topology: the “T” in TBEC
– Cause and symptoms are one part of a rule
– The other part is the CI type topology
Events are correlated if the topology and Event Type Indicators are matching
Correlation requires relationship
[Diagram: three events on CIs, with “Cause” and “Symptom” labels: Event1 Ping:Unavailable, Event2 LinkStatus:Down, Event3 Ping:Unavailable]
– Two events, CIs not within the same topology => no correlation
– Cause and symptom ETIs set by events AND cause and symptom CIs within the same topology => events are correlated
Time window for correlation
– Even if cause and symptom and the connecting topology match, events might not be correlated
– Events have to arrive within a certain time window
• A time window starts when the first cause or symptom event arrives that cannot be correlated with any other event
– Default time window is 16 minutes
– Each correlation rule can have its own time window which overrides the global setting
[Figure: timeline along a “Time” axis with two “Event” markers, a “Correlation Window” and a “No correlation” label]
A simple correlation rule
What the rule defines:
– IF the system receives an event that sets LinkStatus = Down
– AND IF the system receives an event that sets Ping Availability = Unavailable
– AND IF the Router and Computer are somehow connected (topology)
– AND IF that happens at roughly the same time
– THEN the system will mark the LinkStatus Down event as CAUSE and the Ping Availability Unavailable event as SYMPTOM
TBEC correlation rules – semantics
– A correlation rule shows possible cause-symptom relationships:
• If the two events happen within a defined window of time, then correlate. Otherwise do nothing.
– A correlation rule does NOT say
• If I have that cause, then I will see that symptom (impact)
• If I see that symptom, then I must have this cause for it
– One cause can have multiple symptoms (and not all have to appear at the same time)
Usage when defining rules
– A correlation rule must include at least one CAUSE and one or more SYMPTOMs
– Multiple CAUSE specifications are allowed if they reference the exact same CI Type
– A SYMPTOM in one rule can be configured as a CAUSE in another rule (and vice versa)
TBEC Cause/Symptom
Correlation Engine behavior
– A correlation rule triggers when a CAUSE event and any combination of specified SYMPTOM events occur within the correlation time window
– CAUSE and SYMPTOM events can occur in any sequence within the time window
– A rule which would otherwise mark an event as a SYMPTOM will be ignored for the event if it is already marked as a SYMPTOM to a different CAUSE event
– A duplicate CAUSE event which arrives during a correlation window is correlated and handled like a SYMPTOM event
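The rule from the “simple correlation rule” slide and the engine behavior listed above, as an added Python sketch (an illustration written for this page, not HP's implementation or code from the deck). The CI names, the `Event` fields and the reading of a “duplicate” CAUSE as one on the same CI are assumptions; the window opens at the first unmatched candidate event and Auto Extend Mode is not modelled.

```python
from dataclasses import dataclass
WINDOW_S = 16 * 60  # default correlation time window from the slides (16 minutes)

@dataclass
class Event:
    id: str
    ci: str             # CI the event resolves to
    eti: str            # "<ETI name>:<ETI value>"
    ts: int             # arrival time in seconds
    cause_id: str = ""  # id of the CAUSE event once this event is a SYMPTOM

def connected(topo, a, b):
    """True if CI b is reachable from CI a over any relationship path."""
    seen, stack = set(), [a]
    while stack:
        node = stack.pop()
        if node == b:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(topo.get(node, ()))
    return False

def correlate(events, cause, symptoms, topo, ci_type, window_s=WINDOW_S):
    """Apply one rule; return {symptom event id: cause event id}."""
    kind = lambda e: (ci_type[e.ci], e.eti)
    # An event already marked SYMPTOM of another CAUSE is ignored by this rule.
    cand = sorted((e for e in events if not e.cause_id
                   and (kind(e) == cause or kind(e) in symptoms)), key=lambda e: e.ts)
    i = 0
    while i < len(cand):
        group = [e for e in cand[i:] if e.ts - cand[i].ts <= window_s]  # one window
        i += len(group)
        root = next((e for e in group if kind(e) == cause), None)  # any arrival order
        for ev in group if root else ():
            dup = kind(ev) == cause and ev.ci == root.ci  # assumption: same CI
            if ev is not root and (dup or (kind(ev) in symptoms
                                           and connected(topo, root.ci, ev.ci))):
                ev.cause_id = root.id
    return {e.id: e.cause_id for e in events if e.cause_id}

def demo():
    """Constructed sample: router r1 serves computer c1; c3 is unrelated."""
    topo = {"r1": ["c1"], "c1": ["r1"], "c3": []}
    ci_type = {"r1": "Router", "c1": "Computer", "c3": "Computer"}
    ping, link = "PingAvailability:Unavailable", "LinkStatus:Down"
    events = [Event("e1", "c1", ping, 0), Event("e2", "r1", link, 60),
              Event("e3", "c3", ping, 90), Event("e4", "r1", link, 300),
              Event("e5", "c1", ping, 2000)]
    return correlate(events, ("Router", link), [("Computer", ping)], topo, ci_type)
```

In the sample, e1 arrives before its cause and is still marked, e3 is left alone because c3 has no path to r1, e4 is the duplicate CAUSE, and e5 falls outside the 16-minute window.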
Browser-related behavior
– If a CAUSE event is assigned to an operator:
• Default: Assignment propagates to SYMPTOM events
• option: no propagation
– If the lifecycle state of CAUSE event is changed:
• Default: new lifecycle state propagates to SYMPTOM events
• option 1: Disable propagation except for “Close” operation
• option 2: Disable propagation but “Close” operation unrelates SYMPTOMs
– If a SYMPTOM event arrives after a CAUSE event is closed:
• Default: Any SYMPTOM events will be correlated (and also closed) until the current correlation window expires
• option: no correlation, SYMPTOM event is not closed
Correlation behavior is configured in Platform Settings
Correlation Window – Auto Extend Mode
[Figure: two timelines along a “Time” axis. Panel “Auto Extend Mode = False”: Event, Cause Event, Symptom Event, Correlation Window. Panel “Auto Extend Mode = True (default)”: Event, Cause Event, Correlation Window, Extended Correlation Window, two Symptom Events.]
OMi event pipeline
[Diagram: OMi event pipeline. Labelled components: Run Time Service Model, Indicator Manager, Correlation Manager, Content Manager, BSM Platform, OMi Browser, Health, Admin. Pipeline steps: Event to CI Mapping; Event to ETI Mapping; Event Correlation; if configured, attach HI-Value to CI; KPI calculation. Annotation: View, create and modify correlation rules. Data labels on the flows: Events, Event, CI, ETI Value, HI Value, KPIs.]
Using the Correlation Manager
Correlation Manager
– Define, deploy, and manage correlation rules
• Visualize the topology of correlation rules
• View CAUSE and SYMPTOM events in rules
• View assigned and available Event Type Indicators and their values
• Browse the hierarchy of cross-domain correlation rules
– Access to Correlation Manager is controlled by user role settings
Correlation Manager UI
[Screenshot of the Correlation Manager UI with callouts:]
– List of rules currently defined
– CI type topology of selected rule
– Causes and symptoms of selected rule
– Available ETIs of selected CI type
What you need to know
– working knowledge of CI Types and the BSM type model
– working knowledge of UCMDB Views
– understanding of Event Type Indicators
– detailed knowledge of the events which you want to correlate
• event domain (networking, database, storage, etc.)
• ETIs specified in the events
• event relationships (Cause, Symptom)
Creating TBEC rules
Basic workflow sequence
1. Create new rule using the * button
2. Define rule properties (name, description, time window, etc.)
3. Select a topology (UCMDB) view which includes the CI Types and relationships you want to use in the rule
4. Define CAUSE event(s):
• Select a CI Type in the View
• Select an ETI and ETI value from the list of available ETIs and “Add as a Cause”
5. Define SYMPTOM event(s):
• Select a CI Type in the View
• Select an ETI and ETI value from the list of available ETIs and “Add as a Symptom”
6. Correlation Manager highlights the shortest relationship path
• If a different path is desired, select the appropriate relationship connectors
Completing rule definition
[Screenshot of a rule being completed in the Correlation Manager, with callouts:]
– Rule is valid
– Save when finished
– Relations between cause and symptom CI type are automatically added
– After saving, visualized rule topology is simplified
Automatic cross-domain correlation
Chaining of correlation rules
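[Diagram: rules chained across three domains, each node labelled with a CI Type and an ETI:value. App Server Domain: WebApp. Database Domain: Database Instance, Tablespace. Storage Domain: Logical Volume, Storage Server, Physical Disk. ETI:value labels shown: TXAvail:Unavailable, StorageCapacity:Critical, Utilization:Full, Quota:Exceeded.]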
Relations between correlation rules
– Triggered rules are connected (chained together) at runtime when they include a Cause or Symptom event that
• resolves to the exact same CI
• and has the exact same ETI and ETI value
– Chaining is automatic; no configuration is required
– Rules can trigger in any sequence
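How chaining joins single-domain rules into one cross-domain cause, as an added Python sketch (an illustration for this page, not OMi code). The CI ids and the pairing of each ETI with a CI are constructed from the labels in the chaining diagram; the `chain` function and its input shape are assumptions.

```python
def chain(triggered):
    """Link triggered rules that share an event key (CI id, "ETI:value").

    triggered: [(cause_key, [symptom_key, ...]), ...] in any order.
    Returns {root cause key: set of direct and chained symptom keys}.
    """
    parent = {}
    for cause, symptoms in triggered:
        for s in symptoms:
            parent.setdefault(s, cause)   # a SYMPTOM keeps its first CAUSE

    def root(key):
        seen = set()
        while key in parent and key not in seen:  # stop on a rule loop
            seen.add(key)
            key = parent[key]
        return key

    trees = {}
    for key in parent:
        trees.setdefault(root(key), set()).add(key)
    return trees

# Constructed sample events; CI ids and the ETI-to-CI pairing are illustrative.
DISK = ("disk07", "Utilization:Full")
VOL = ("lvol3", "Quota:Exceeded")
TBS = ("tbs_users", "StorageCapacity:Critical")
WEB = ("shop_webapp", "TXAvail:Unavailable")

def demo_chain():
    # Three single-domain rules, triggered in no particular order.
    return chain([(TBS, [WEB]), (DISK, [VOL]), (VOL, [TBS])])
```

The three rules only meet where the symptom of one is the cause of the next on the exact same CI and ETI value, which is why the web application event ends up under the physical disk event.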
New in OMi 9.0
New features in OMi 9.0
– Manually relate selected events in browser
• CAUSE event is marked from a group of selected events
• Browser shows “Cause” and “Symptom” icons on the events
• does not create a future relationship, i.e. no correlation rule is created
• event lifecycle state changes and user assignment on CAUSE event are also marked on SYMPTOM events
– Create new correlation rule directly from selected events (Correlation Generator)
– Enhance existing correlation rule directly from selected events (Correlation Generator)
Using the Correlation Generator
Creating a rule from events
If two events often occur at the same time, and if one is always the cause... then a new correlation rule can be created by
• selecting the two events and
• selecting Create Correlation Rule from the context menu
Correlation Generator wizard
– User selects CAUSE event
– Generator retrieves relationships between cause CI and symptom CIs from model automatically
• shortest route automatically selected
– Cause and symptom ETIs from selected events automatically added
– Generates a valid correlation rule
Note: No UCMDB view required!
Correlation Rules in OMi
– OMi delivers artifacts like correlation rules, ETIs, HIs, KPIs, tool definitions, etc. using Content Packs
– Content Packs are included with OMi license
– OMi 9.0 Content Packs:
• Infrastructure (includes system, cluster and virtualization artifacts)
• Oracle
• MS SQL Server
• J2EE App Server (WebLogic, WebSphere)
• Exchange
• Active Directory
– 175+ correlation rules are provided
TBEC delivers operational efficiency
– Operators can quickly identify cause events in the browser
– Operators work on cause events instead of wasting time on multiple symptom events
– Fewer invalid escalations to cross-domain tier 2/3 specialists
– Escalations which DO occur are sent to the right specialist
– Correlation rules continue to work as the infrastructure changes since they are based on discovered topology
– Rules can be created directly from events in the browser
– Automatic “chaining” of correlation rules to cover cross-domain scenarios
– Lower cost of event/fault management
Thank you for attending!
Continue the conversation with your peers at the HP Software Community hp.com/go/swcommunity