Common Event Model for Event Orchestration
A Common Event Model (CEM) enables a consistent definition of an event. The event must contain the same format and data, regardless of its originating source. The Common Event Model, the format, and the property groups are similar to the CEM defined for TrueSight Infrastructure Management.
For a detailed understanding of the Common Event Model, see the Common Event Model in the TrueSight Infrastructure Management documentation.
Consult the following topics to understand the CEM format for the Event Orchestration run book and the property groups that are a part of the CEM format.
Sample event
The following figure shows a sample incoming event coming from TrueSight Infrastructure Management and when it is converted into a CEM format.
Tip
Use the horizontal scrollbar to view the sample events. You can also press Shift+F to view the page in a full-screen mode.
Common Event Model mappings
The following figure shows a sample event mapping configuration XML file.
The following table describes the common event model attributes that are mapped with the TrueSight Infrastructure Management events.
TrueSight Infrastructure Management event attribute | CEM event attribute | Description | CEM property groups/section |
---|---|---|---|
<mc-event-model-version> | <eventModelVersion> | Specifies the version of the Common Event Model (CEM) that is used to instantiate the event. | MetaData |
<class-name> | <eventClass> | Specifies the event class name as defined by the CEM. Internally, this is the class name that is used to create the event. Each event provider must use its own value so that specific rules can be written for the designated event provider. | |
<mc-ueid> | <eventId> | Specifies the globally unique identifier of the event. If the mc_ueid is not defined, then it is automatically generated by the main cell that receives the event. | |
<status> | <status> | Contains a list of distinct object states. The default status value is OPEN. Example:
| |
<mc-incident-report-time> | <reportTime> | Specifies the date and time when the event was reported by the reporting object | |
<mc-smc-impact> | <eventToCIAssociationType> | Indicates whether an event is elected, attached, or has an impact on a service impact management component Example values:
| |
<mc-timeout> | <timeout> | Specifies the timeout period, in seconds, after which an event is automatically closed. | |
<mc-notes> | <notes> | Contains a list of free text annotations that are added to an event. | |
<mc-history> | <propagationHistory> | Contains a list of cells and the event IDs inside each cell through which the received event flowed before it reached the current cell. An event provider can define this slot so that it can receive the synchronized events back from the cell. | |
<mc-relation-source> | <relationSource> | Contains the relationSource is required if the consumer object wants to send or receive updates. | |
<mc-owner> | <owner> | Specifies the current user assigned to the event. | |
<mc-account> | <account> | Specifies the account ID associated with the event. (This slot does not support multi-tenancy.) | |
<mc-event-category> | <situationCategory> | The Information Technology Infrastructure Library (ITIL) process that the event represents. Example values:
| SituationData |
<mc-event-subcategory> | <situationSubCategory> | The
For external events to be analyzed based on global relationships, the mc_event_subcategory slot must be set for each external event. For more information, see MC_EVENT_SUBCATEGORY enumeration in TrueSight Infrastructure Management. | |
| <situationTime> | Specifies the time when the event occurred, translated into epoch time to accommodate the requirements of the cell. Internally, the impact manager works with epoch time. Doing the translations over and over again when needed would have an impact of efficiency. Therefore, the providers are asked to calculate when the epoch time, so processing of time-related information is as optimal as possible. | |
| <priority> | Represents the importance of an event. This slot supports management functions requiring an event to be associated with a priority. Valid values in ascending order of significance are as follows:
| |
<severity> | <severity> | Represents the perceived severity of the status the event is describing with respect to the application that reports the event.
| |
<msg> | <messageSummary> | Contains a descriptive text that is part of an event. BMC recommends a terse description of the event content. | |
<mc-service> | <service> | Specifies the service or application to which the event is related. Use this slot to add contextual information about the service or application to the event. The value of this slot would be typically set by enrichment. | |
<mc-long-msg> | <messageDetail> | Contains a descriptive text that is part of an event. BMC recommends that you use this slot to convey additional relevant information about the event. Do not include any MRL rules. | |
<repeat-count> | <repeatCount> | Contains the number of times that this incident described in the event has occurred. | |
<resourceId> | <resourceId> | Specifies the unique identifier of the manageable resource on which the event has occurred. This ID is different from the BMC Atrium CMDB Reconciliation ID or the alias. Do not use the ResourceId to associate events with CIs. Instead, use the reconciliation ID or the alias. | SourceData |
<mc-smc-id> | <reconciliationId> | Specifies the identifier of a manageable resource associated with an event and is used to associate the event with a configuration item. BMC recommends that this value be the reconciliation ID value generated by the BMC Atrium CMDB. | |
<mc-smc-alias> | <alias> | Identifier of a manageable resource associated with an event. BMC recommends that this value be taken from the alias defined in the BMC Atrium CMDB. This property helps to associate the event to the configuration item. Generally, event providers supply this value with the component's alias value. | |
<mc-host> | <componentHost> | Fully qualified host name of the system on which the problem occurred. The ComponentHost is required in the ComponentHostAddress is not specified. | |
<mc-host-address> | <componentHostAddress> | Network address for the host on which the problem occurred. It can be used to supplement the value of the ComponentHost property. The ComponentHostAddress is required if the ComponentHost property is not specified. | |
<mc-location> | <location> | Location at which the source component resides. This slot provides additional contextual information for the event. | |
<mc-object-uri> | <componentURI> | Address used to cross-launch directly to the component | |
<mc-object> | <componentCaption> | Sub-component of the host to which the event is related For example, it could be the name of the disk on which the event is reporting the problem. | |
<mc-object-class> | <componentType> | Identifies the class of an object If the object class cannot be derived from the original event, it must be filled in during enrichment. | |
<mc-object-owner> | <componentOwner> | Identifies the owner of the source component | |
<mc-tool-address> | <componentHostAddress> | The network address of the Reporter | ReporterData The reporter component only reports the event, and may not be the source of the event. ReporterData is required if the reporter component and the event source component are different. If not specified, the reporter and the source are considered to be the same.
|
<mc-tool-uri> | <componentURI> | The address used to cross-launch directly to the Reporter | |
<mc-tool> | <componentCaption> | For BMC Event Management events, mc_tool represents any event that is within any value that can further distinguish where the event is coming from within an mc_tool_class value. For example, for the NT Event Log Adapter, mc_tool could be the name of the log to which the incident was logged. If the mc_tool_class is a management tool (such as PATROL or ITO), then the mc_tool must be a string that enables an action on the event to initiate a communication in context with the mc_tool . For Infrastructure Management events, mc_tool contains the fully qualified DNS name of the BMC TrueSight Infrastructure Management Server. | |
<mc-tool-class> | <componentType> | For BMC Event Management, mc_tool_class represents a user-defined categorization of the tool reporting the event. For example, the mc_tool_class value for an SNMP adapter could be SNMP . And the mc_tool_class value for an NT Event Log Adapter might be NT_EVLOG . For Infrastructure Management events, mc_tool_class contains the string PNET. | |
<mc-tool-time> | <eventTime> | Date and time (as a timestamp) when the event report was created. The ReportTime value must be read as using the time scale Coordinated Universal Time (UTC) unless a particular time zone or the value Z (Zulu time for UTC) is otherwise specified. | |
<mc-tool-rule> | <eventType> | Name of the adapter or integration mapping rule that generated the event | |
<mc-tool-source> | <reporterEventId> | Globally unique identifier of the event at the reporter. When an event is propagated, the receiving cell gets a new local identifier, but the event keeps the old universal identifier mc_ueid . | |
<mc-tool-sev> | <eventSeverity> | Severity as given by
| |
<mc-tool-suggestion> | <eventSuggestion> | The Reporter's suggested solution to the problem posed by the event. This is similar to expert advice information that other applications provide. | |
<mc-parameter> | <metricName> | Name of the metric or property that went into alarm or that triggered the event | MetricsData |
<mc-parameter-value> | <metricValue> | Actual value of the parameter | |
<mc-parameter-unit> | <metricValueUnit> | Unit description of the metric | |
<mc-parameter-threshold> | {<metricThreshold> | Threshold value that was crossed to cause the generation of the event | |
<itsm-incident-id> | <itsm-incident-id> | Incident ID in associated ITSM application. | ExtendedData Contains all event attributes that are not mapped to any specific class. |
Common event model property groups
The CEM format must contain the following property groups.
Metadata
Contains basic information about the event, including the event class, event ID and status.
<metaData>
<eventClass>PATROL_EV</eventClass>
<eventId>abc.bmc.com@192.168.0.1:3181.1524160356.2285</eventId>
<reportTimeEpoch>0</reportTimeEpoch>
<eventToCIAssociationType>IMPACTING</eventToCIAssociationType>
<propagationHistory>[bao1:19025]</propagationHistory>
</metaData>
Situation data
Contains detailed information about the event, which includes the ITIL category, sub-category, the time when the event occurred, the severity of the event and so on. The properties in the <situationData>
group do not contain information enough to determine the exact event type that is received in TrueSight Infrastructure Management. Therefore, the event is enriched in the main cell to add another property, called <eo-event-type>
in the <extendedData>
group to help identify the specific event type.
The <situationData>
group includes the following attributes:
Property | Description |
---|---|
| Specifies the enumerations in TrueSight Infrastructure Management Enriched in the main cell (in TrueSight Infrastructure Management) to help TSO event orchestration workflow framework to be generic. If the framework is generic, new use cases for new event types can be added without the need for modifying the framework workflow. |
| Specifies the enumerations in TrueSight Infrastructure Management Enriched in the main cell (in TrueSight Infrastructure Management) to help event orchestration workflow framework to be generic. |
| Stores the name of the service in the target system. In the case of ServiceDown use case, it can be a service name or a short form of a process that is being monitored. |
<situationData>
<situationCategory>AVAILABILITY_MANAGEMENT</situationCategory>
<situationSubCategory>APPLICATION</situationSubCategory>
<situationTime>1524160373</situationTime>
<severity>CRITICAL</severity>
<situationTimeEpoch>0</situationTimeEpoch>
<service>repo</service>
<messageSummary>ProcessCount for NUK_Process/repo is in ALARM current value is 0.000000</messageSummary>
</situationData>
Source data
The source data property group contains properties related to a component where the event has occurred. Properties such as the host name and the host address of the source of the event are displayed.
<sourceData>
<componentHost>abcd.bmc.com</componentHost>
<componentHostAddress>192.168.0.1</componentHostAddress>
<location />
<componentCaption>repo</componentCaption>
<componentType>NUK_Process</componentType>
</sourceData>
Reporter data
The reporter data property group contains the properties related to the component that has reported the event.
Note
If the <reporterData>
is not included in the event, then it is assumed that the source component (where the event took place) and the reporter component (which reported the event) is the same.
The reporter data group includes the following attributes:
Property | Description |
---|---|
<componentCaption> | Specifies the host address of the component that has reported the event. |
<componentType> | Specifies the type of the component that has reported the event. For example, PATROL agent. |
<eventTime> | Specifies the time when the event occurred (in an epoch time format). |
<reporterData>
<componentCaption>abc.bmc.com:3181</componentCaption>
<componentType>PATROL Agent</componentType>
<eventTime>1524160373</eventTime>
</reporterData>
Metrics data
When a PATROL Agent reports an event, threshold values are stored in the metrics section. The properties include metric name, metric value, metric value unit, and metric threshold.
<metricsData>
<metricName>ProcessCount</metricName>
<metricValue>0.000000</metricValue>
</metricsData>
Extended data
Contains information about the event that is not captured in the property groups described in the earlier section.
The extended data group includes the following attributes:
Property | Description |
---|---|
<nameValueList> | Contains a list of <nameValue> properties. |
<nameValue> | Contains <name> and <value> pairs for the properties of an event. |
<name> | Specifies the name of the property for the event. For example, |
<value> | Specifies the value for the corresponding For example, |
<extendedData>
<nameValueList>
<nameValue>
<name>cell-name</name>
<value>bao1</value>
</nameValue>
<nameValue>
<name>date</name>
<value>20180419232253.000000+330</value>
</nameValue>
<nameValue>
<name>p-origin</name>
<value>NUK_Process.repo.ProcessCount</value>
</nameValue>
<nameValue>
<name>mc-origin-sev</name>
<value>4</value>
</nameValue>
<nameValue>
<name>event-identification-type</name>
<value>Internal</value>
</nameValue>
<nameValue>
<name>p-owner</name>
<value>Patrol</value>
</nameValue>
<nameValue>
<name>p-class</name>
<value>11</value>
</nameValue>
<nameValue>
<name>mc-modhist</name>
<value>[bao1]</value>
</nameValue>
<nameValue>
<name>p-expectancy</name>
<value>STORED</value>
</nameValue>
<nameValue>
<name>p-instance</name>
<value>repo</value>
</nameValue>
<nameValue>
<name>mc-origin-key</name>
<value>2285</value>
</nameValue>
<nameValue>
<name>p-source-id</name>
<value>2285</value>
</nameValue>
<nameValue>
<name>date-reception</name>
<value>1524160373</value>
</nameValue>
<nameValue>
<name>p-agent</name>
<value>abc.bmc.com</value>
</nameValue>
<nameValue>
<name>p-handler</name>
<value>Patrol</value>
</nameValue>
<nameValue>
<name>p-agent-port</name>
<value>3181</value>
</nameValue>
<nameValue>
<name>p-agent-version</name>
<value>V11.0.00i</value>
</nameValue>
<nameValue>
<name>eo-event-type</name>
<value>ServiceDown</value>
</nameValue>
<nameValue>
<name>p-type</name>
<value>ALARM</value>
</nameValue>
<nameValue>
<name>mc-local-reception-time</name>
<value>1524160400</value>
</nameValue>
<nameValue>
<name>mc-origin-class</name>
<value>PATROL Agent</value>
</nameValue>
<nameValue>
<name>p-args</name>
<value>[Alarm #1, global, ProcessCount, NUK_Process.repo, 0, 0.00, 0]</value>
</nameValue>
<nameValue>
<name>p-catalog</name>
<value>0</value>
</nameValue>
<nameValue>
<name>mc-arrival-time</name>
<value>1524160400</value>
</nameValue>
<nameValue>
<name>p-status</name>
<value>OPEN</value>
</nameValue>
<nameValue>
<name>p-application</name>
<value>NUK_Process</value>
</nameValue>
<nameValue>
<name>mc-origin</name>
<value>abc.bmc.com:3181</value>
</nameValue>
<nameValue>
<name>mc-date-modification</name>
<value>1524160400</value>
</nameValue>
<nameValue>
<name>mc-host-class</name>
<value>LinuxRed Hat Enterprise Linux Server release 6.9 (Santiago)</value>
</nameValue>
<nameValue>
<name>p-agent-address</name>
<value>192.168.0.1</value>
</nameValue>
<nameValue>
<name>p-node</name>
<value>abc.bmc.com</value>
</nameValue>
<nameValue>
<name>itsm-incident-id</name>
<value>INC000000000453</value>
</nameValue>
</nameValueList>
</extendedData>
Where to go from here
After understanding the CEM format and how it works, you can now start using the run book. For more information, see Using the Event Orchestration run book.
Comments
Log in or register to comment.