EFe Event Management System
Efe Event Management System V.0.5
Author        Description          Date
Aykut Güven   EFEM First Version   24.01.2018
Index
Login to EFEM
All Incidents / Problems and Events on a single screen
Event Creation with Integrations
Event Creation by Correlation
    Simple Status Correlation
    Complex Correlation
Event Console
    Apply Filter
A Sample Use Case for EFEM
    Case
    Demand
    Solution
Login to EFEM
Run the Console application to log in to the EFEM Console. An input screen as shown below will appear.
You can log in to the system by using EFEM Manager's previously created user info on EFEM Server.
EFEM is a system running as a Client/Server. The Event Console is the Client part of the system. The
Server to which the Client to be connected must be specified on the Console. For this, you can enter the
Server information to be connected by pressing the Server button on the EFEM login screen. When the
Server button is pressed, the following screen appears.
The IP address or the computer name of the EFEM Server to be connected must be written into the ‘Server’ box.
The ‘Port’ box is filled with the port to be connected to. The port value for EFEM is 9000.
Press ‘Save Config’ button to save the information. It is sufficient to do this once. The information is stored permanently.
If for any reason the server is to be replaced and a connection to a different EFEM Server is required, the above described operations are to be repeated.
All Incidents / Problems and Events on a single screen
With Efe Event Management (EFEM), you can easily collect all of your events on a single screen. Thanks to its
flexible structure, streaming and viewing events on EFEM is something anyone can do without difficulty.
Thanks to EFEM's intelligent structure you will not be overwhelmed by messages: if an event was created
before, it will not be created again and again, so you can be sure that every event you see on the screen is
important and appears only once.
EFEM automatically retrieves incoming events, and the color code of each incoming event alerts you visually.
You can create as many windows on EFEM as you like, so you can watch incoming events individually in each
window.
With EFEM's Chart type indicators, it is possible to create components just as in the table structure. You can
see the grouped data as a Pie or Bar chart on the same screen.
A screen where Chart components can be seen is shown below. The contents are animated, so changes made
on the EFEM Server are visible directly on the console.
Creating of Events at EFEM
EFEM creates events in 3 different ways.
1- Manually by operator.
2- With external systems sending information to EFEM through integration.
3- Via Correlation rules created on EFEM.
These methods will be explained later on.
Event Creation by Operator
A new event can be created manually by pressing the Create Event button located on the Main Menu. It is
possible to open manual events based on the analysis that the operator has done on the already opened
events. This creates a collaborative work environment between the teams.
Fields marked with asterisks are compulsory. The Custom Field fields on the right side of the screen are
reserved for special purposes and can be used whenever additional fields are needed. There are at most 8
custom fields.
Event Hash is created by EFEM. If the field is already filled, EFEM will not touch it; if it is empty, EFEM fills
it. This field acts as the key of the Event: when a new event is created, it will not be created if an open event
with the same Hash already exists.
Suppression Details is a read-only section. If a message is suppressed due to Correlation, these fields are
filled automatically, so the event or the rule that changed this event can be seen through this field.
Event Creation with Integrations
With EFEM’s open architecture, it is possible to create events automatically through the well-known curl
application or via the REST API. Thus, you can collect your events from all your sources on EFEM. System,
Network, Application, Change, etc.: without worrying about what kind of events they are, you can collect
them all easily in one place.
An example of an event with Curl is given below.
curl -H "Content-Type: application/json; charset=UTF-8" -X POST \
  -d "{\"EventHash\":\"\",\"Status\":\"New\",\"Source\":\"HOST_SOURCE\",\"Severity\":\"Warning\",\"Category\":\"Incident\",\"Message\":\"MY_FIRST_MESSAGE_TO_EFEM\",\"Details\":\"\"}" \
  http://EFEM_HOST_IP:9000/EventGateway/CreateEvent
If you want to create an event directly without using curl, you can use the EFEM REST API.
http://EFEM_HOST_IP:9000/EventGateway/CreateEvent
It is enough to POST the Event in JSON format to this URI. The Event posted this way should immediately
appear in the Event Console. Another way to check is to look at the Server Console: all incoming events
appear there as logs.
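The following is an added example (not code from the EFEM project) that covers both the REST/curl integration above and the Event Hash deduplication described under Event Creation by Operator. It builds the same JSON body the curl command sends, refuses an incomplete one, and models the server-side rule that an event whose hash matches an open event is not created again. The gateway URL is the page's placeholder, the list of required fields and the way the hash is derived from Source, Category and Message are assumptions, and the injectable transport exists only so the sender can be exercised without a server.

```python
import hashlib
import json
from typing import Callable, Dict, List, Optional

# Placeholder gateway address from the page; EFEM_HOST_IP is not a real host.
GATEWAY_URL = "http://EFEM_HOST_IP:9000/EventGateway/CreateEvent"
# Field names follow the page's curl example. Which fields the server actually
# requires beyond the asterisked ones in the form is an assumption here.
REQUIRED = ("Status", "Source", "Severity", "Category", "Message")
Event = Dict[str, str]


def build_event(source: str, category: str, message: str, severity: str = "Warning",
                status: str = "New", details: str = "", event_hash: str = "") -> Event:
    """Assemble the JSON body shown on the page and refuse an incomplete one."""
    event = {"EventHash": event_hash, "Status": status, "Source": source,
             "Severity": severity, "Category": category, "Message": message,
             "Details": details}
    missing = [name for name in REQUIRED if not event[name]]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    return event


def fill_hash(event: Event) -> Event:
    """Page rule: a non-empty EventHash is left alone, an empty one is filled in.
    Deriving it from Source, Category and Message is this example's assumption;
    the page does not say how EFEM computes it."""
    if not event["EventHash"]:
        key = "|".join((event["Source"], event["Category"], event["Message"]))
        event["EventHash"] = hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]
    return event


class EventStore:
    """In-memory stand-in for the server-side check: an event whose hash matches
    an open event is not created again."""

    def __init__(self) -> None:
        self.events: List[Event] = []

    def create(self, event: Event) -> bool:
        fill_hash(event)
        for existing in self.events:
            if existing["EventHash"] == event["EventHash"] and existing["Status"] != "Closed":
                return False  # suppressed as a duplicate of an open event
        self.events.append(event)
        return True


def to_json(event: Event) -> str:
    return json.dumps(event, ensure_ascii=False)


def from_json(text: str) -> Event:
    return json.loads(text)


def post_event(event: Event, url: str = GATEWAY_URL,
               transport: Optional[Callable[[str, bytes, Dict[str, str]], int]] = None) -> int:
    """POST the event as JSON with the same header as the curl command on the page.
    `transport` lets a caller swap in a fake sender so the function can be
    exercised without an EFEM server; the default uses urllib."""
    body = to_json(event).encode("utf-8")
    headers = {"Content-Type": "application/json; charset=UTF-8"}
    if transport is not None:
        return transport(url, body, headers)
    import urllib.request
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:  # plain HTTP, as on the page
        return resp.status


if __name__ == "__main__":
    first = build_event("HOST_SOURCE", "Incident", "MY_FIRST_MESSAGE_TO_EFEM")
    print(to_json(fill_hash(first)))
```

Note that the gateway in the page's example accepts plain HTTP on port 9000 with nothing in the request that identifies the sender, so anything that can reach that port can create events. Limiting network access to the gateway to the monitoring hosts that are supposed to send events, and treating the Source and Message fields as untrusted input on the console side, are the practical consequences.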
Event Creation by Correlation
New events can be created by EFEM with the type of actions ‘Create an Event’ defined in the Complex
Correlation Rule. These are automatic Events created by EFEM in certain situations.
For example, if there are 5 open events related to a Source, create an Incident type Event related to this
Source.
In correlations of the Complex Correlation type it is possible to automatically generate a new event
depending on the circumstances. The parameters of the event to be created are entered manually, as
can be seen in the screen image above.
It is possible to create events and feed these events back into the correlation. Thus, not only the events
coming from external systems but also the events generated by EFEM are correlated. This method makes
it possible to evolve events.
The details are explained in the Correlation module.
Event Creation with Correlation Rules
EFEM has a flexible and powerful correlation module. By analyzing incoming events, you can modify
events and create new events. You can access the correlation module with the correlation buttons.
There are two different types of correlation. These are categorized as;
1- Simple Status Correlation
2- Complex Correlation
Simple Status Correlation
It is used to define correlation in a simple and fast way. It can be created in two different types, Node
based and Event based.
The Root Node indicates the source that will trigger the correlation. When an event from the Node defined
as Root Node arrives, it moves all the events of the Node given as Symptom to the state specified in Action.
The same logic applies to definitions made as Root Event and Symptom Event.
Complex Correlation
Complex Correlation is used in more comprehensive correlation needs. Queries can be written according
to all the fields in the event. As a result of these queries, more than one action can be taken.
Field explanations are given below.
Name: Correlation name. It is advisable to give meaningful names.
Time Window: Tells EFEM how far back in time it should look. If 0 is specified, this parameter is disabled.
Run Every X Seconds: How often, in seconds, the correlation runs.
When: The query that triggers the correlation is written here.
And Count is > than: Define this field if the correlation should only run when the number of results
returned by the ‘When’ query is greater than the given number.
Impacted Events: The query for the events that the correlation will affect is written here.
*** The Test When Condition and Test The Impacted Condition buttons are used to check for typos. It is
important that you use these buttons after you have written the query.
Actions: Runs actions defined when correlation works. Each action makes some changes on events in the
background.
More than one Action can be defined in a correlation. Actions that can be defined are described below.
1- Change Status of Events
2- Create an Event
3- Send Email
4- Execute a Script
Event Console
Event Console is a table showing events. Events coming to EFEM are colored according to Severity values
and they are displayed in Event Console. More than one Event Console can be opened in an application.
Actions can be performed with the buttons located on the Event Console. These buttons are;
Create Event: Opens the Event Details form to create a manual event.
Open Details: Shows details of a selected event on the Event Console by opening the Event Details form.
Refresh Events: Updates the data in the Event Console. If it is desired to update automatically, the
option "Enable Auto Refresh" can be selected.
Delete Selected: Deletes one or more selected events.
Close Window: Closes Event Console.
Apply Filter: The Event Console has a detailed filter feature. A custom filter for each Event Console can
be instantly defined. By selecting the previously defined filters (View), events can be listed in accordance
with the specified criteria.
The Apply Filter is described in detail in the relevant section.
Apply Filter
Apply Filter Performs a critical action on the Event Console. In order to effectively manage events in the
EFEM system where many events occur, it is important to use filters or Views.
When the Apply Filter button is clicked, the below screen appears.
The user can write the Filter Expression directly into the textbox. Expressions written here are based on
the values of the event fields. For example, to show only the disk-related events among the Performance
events coming from the Bussion machine, it is enough to write an expression such as:
Source=="Bussion" and Category=="Performans" and Message.Contains("Disk")
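As an added illustration (not code from the EFEM product) of how a console can evaluate an expression like the one above safely, the following compiles the page's filter syntax into a predicate with a small recursive parser instead of handing the string to eval(). It supports `Field=="value"`, `Field!="value"`, `Field.Contains("value")` and clauses joined with `and`; `!=` and the added `StartsWith` are assumptions beyond what the page shows, and the sample events are constructed. Anything outside that grammar is rejected, which is the check the Test Expression button performs.

```python
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]
Predicate = Callable[[Event], bool]

# One clause: Field=="value", Field!="value", Field.Contains("value") or
# Field.StartsWith("value"). Only == and Contains appear on the page; the
# other two are assumed extensions.
CLAUSE = re.compile(
    r'\s*(?P<field>[A-Za-z_]\w*)'
    r'(?:\s*(?P<op>==|!=)\s*"(?P<val>[^"]*)"'
    r'|\.(?P<fn>Contains|StartsWith)\(\s*"(?P<arg>[^"]*)"\s*\))\s*'
)
AND = re.compile(r'and\s+', re.IGNORECASE)


def _compile_clause(m) -> Predicate:
    field = m.group("field")
    if m.group("op"):
        op, val = m.group("op"), m.group("val")
        if op == "==":
            return lambda e: str(e.get(field, "")) == val
        return lambda e: str(e.get(field, "")) != val
    fn, arg = m.group("fn"), m.group("arg")
    if fn == "Contains":
        return lambda e: arg in str(e.get(field, ""))
    return lambda e: str(e.get(field, "")).startswith(arg)


def parse_filter(expr: str) -> Predicate:
    """Compile a filter expression into a predicate. Input outside the grammar
    above ('or', parentheses, arbitrary code) raises SyntaxError, so a
    user-written filter is never executed as code."""
    clauses: List[Predicate] = []
    pos = 0
    while True:
        m = CLAUSE.match(expr, pos)
        if not m:
            raise SyntaxError(f"unexpected input at offset {pos}: {expr[pos:pos + 20]!r}")
        clauses.append(_compile_clause(m))
        pos = m.end()
        if pos >= len(expr):
            break
        a = AND.match(expr, pos)
        if not a:
            raise SyntaxError(f"expected 'and' at offset {pos}: {expr[pos:pos + 20]!r}")
        pos = a.end()
    return lambda e: all(c(e) for c in clauses)


def check_expression(expr: str) -> Optional[str]:
    """What the Test Expression button does: None if the syntax is fine, else the error."""
    try:
        parse_filter(expr)
    except SyntaxError as err:
        return str(err)
    return None


def filter_events(events: List[Event], expr: str) -> List[Event]:
    """What Apply Filter does: keep only the events the expression matches."""
    keep = parse_filter(expr)
    return [e for e in events if keep(e)]


# Constructed sample events (not taken from the page).
SAMPLE_EVENTS: List[Event] = [
    {"Source": "Bussion", "Category": "Performans", "Message": "Disk C: 95% full"},
    {"Source": "Bussion", "Category": "Performans", "Message": "CPU load high"},
    {"Source": "Other", "Category": "Performans", "Message": "Disk D: 90% full"},
]

if __name__ == "__main__":
    expr = 'Source=="Bussion" and Category=="Performans" and Message.Contains("Disk")'
    for ev in filter_events(SAMPLE_EVENTS, expr):
        print(ev["Message"])
```

The reason for a dedicated parser rather than a general expression engine is that the filter text comes from whoever is logged into the console; restricting it to field comparisons means a typo or a hostile expression can at worst match nothing.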
If we look at the functions of other buttons;
Test Expression: Checks the syntax of the expression being written. It is a good practice to check the
accuracy after every expression.
Apply Filter: Written Expression is applied to the Event Console via Apply Filter.
Clear Filter: Removes an existing Filter.
Close Window: Closes the Filter window.
EFEM shows the defined Views; you can apply them as filters just by selecting them.
If filters are desired to be permanent, it is possible to save the filters as View and then use them only by
selecting them. It is enough to click the Save As View button and give the view a meaningful name. To
use a previously defined view, it is enough to hit the Views button. You can apply previously defined
views as filters by selecting them.
The functions of the buttons on the screen are explained below.
Open View: Opens the selected View in the Event Console and applies it.
Refresh View: Updates the view table.
Delete View: Deletes the selected View.
Close Window: Closes the window.
Access Event details with one click
You can reach the details of an event by clicking on it in the list. This allows you to see the event
information in detail and/or change the status of the event.
EFEM aims to show the information in a clear format with a clean and simple screen view. The fields on
the event are automatically filled by the source from which the Event was sent.
A Sample Use Case for EFEM
Case
Sample Bank uses monitoring systems from different vendors in its IT infrastructure: the Server Mon
software for servers and the Application Mon software to monitor its applications. Security-related events
are monitored by the Security Mon software. Incident, Problem and Change processes are managed with the ITSM tool.
Demand
Sample Bank wants to collect the events of these applications in one place, create Incident category
events by running correlation rules on the collected events, and create Problem category events from
the generated Incident events. These Incident and Problem type events will in turn be registered in the
ITSM tool, so that the second level technical staff can identify problems more effectively.
Solution
Events from different tools will be transferred to EFEM through integrations. Thus Events from all
different sources will be collected on the EFEM system. Correlation rules to be defined on the EFEM
system will generate new events in Incident type. Problem type events will be generated by processing
the Incident type events with correlation again. These generated events will be sent back to the ITSM
tool and related records will be opened by EFEM on the ITSM tool.
Correlation rule sample
Rule 1:
If;
When : Source=="Bankacılık Servisi" and Category=="Application" then
Action : Create an Event of the Incident Type.
Rule 2:
If;
When : Source=="Bankacılık Servisi" and Category=="Infrastructure" then
Action : Create an Event of the Incident Type.
Rule 3:
If;
When : Source=="Bankacılık Servisi" and Category=="Incident" and Count is more than 1 then
Action : Create an Event of the Problem Type.
The Banking Service consists of both software and hardware. Hundreds of events related to this Service
are reduced to more refined Incident events with the help of correlation, and the Incident events are
reduced to a single Problem Event at the end of the day. Thus the analysis of the events is done
automatically by an intelligent system and a serious workload is taken off the operations team. At the
same time critical situations are detected in advance and a service interruption is prevented.
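The following is an added example, not EFEM's own code, that models the Complex Correlation fields described earlier (When, And Count is > than, Time Window, Impacted Events, Actions) and runs the three rules of the use case above over a constructed set of events. The When and Impacted queries are written as Python predicates rather than EFEM's query strings, the "Change Status of Events" action records the rule name in a single SuppressionDetails field (an assumption about how the read-only Suppression Details section is populated), and the hash "<rule>:<source>" given to rule-created events is this example's way of keeping a rule from opening the same Incident or Problem twice.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]
Predicate = Callable[[Event], bool]
Action = Callable[..., Tuple[str, int]]


@dataclass
class Rule:
    name: str
    when: Predicate                       # the "When" query
    impacted: Optional[Predicate] = None  # the "Impacted Events" query; defaults to the When matches
    count_gt: Optional[int] = None        # "And Count is > than"; None disables it
    time_window: int = 0                  # seconds to look back; 0 disables it
    actions: List[Action] = field(default_factory=list)


class Store:
    """Event table with the page's dedupe rule: same EventHash as an open event -> not created."""

    def __init__(self) -> None:
        self.events: List[Event] = []

    def open_events(self) -> List[Event]:
        return [e for e in self.events if e["Status"] != "Closed"]

    def create(self, ev: Event) -> bool:
        if ev["EventHash"] and any(o["EventHash"] == ev["EventHash"] for o in self.open_events()):
            return False
        self.events.append(ev)
        return True


def make_event(source: str, category: str, message: str, t: int, severity: str = "Warning") -> Event:
    return {"EventHash": "", "Status": "New", "Source": source, "Severity": severity,
            "Category": category, "Message": message, "Details": "", "Time": t,
            "SuppressionDetails": ""}  # single SuppressionDetails field is an assumption


def run_rule(store: Store, rule: Rule, now: int) -> List[Tuple[str, int]]:
    """One scheduled pass of a rule (what 'Run Every X Seconds' would trigger)."""
    window = store.open_events()
    if rule.time_window:
        window = [e for e in window if now - e["Time"] <= rule.time_window]
    matched = [e for e in window if rule.when(e)]
    if not matched or (rule.count_gt is not None and len(matched) <= rule.count_gt):
        return []
    impacted = [e for e in window if rule.impacted(e)] if rule.impacted else matched
    return [action(store, rule, matched, impacted, now) for action in rule.actions]


def create_event(category: str, severity: str) -> Action:
    """Action 'Create an Event': one per distinct Source among the matched events."""
    def action(store, rule, matched, impacted, now):
        created = 0
        for source in sorted({str(e["Source"]) for e in matched}):
            ev = make_event(source, category, f"{rule.name}: {category} for {source}", now, severity)
            ev["EventHash"] = f"{rule.name}:{source}"  # assumed key; blocks a second copy while open
            created += store.create(ev)
        return ("create", created)
    return action


def change_status(new_status: str) -> Action:
    """Action 'Change Status of Events': applied to the impacted events, recording the rule."""
    def action(store, rule, matched, impacted, now):
        for e in impacted:
            e["Status"] = new_status
            e["SuppressionDetails"] = f"status set to {new_status} by {rule.name}"
        return ("status", len(impacted))
    return action


BANK = "Bankacılık Servisi"
RULES = [
    Rule("Rule 1", when=lambda e: e["Source"] == BANK and e["Category"] == "Application",
         actions=[create_event("Incident", "Major"), change_status("Correlated")]),
    Rule("Rule 2", when=lambda e: e["Source"] == BANK and e["Category"] == "Infrastructure",
         actions=[create_event("Incident", "Major")]),
    Rule("Rule 3", when=lambda e: e["Source"] == BANK and e["Category"] == "Incident",
         count_gt=1, time_window=86400, actions=[create_event("Problem", "Critical")]),
]


def demo(now: int = 1000) -> Store:
    """Constructed sample: three application and one infrastructure event from the
    banking service plus one unrelated event, then every rule runs once."""
    store = Store()
    for i in range(3):
        store.create(make_event(BANK, "Application", f"application error {i}", now - 10 * i))
    store.create(make_event(BANK, "Infrastructure", "disk latency", now - 5))
    store.create(make_event("Other", "Application", "unrelated", now - 5))
    for rule in RULES:
        run_rule(store, rule, now)
    return store


def category_counts(store: Store) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in store.events:
        counts[str(e["Category"])] = counts.get(str(e["Category"]), 0) + 1
    return counts


if __name__ == "__main__":
    print(category_counts(demo()))  # {'Application': 4, 'Infrastructure': 1, 'Incident': 2, 'Problem': 1}
```

Running the rules a second time on the same store creates nothing new, because the Incident and Problem events are still open and carry the same hash; only when they are closed can a later pass open them again, which is the behaviour the page describes for Event Hash. The Time Window on Rule 3 is what keeps yesterday's Incidents from counting toward today's Problem.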