Event policies

This topic explains the concept of event policies and how they can be useful. For instructions on creating, editing, enabling, disabling, and deleting event policies, see Configuring event policies.

Event policies enable you to process events and set up routine event-management actions quickly and easily.

Use these policies to define actions that must be run on the occurrence of particular events and based on the conditions specified. 

Each event policy consists of:

  • Basic policy information such as the name, description, and precedence.
  • Event selection criteria, the first filter based on which incoming events are selected for further processing.
  • Time frame that is always active.
  • Built-in evaluation order for the different types of event policies configured.
  • Configuration settings that define actions that determine how the events must be processed. 

You can configure these details (except the evaluation order) while configuring an event policy.  

To view, create, edit, and delete event policies, go to Configuration Event Policies.

Event policy types

The different event policy types are:

  • Basic Enrichment: Processes events with refined slot values to make the events more meaningful.
  • Notification: Notifies users via email or incidents generated for Proactive Service Integration (PSR) about an event occurrence so that actions can be taken.
  • Suppression: Automatically drops new events matching the event selection criteria.
  • Advanced Enrichment: Processes events with refined slot values based on advanced settings and the defined policy workflow.
  • Time Based: Processes events with refined slot values after a scheduled duration of time and based on the advanced settings and the defined policy workflow. 
  • Correlation: Correlates and combines multiple matching events into a single aggregated event. 

Policy evaluation order for processing events

In general, events flow through phases based on certain built-in rules. Each phase represents a logical state of processing.

The event policy types and blackout policies are associated with a particular phase through which the event must flow. These policies process each incoming event one phase at a time, and evaluate each event based on the built-in rules. 

Based on the built-in rules, policies are automatically run in the following evaluation order, irrespective of the order in which they were configured.

  1. Basic enrichment policy 
  2. Blackout policy
  3. Suppression policy
  4. Advanced enrichment policy
  5. Time-based enrichment policy
  6. Correlation policy
  7. Notification policy

The policy evaluation order supersedes the precedence number specified in the various types of policies. This means, even if you configure a separate event policy for each of the types with varying precedence numbers, the policy evaluation order is used to run the policies.

However, if you have multiple event policies of different types with varying precedence numbers, then policies of the same type are run based on the precedence number specified. 

Example: Suppose you configured three notification policies, one blackout policy, and one enrichment policy with varying precedence numbers. In this scenario, the policies will be run in the following order:

  1. Basic enrichment policy
  2. Blackout policy
  3. Notification policy 1 with the highest precedence
  4. Notification policy 2 with the second-highest precedence
  5. Notification policy 3 with the third-highest precedence

In this example, the notification policies will be run based on the precedence number specified. 

Out-of-the-box policy templates

Out-of-the-box policy templates with predefined event selection criteria are available that help you to process events and set up routine event-management actions. 

You can edit and customize an out-of-the-box policy template as per your requirement. However, if you choose a different class name, the predefined advanced enrichment configurations are reset. 

By default, the policy templates are disabled. Enable the policies after you edit them as per your requirement. The out-of-the-box policy templates and their predefined criteria are explained in the following section:

  • Template for Basic and Advanced Enrichment
    Event selection criteria:
    • Class name: PATROL Event 
    • Host: server1
    Basic enrichment: This policy is applied to all open events with priority Highest and event category Problem Management
    Advanced enrichment condition 1: Extracts the hostname and checks if it is a short hostname based on the dot position. The policy replaces the instance name with the short hostname. 
    For example, if the hostname is abc.bmc.com, the instance name will be set to abc.
    Advanced enrichment condition 2: Based on the location, assign open events to specific people, and update the severity and status. For example, if the location is New York, assign the event to Mike, update the event status to Assigned and event severity to Major. If the location is Chicago, assign the event to Shiela, update the event status to Assigned and event severity to Critical.
  • Template for Closing Events and Dropping Duplicate Events
    Event selection criteria:
    • Instance name: instance1
    • Message: ServerA
    Advanced enrichment condition: When the event priority changes, close the event; Delete a new event if it is a duplicate of an existing event.
  • Template for Timeout Policy And Notification
    Event selection criteria:
    • Class name: Event
    • Hostname: Server3
    Advanced enrichment condition: If an event is open and unassigned for longer than 6 hours, update the event severity and assign it to a specific person, and send a notification to the specified email address. For example, if the event is open and unassigned for longer than 6 hours, update the event severity to Critical, assign the event to Admin, and send a notification email to abc@xyz.com.
  • Template for Event Suppression
    Event selection criteria:
    • Class name: PATROL Event
    • Message: patrolevent
    • Hostname: server2
    Basic enrichment: Drop new events matching the event selection criteria.

Where to go from here

To create, edit, enable, disable, or delete an event policy, see Configuring event policies.

To understand advanced enrichment and time-based enrichment policies, see Processing events with advanced enrichment and time-based enrichment policies.

To understand correlation policies, see Correlating events.

To understand the out-of-the-box event classes and associated slots, see Event classes and slots

Was this page helpful? Yes No Submitting... Thank you

Comments