EFe Event Management System

Efe Event Management System V.0.5

Author Description Date

Aykut Güven EFEM First Versiyon 24.01.2018

Index

Login to EFEM ................................................................................................................................................ 3

All Incidents / Problems and Events on a single screen ................................................................................ 4

Event Creation with Integrations .................................................................................................................. 6

Event Creation by Correlation ....................................................................................................................... 7

Simple Status Correlation .......................................................................................................................... 8

Complex Correlation .................................................................................................................................. 9

Event Console .............................................................................................................................................. 11

Apply Filter .............................................................................................................................................. 12

Case ..................................................................................................................................................... 15

Demand ............................................................................................................................................... 15

Solution................................................................................................................................................ 15

Login to EFEM

Run the Console application to log in to the EFEM Console. An input screen as shown below will appear.

You can log in to the system by using EFEM Manager's previously created user info on EFEM Server.

EFEM is a system running as a Client/Server. The Event Console is the Client part of the system. The

Server to which the Client to be connected must be specified on the Console. For this, you can enter the

Server information to be connected by pressing the Server button on the EFEM login screen. When the

Server button is pressed, the following screen appears.

The IP address or the Computer name of the EFEM Server to be connected must be written imto the ‘Server box’.

‘Port box’ is filled with the value of the port to be connected. Port value for EFEM is 9000.

Press ‘Save Config’ button to save the information. It is sufficient to do this once. The information is stored permanently.

If for any reason the server is to be replaced and a connection to a different EFEM Server is required, the above described operations are to be repeated.

All Incidents / Problems and Events on a single screen

With Efe Event Management (EFEM), you can easily collect all of your events on a single screen. With its

flexible structure, streaming and viewing events on EFEM is a convenience that anyone can do without

difficulty.

Thanks to EFEM's intelligent structure you will not be overwhelmed by messages, if an event was created

before, it will not be created again and again so you will be sure that every event you see on the screen is

important and there is only one.

EFEM automatically recalls the incoming events. You will then be visually alerted from the color code of

the incoming event. You can create as many windows on EFEM as you like, so you can watch incoming

events individually in each window.

With EFEM Chart type indicators, it is possible to create components like in table structure. You can see

the grouped data as Pie or Bar chart on the same screen.

A screen where you can see Chart components is shown in below. The contents are animated, so

changes made on EFEM Server are visible directly on the console.

Creating of Events at EFEM

EFEM creates events in 3 different ways.

1- Manually by operator.

2- With external systems sending information to EFEM through integration.

3- Via Correlation rules created on EFEM.

These methods will be explained later on.

Event Creation by Operator

A new event can be created manually from the by pressing the Create event button located on the

Main Menu. It is possible to open manual events based on the analysis that the operator has done on the

opened events. This creates a collaborative work environment between the teams.

Fields marked with asterisks are compulsory. The Custom Field fields on the right side of the screen are

reserved for special purposes. These special areas can be used especially if different areas are needed.

These special areas are limited to 8 pieces.

Event Hash is created by EFEM. If it is full, EFEM will not touch this area but fill it if it is empty. This field

is like the cue of the Event. If a new event is created, this event will not be created if there is an open

event similar to the Hash.

Suppression Details is a readonly section. If a message is suppressed due to Correlation, these fields are

automatically filled. Thus, the event or the rule that changes this event can be seen through this field.

Event Creation with Integrations

With EFEM’s open architecture, it is possible to create events automatically through the known and used

curl application or via REST API. Thus, you can collect your events from all your sources on EFEM.

System, Network, Application, Change, etc. ... without worrying about what your events are, you can

colletthe all easily in one source.

An example of an event with Curl is given below.

curl -H "Content-Type: application/json; charset=UTF-8" -X POST -d

"{\"EventHash\":\"\",\"Status\":\"New\",\"Source\":\"HOST_SOURCE\",\"Severity\":Warning,

\"Category\":\"Incident\",\"Message\":\"MY_FIRST_MESSAGE_TO_EFEM\",\"Details\":\"\"}"

http://EFEM_HOST_IP:9000/EventGateway/CreateEvent

Eğer curl dışında kendiniz doğrudan bir event yaratmak isterseniz. EFEM Rest API’ yi kullanabilirsiniz.

If you want to create an event directly yourself without using the curl. You can use EFEM Rest API.

http://EFEM_HOST_IP:9000/EventGateway/CreateEvent

It is enough to POST the Event in JSON format to URI. The Event thus posted should immediately drop in

the Event Console. Another way is to look at the Server Console. All incoming events appear as logs in

the Server Console.

Event Creation by Correlation

New events can be created by EFEM with the type of actions ‘Create an Event’ defined in the Complex

Correlation Rule. These are automatic Events created by EFEM in certain situations.

For example, if there are 5 open events related to a Source, create an Incident type Event related to this

Source.

In correlations of Complex Correlation Type it is possible to automatically generate a new event

depending on the circumstances. The parameters of the event to be created are entered manually. As

you can see in the above screen image.

It is possible create events and insert these events into the correlation. Thus, not only the events coming

from external systems but also the events generated by EFEM are correlated. This method makes it

possible to evolve events.

The details are explained in the Correlation module.

Event Creation with Correlation Rules

EFEM has a flexible and powerful correlation module. By analyzing incoming events, you can modify

events and create new events. You can access the correlation module with the buttons .

There are two different types of correlation. These are categorized as;

1- Simple Status Correlation

2- Complex Correlation

Simple Status Correlation

It is used to define correlation in a simple and fast way. It can be created in two different types, Node

and Event based.

Root Node indicates the source that will trigger the correlation. If an event defined as Root Node comes.

This event draws all the events for the Node given as Symptom to the state specified in Action. The same

logic applies in cases defined as Root Event and Symptom Event.

Complex Correlation

Complex Correlation is used in more comprehensive correlation needs. Queries can be written according

to all the fields in the event. As a result of these queries, more than one action can be taken.

Field explanations are given below.

Name: Correlation name. It is advisable to give meaningful names.

Time Window: The time window tells EFEM how far backwards it should look. If 0 is specified, this

parameter is disabled.

Run Every X Seconds: Correlation should be specified when running in seconds.

When: The query required to trigger correlation is written here.

And Count is> than: This field must be defined if the correlation should work for the return value of the

query ‘when’ is greater than a certain number when the result.

Impacted Events: The query should be written here for the events that the correlation will affect.

*** Test When Condition and Test The Impacted Condition buttons are used to check for typos. It is

important that you check these buttons after you have written the query.

Actions: Runs actions defined when correlation works. Each action makes some changes on events in the

background.

More than one Action can be defined in a correlation. Actions that can be defined are described below.

1- Change Status of Events

2- Create an Event

3- Send Email

4- Execute a Script

Event Console

Event Console is a table showing events. Events coming to EFEM are colored according to Severity values

and they are displayed in Event Console. More than one Event Console can be opened in an application.

Actions can be performed with the buttons located on the Event Console. These buttons are;

Create Event: Opens the Event Details form to create a manual event.

Open Details: Shows details of a selected event on the Event Console by opening the Event Details form.

Refresh Events: Updates the data in the Event Console. If it is desired to update automatically, the

option "Enable Auto Refresh" can be selected.

Delete Selected: Deletes one or more event selected.

Close Window: Closes Event Console.

Apply Filter: The Event Console has a detailed filter feature. A custom filter for each Event Console can

be instantly defined. By selecting the previously defined filters (View), events can be listed in accordance

with the specified criteria.

The Apply Filter is described in detail in the relevant section.

Apply Filter

Apply Filter Performs a critical action on the Event Console. In order to effectively manage events in the

EFEM system where many events occur, it is important to use filters or Views.

When the Apply Filter button is clicked, the below screen appears.

The user can directly write the Filter Expression to the textbox. Expressions written here are based on

the values of the event fields. For example, from the Performance events coming from Bussion machine,

show events related to the disk;

Source==”Bussion” and Category==”Performans” and Message.Contains(“Disk”)

It is enough to write such an expression.

If we look at the functions of other buttons;

Test Expression: Checks the syntax of the expression being written. It is a good practice to check the

accuracy after every expression.

Apply Filter: Written Expression is applied to the Event Console via Apply Filter.

Clear Filter: Removes an existing Filter.

Close Window: Closes the Filter window.

EFEM tanımlanmış Viewleri gösterir sadece seçerek filtre olarak uygulayabilirsiniz.

If filters are desired to be permanent, it is possible to save the filters as View and then use them only by

selecting them. It is enough to click the Save As View button and give the view a meaningful name. To

use a previously defined view, it is enough to hit the Views button. You can apply previously defined

views as filters by selecting them.

The functions of the buttons on the screen are explained below.

Open View: Event Console opens the selected View to apply.

Refresh View: Updates the view table.

Delete View: Deletes the selected View.

Close Window: Closes the window.

Access Event details with one click

You can reach the details of the event by clicking on the events that were categorized. This allows you to

see the event information in detail and/or change the status of the event.

EFEM aims to show the information in a clear format with a clean and simple screen view. The fields on

the event are automatically filled by the source from which the Event was sent.

A Sample Use Case for EFEM

Case

Sample Bank uses tracking systems of different vendors in IT infrastructure. The Server Mon software for

Servers and Application Mon software to monitor its applications. Security-related events are monitored

by Security Mon software. Incident, Problem, Change processes are managed with the ITSM tool.

Demand

Sample Bank wants to collect events of these applications in one place, create events in the Incident

category by operating the correlation rules on these collected events, and create events in the Problem

category from the events in this generated Incident category. These Incident and Problem type events

will be created by the second level technical staff who will again be registered to the ITSM tool to more

effectively identify problems.

Solution

Events from different tools will be transferred to EFEM through integrations. Thus Events from all

different sources will be collected on the EFEM system. Correlation rules to be defined on the EFEM

system will generate new events in Incident type. Problem type events will be generated by processing

the Incident type events with correlation again. These generated events will be sent back to the ITSM

tool and related records will be opened by EFEM on the ITSM tool.

Correlation rule sample

Rule 1 :

If;

When : Source==”Bankacılık Servisi” and Category==”Application” then

Action : Create an Event of the Incident Type.

Rule 2:

If;

When : Source==”Bankacılık Servisi” and Category==”Infrastructure” then

Action : Create an Event of the Incident Type.

Rule 3:

If;

When : Source==”Bankacılık Servisi” Category==”Incident” more than 1 then

Action : Create an Event of the Problem Type.

The Banking Service is consisting of both software and hardware. Hundreds of events related to this

Service are reduced to more refined Incident events with the help of correlation. Incident events are

reduced to a single Problem Event event at the end of the day. Thus, the analysis of the events is done

automatically with an intelligent system and a serious work load is taken over the operation. At the same

time critical situations are detected in advance and a service interruption is prevented.