Common Event Model for Event Orchestration

A Common Event Model (CEM) enables a consistent definition of an event. The event must contain the same format and data, regardless of its originating source. The Common Event Model, the format, and the property groups are similar to the CEM defined for TrueSight Infrastructure Management.

For a detailed understanding of the Common Event Model, see the Common Event Model Open link in the TrueSight Infrastructure Management documentation.

Consult the following topics to understand the CEM format for the Event Orchestration run book and the property groups that are a part of the CEM format.

Sample event

The following figure shows a sample incoming event coming from TrueSight Infrastructure Management and when it is converted into a CEM format.

Tip

Use the horizontal scrollbar to view the sample events. You can also press Shift+F to view the page in a full-screen mode.

Click here to view the sample event data coming from TrueSight Infrastructure Management server

Sample event

<event>
  <cell-name>MainCEll</cell-name>
  <class-name>PATROL_EV</class-name>
  <date><![CDATA[20180419140507.000000+330]]></date>
  <msg><![CDATA[ServiceStatus for NT_SERVICES/SERVICES_TBS is in ALARM current value is 3.000000]]></msg>
  <p-origin><![CDATA[NT_SERVICES.SERVICES_TBS.ServiceStatus]]></p-origin>
  <mc-service><![CDATA[TBS]]></mc-service>
  <mc-origin-sev><![CDATA[4]]></mc-origin-sev>
  <event-identification-type><![CDATA[Internal]]></event-identification-type>
  <mc-tool-class><![CDATA[PATROL Agent]]></mc-tool-class>
  <p-owner><![CDATA[Patrol]]></p-owner>
  <p-class><![CDATA[11]]></p-class>
  <mc-parameter-value><![CDATA[3.000000]]></mc-parameter-value>
  <mc-parameter><![CDATA[ServiceStatus]]></mc-parameter>
  <mc-modhist><![CDATA[[bao1]]]></mc-modhist>
  <p-expectancy><![CDATA[STORED]]></p-expectancy>
  <p-instance><![CDATA[SERVICES_TBS]]></p-instance>
  <mc-origin-key><![CDATA[63966]]></mc-origin-key>
  <mc-object><![CDATA[SERVICES_TBS]]></mc-object>
  <mc-tool-time><![CDATA[1524126907]]></mc-tool-time>
  <p-source-id><![CDATA[63966]]></p-source-id>
  <mc-smc-impact><![CDATA[IMPACTING]]></mc-smc-impact>
  <mc-host-address><![CDATA[10.00.00.00]]></mc-host-address>
  <date-reception><![CDATA[1524126907]]></date-reception>
  <p-agent><![CDATA[TargetHostFQDN]]></p-agent>
  <p-handler><![CDATA[Patrol]]></p-handler>
  <p-agent-port><![CDATA[3181]]></p-agent-port>
  <p-agent-version><![CDATA[V11.0.00i]]></p-agent-version>
  <p-type><![CDATA[ALARM]]></p-type>
  <mc-local-reception-time><![CDATA[1524126967]]></mc-local-reception-time>
  <mc-location><![CDATA[bmc.com]]></mc-location>
  <mc-tool><![CDATA[TargetHostFQDN]]></mc-tool>
  <mc-origin-class><![CDATA[PATROL Agent]]></mc-origin-class>
  <p-args><![CDATA[[Alarm #2, global, ServiceStatus, NT_SERVICES.SERVICES_TBS, 3, 3.00, 3]]]></p-args>
  <mc-host><![CDATA[TargetHostFQDN]]></mc-host>
  <mc-event-category><![CDATA[AVAILABILITY_MANAGEMENT]]></mc-event-category>
  <p-catalog><![CDATA[0]]></p-catalog>
  <itsm-company><![CDATA[Calbro Services]]></itsm-company>
  <mc-ueid><![CDATA[FQDN:3181.1524126824.63966]]></mc-ueid>
  <mc-arrival-time><![CDATA[1524126967]]></mc-arrival-time>
  <severity><![CDATA[CRITICAL]]></severity>
  <mc-history><![CDATA[[bao1:18875]]]></mc-history>
  <p-status><![CDATA[OPEN]]></p-status>
  <p-application><![CDATA[NT_SERVICES]]></p-application>
  <mc-origin><![CDATA[FQDN:3181]]></mc-origin>
  <itsm-incident-status><![CDATA[Assigned]]></itsm-incident-status>
  <mc-date-modification><![CDATA[1524126967]]></mc-date-modification>
  <mc-event-subcategory><![CDATA[APPLICATION]]></mc-event-subcategory>
  <mc-host-class><![CDATA[NT6.0 Service Pack 2]]></mc-host-class>
  <mc-object-class><![CDATA[NT_SERVICES]]></mc-object-class>
  <p-agent-address><![CDATA[10.17.78.30]]></p-agent-address>
  <mc-incident-time><![CDATA[1524126907]]></mc-incident-time>
  <itsm-incident-id><![CDATA[INC000000000128]]></itsm-incident-id>
  <p-node><![CDATA[FQDN.bmc.com]]></p-node>
</event>

Click here to view the sample event converted into the CEM format

Sample event converted into the CEM format

<event>
  <metaData>
    <eventClass>PATROL_EV</eventClass>
    <eventId>TargetHost@10.17.78.30:3181.1524126824.63966</eventId>
    <reportTimeEpoch>0</reportTimeEpoch>
    <eventToCIAssociationType>IMPACTING</eventToCIAssociationType>
    <propagationHistory>[bao1:18875]</propagationHistory>
  </metaData>
  <sourceData>
    <componentHost>TargetHostFQDN</componentHost>
    <componentHostAddress>10.10.10.10</componentHostAddress>
    <location>bmc.com</location>
    <componentCaption>SERVICES_TBS</componentCaption>
    <componentType>NT_SERVICES</componentType>
  </sourceData>
  <situationData>
    <situationCategory>AVAILABILITY_MANAGEMENT</situationCategory>
    <situationSubCategory>APPLICATION</situationSubCategory>
    <situationTime>1524126907</situationTime>
    <severity>CRITICAL</severity>
    <situationTimeEpoch>0</situationTimeEpoch>
    <service>TBS</service>
    <messageSummary>ServiceStatus for NT_SERVICES/SERVICES_TBS is in ALARM current value is 3.000000</messageSummary>
  </situationData>
  <reporterData>
    <componentCaption>TargetHostFQDN</componentCaption>
    <componentType>PATROL Agent</componentType>
    <eventTime>1524126907</eventTime>
  </reporterData>
  <extendedData>
    <nameValueList>
      <nameValue>
        <name>cell-name</name>
        <value>bao1</value>
      </nameValue>
      <nameValue>
        <name>date</name>
        <value>20180419140507.000000+330</value>
      </nameValue>
      <nameValue>
        <name>p-origin</name>
        <value>NT_SERVICES.SERVICES_TBS.ServiceStatus</value>
      </nameValue>
      <nameValue>
        <name>mc-origin-sev</name>
        <value>4</value>
      </nameValue>
      <nameValue>
        <name>event-identification-type</name>
        <value>Internal</value>
      </nameValue>
      <nameValue>
        <name>p-owner</name>
        <value>Patrol</value>
      </nameValue>
      <nameValue>
        <name>p-class</name>
        <value>11</value>
      </nameValue>
      <nameValue>
        <name>mc-modhist</name>
        <value>[bao1]</value>
      </nameValue>
      <nameValue>
        <name>p-expectancy</name>
        <value>STORED</value>
      </nameValue>
      <nameValue">
        <name>p-instance</name>
        <value>SERVICES_TBS</value>
      </nameValue>
      <nameValue>
        <name>mc-origin-key</name>
        <value>63966</value>
      </nameValue>
      <nameValue>
        <name>p-source-id</name>
        <value>63966</value>
      </nameValue>
      <nameValue>
        <name>date-reception</name>
        <value>1524126907</value>
      </nameValue>
      <nameValue>
        <name>p-agent</name>
        <value>PATROLAgentHostFQDN</value>
      </nameValue>
      <nameValue>
        <name>p-handler</name>
        <value>Patrol</value>
      </nameValue>
      <nameValue>
        <name>p-agent-port</name>
        <value>3181</value>
      </nameValue>
      <nameValue>
        <name>p-agent-version</name>
        <value>V11.0.00i</value>
      </nameValue>
      <nameValue>
        <name>p-type</name>
        <value>ALARM</value>
      </nameValue>
      <nameValue>
        <name>mc-local-reception-time</name>
        <value>1524126967</value>
      </nameValue>
      <nameValue>
        <name>mc-origin-class</name>
        <value>PATROL Agent</value>
      </nameValue>
      <nameValue>
        <name>p-args</name>
        <value>[Alarm #2, global, ServiceStatus, NT_SERVICES.SERVICES_TBS, 3, 3.00, 3]</value>
      </nameValue>
      <nameValue>
        <name>p-catalog</name>
        <value>0</value>
      </nameValue>
      <nameValue>
        <name>itsm-company</name>
        <value>Calbro Services</value>
      </nameValue>
      <nameValue>
        <name>mc-arrival-time</name>
        <value>1524126967</value>
      </nameValue>
      <nameValue>
        <name>p-status</name>
        <value>OPEN</value>
      </nameValue>
      <nameValue>
        <name>p-application</name>
        <value>NT_SERVICES</value>
      </nameValue>
      <nameValue>
        <name>mc-origin</name>
        <value>TargetHostFQDN</value>
      </nameValue>
      <nameValue>
        <name>itsm-incident-status</name>
        <value>Assigned</value>
      </nameValue>
      <nameValue>
        <name>mc-date-modification</name>
        <value>1524126967</value>
      </nameValue>
      <nameValue>
        <name>mc-host-class</name>
        <value>NT6.0 Service Pack 2</value>
      </nameValue>
      <nameValue>
        <name>p-agent-address</name>
        <value>10.10.10.10</value>
      </nameValue>
      <nameValue>
        <name>itsm-incident-id</name>
        <value>INC000000000128</value>
      </nameValue>
      <nameValue>
        <name>p-node</name>
        <value>TargetHostFQDN</value>
      </nameValue>
    </nameValueList>
  </extendedData>
  <metricsData>
    <metricName>ServiceStatus</metricName>
    <metricValue>3.000000</metricValue>
  </metricsData>
</event>

Common Event Model mappings

The following figure shows a sample event mapping configuration XML file.

Click here to view the event mapping configuration XML

<!-- Mapping configuration file for TrueSight events -->
<mappings>
	<!-- metadata -->
	<eventMap>
		<entry>
			<key>mc-event-model-version</key>
			<value>
				<destination class="metaData">eventModelVersion</destination>
			</value>
		</entry>
		<entry>
			<key>class-name</key>
			<value>
				<destination class="metaData">eventClass</destination>
			</value>
		</entry>
		<entry>
			<key>mc-ueid</key>
			<value>
				<destination class="metaData">eventId</destination>
			</value>
		</entry>
		<entry>
			<key>status</key>
			<value>
				<destination class="metaData">status</destination>
			</value>
		</entry>
		<entry>
			<key>mc-incident-report-time</key>
			<value>
				<destination class="metaData">reportTime</destination>
			</value>
		</entry>
		<entry>
			<key>mc-smc-impact</key>
			<value>
				<destination class="metaData">eventToCIAssociationType</destination>
			</value>
		</entry>
		<entry>
			<key>mc-timeout</key>
			<value>
				<destination class="metaData">timeout</destination>
			</value>
		</entry>
		<entry>
			<key>mc-notes</key>
			<value>
				<destination class="metaData">notes</destination>
			</value>
		</entry>
		<entry>
			<key>mc-history</key>
			<value>
				<destination class="metaData">propagationHistory</destination>
			</value>
		</entry>
		<entry>
			<key>mc-relation-source</key>
			<value>
				<destination class="metaData">relationSource</destination>
			</value>
		</entry>
		<entry>
			<key>mc-owner</key>
			<value>
				<destination class="metaData">owner</destination>
			</value>
		</entry>
		<entry>
			<key>mc-account</key>
			<value>
				<destination class="metaData">account</destination>
			</value>
		</entry>
		<!-- source / reporter data -->
		<entry>
			<key>mc-tool-id</key>
			<value>
				<destination class="sourceData">resourceId</destination>
				<destination class="reporterData">resourceId</destination>
			</value>
		</entry>
		<entry>
			<key>mc-smc-id</key>
			<value>
				<destination class="sourceData">reconciliationId</destination>
			</value>
		</entry>
		<entry>
			<key>mc-smc-alias</key>
			<value>
				<destination class="sourceData">alias</destination>
			</value>
		</entry>
		<entry>
			<key>mc-host</key>
			<value>
				<destination class="sourceData">componentHost</destination>
			</value>
		</entry>
		<entry>
			<key>mc-host-address</key>
			<value>
				<destination class="sourceData">componentHostAddress</destination>
			</value>
		</entry>
		<entry>
			<key>mc-location</key>
			<value>
				<destination class="sourceData">location</destination>
			</value>
		</entry>
		<entry>
			<key>mc-object-uri</key>
			<value>
				<destination class="sourceData">componentURI</destination>
			</value>
		</entry>
		<entry>
			<key>mc-object</key>
			<value>
				<destination class="sourceData">componentCaption</destination>
			</value>
		</entry>
		<entry>
			<key>mc-object-class</key>
			<value>
				<destination class="sourceData">componentType</destination>
			</value>
		</entry>
		<entry>
			<key>mc-object-owner</key>
			<value>
				<destination class="sourceData">componentOwner</destination>
			</value>
		</entry>
		<!-- reporter data -->
		<entry>
			<key>mc-tool-address</key>
			<value>
				<destination class="reporterData">componentHostAddress</destination>
			</value>
		</entry>
		<entry>
			<key>mc-tool-uri</key>
			<value>
				<destination class="reporterData">componentURI</destination>
			</value>
		</entry>
		<entry>
			<key>mc-tool</key>
			<value>
				<destination class="reporterData">componentCaption</destination>
			</value>
		</entry>
		<entry>
			<key>mc-tool-class</key>
			<value>
				<destination class="reporterData">componentType</destination>
			</value>
		</entry>
		<entry>
			<key>mc-tool-time</key>
			<value>
				<destination class="reporterData">eventTime</destination>
			</value>
		</entry>
		<entry>
			<key>mc-tool-rule</key>
			<value>
				<destination class="reporterData">eventType</destination>
			</value>
		</entry>
		<entry>
			<key>mc-tool-key</key>
			<value>
				<destination class="reporterData">reporterEventId</destination>
			</value>
		</entry>
		<entry>
			<key>mc-tool-sev</key>
			<value>
				<destination class="reporterData">eventSeverity</destination>
			</value>
		</entry>
		<entry>
			<key>mc-tool-suggestion</key>
			<value>
				<destination class="reporterData">eventSuggestion</destination>
			</value>
		</entry>
		<!-- situation data -->
		<entry>
			<key>mc-event-category</key>
			<value>
				<destination class="situationData">situationCategory</destination>
			</value>
		</entry>
        <entry>
            <key>mc-event-subcategory</key>
            <value>
                <destination class="situationData">situationSubCategory</destination>
            </value>
        </entry>
		<entry>
			<key>mc-incident-time</key>
			<value>
				<destination class="situationData">situationTime</destination>
			</value>
		</entry>
		<entry>
			<key>mc-priority</key>
			<value>
				<destination class="situationData">priority</destination>
			</value>
		</entry>
		<entry>
			<key>severity</key>
			<value>
				<destination class="situationData">severity</destination>
			</value>
		</entry>
		<entry>
			<key>msg</key>
			<value>
				<destination class="situationData">messageSummary</destination>
			</value>
		</entry>
		<entry>
			<key>mc-service</key>
			<value>
				<destination class="situationData">service</destination>
			</value>
		</entry>
		<entry>
			<key>mc-long-msg</key>
			<value>
				<destination class="situationData">messageDetail</destination>
			</value>
		</entry>
		<entry>
			<key>repeat-count</key>
			<value>
				<destination class="situationData">repeatCount</destination>
			</value>
		</entry>
		<!-- metrics data -->
		<entry>
			<key>mc-parameter</key>
			<value>
				<destination class="metricsData">metricName</destination>
			</value>
		</entry>
		<entry>
			<key>mc-parameter-value</key>
			<value>
				<destination class="metricsData">metricValue</destination>
			</value>
		</entry>
		<entry>
			<key>mc-parameter-unit</key>
			<value>
				<destination class="metricsData">metricValueUnit</destination>
			</value>
		</entry>
		<entry>
			<key>mc-parameter-threshold</key>
			<value>
				<destination class="metricsData">metricThreshold</destination>
			</value>
		</entry>
		<!--  extended data is a generic place holder for all unidentified/custom fields -->
        <entry>
            <key>extendedData</key>
            <value>
                <destination class="extendedData">nameValueList</destination>
            </value>
        </entry>
   	</eventMap>
</mappings>

The following table describes the common event model attributes that are mapped with the TrueSight Infrastructure Management events.

TrueSight Infrastructure Management event attribute	CEM event attribute	Description	CEM property groups/section
`<mc-event-model-version>`	`<eventModelVersion>`	Specifies the version of the Common Event Model (CEM) that is used to instantiate the event.	MetaData
`<class-name>`	`<eventClass>`	Specifies the event class name as defined by the CEM. Internally, this is the class name that is used to create the event. Each event provider must use its own value so that specific rules can be written for the designated event provider.
`<mc-ueid>`	`<eventId>`	Specifies the globally unique identifier of the event. If the `mc_ueid` is not defined, then it is automatically generated by the main cell that receives the event.
`<status>`	`<status>`	Contains a list of distinct object states. The default status value is OPEN. Example: OPEN ACK ASSIGNED CLOSED BLACKOUT
`<mc-incident-report-time>`	`<reportTime>`	Specifies the date and time when the event was reported by the reporting object
`<mc-smc-impact>`	`<eventToCIAssociationType>`	Indicates whether an event is elected, attached, or has an impact on a service impact management component Example values: NOT_ELECTED—(Default value) not yet determined whether the event can be attached to a CI. ELECTED—The event can be attached to (or has been detached from) a CI (provided that there is a matching CI). Whether or not an event is ELECTED is determined by the rules in mc_sm_elect.mrl. NON_ELECTABLE—The event must not be attached to a CI, even if its mc_smc_alias/mc_smc_id matches a CI. In this case, the event is associated with a CI but not attached. ATTACHED—The event is attached to a CI but is not an impacting event. This means that the event does not influence the status of the component (because other more severe events are attached to the CI, the current status of the CI is due to an impact from another CI, or the manual_status of the CI is higher than the self_status). IMPACTING —The event is attached to a CI and is impacting the status of that CI.
`<mc-timeout>`	`<timeout>`	Specifies the timeout period, in seconds, after which an event is automatically closed.
`<mc-notes>`	`<notes>`	Contains a list of free text annotations that are added to an event.
`<mc-history>`	`<propagationHistory>`	Contains a list of cells and the event IDs inside each cell through which the received event flowed before it reached the current cell. An event provider can define this slot so that it can receive the synchronized events back from the cell.
`<mc-relation-source>`	`<relationSource>`	Contains the `mc_ueid` of the source event to which the current event is related. relationSource is required if the consumer object wants to send or receive updates.
`<mc-owner>`	`<owner>`	Specifies the current user assigned to the event.
`<mc-account>`	`<account>`	Specifies the account ID associated with the event. (This slot does not support multi-tenancy.)
`<mc-event-category>`	`<situationCategory>`	The Information Technology Infrastructure Library (ITIL) process that the event represents. Example values: SLA_MANAGEMENT CAPACITY_MANAGEMENT SERVICE_CONTINUITY_MANAGEMENT AVAILABILITY_MANAGEMENT INCIDENT_MANAGEMENT CONFIGURATION_MANAGEMENT RELEASE_MANAGEMENT PROBLEM_MANAGEMENT CHANGE_MANAGEMENT OPERATIONS_MANAGEMENT SECURITY_MANAGEMENT FINANCIAL_MANAGEMENT SERVICE_DESK_MANAGEMENT	SituationData
`<mc-event-subcategory>`	`<situationSubCategory>`	The `MC_EVENT_SUBCATEGORY` enumeration defines the subcategory for an event, as follows: `10 OTHER` `20 APPLICATION` `30 DATABASE` `40 NETWORK` `50 SYSTEM` `60 USER_TRANSACTIONS` For external events to be analyzed based on global relationships, the mc_event_subcategory slot must be set for each external event. For more information, see MC_EVENT_SUBCATEGORY enumeration in TrueSight Infrastructure Management.
`<mc-incident-time>`	`<situationTime>`	Specifies the time when the event occurred, translated into epoch time to accommodate the requirements of the cell. Internally, the impact manager works with epoch time. Doing the translations over and over again when needed would have an impact of efficiency. Therefore, the providers are asked to calculate when the epoch time, so processing of time-related information is as optimal as possible.
`<mc-priority>`	`<priority>`	Represents the importance of an event. This slot supports management functions requiring an event to be associated with a priority. Valid values in ascending order of significance are as follows: PRIORITY_5 PRIORITY_4 PRIORITY_3 PRIORITY_2 PRIORITY_1 PRIORITY_1 is the highest priority.
`<severity>`	`<severity>`	Represents the perceived severity of the status the event is describing with respect to the application that reports the event. Current values are as follows: UNKNOWN OK INFO WARNING MINOR MAJOR CRITICAL
`<msg>`	`<messageSummary>`	Contains a descriptive text that is part of an event. BMC recommends a terse description of the event content.
`<mc-service>`	`<service>`	Specifies the service or application to which the event is related. Use this slot to add contextual information about the service or application to the event. The value of this slot would be typically set by enrichment.
`<mc-long-msg>`	`<messageDetail>`	Contains a descriptive text that is part of an event. BMC recommends that you use this slot to convey additional relevant information about the event. Do not include any MRL rules.
`<repeat-count>`	`<repeatCount>`	Contains the number of times that this incident described in the event has occurred.
`<resourceId>`	`<resourceId>`	Specifies the unique identifier of the manageable resource on which the event has occurred. This ID is different from the BMC Atrium CMDB Reconciliation ID or the alias. Do not use the ResourceId to associate events with CIs. Instead, use the reconciliation ID or the alias.	SourceData
`<mc-smc-id>`	`<reconciliationId>`	Specifies the identifier of a manageable resource associated with an event and is used to associate the event with a configuration item. BMC recommends that this value be the reconciliation ID value generated by the BMC Atrium CMDB.
`<mc-smc-alias>`	`<alias>`	Identifier of a manageable resource associated with an event. BMC recommends that this value be taken from the alias defined in the BMC Atrium CMDB. This property helps to associate the event to the configuration item. Generally, event providers supply this value with the component's alias value.
`<mc-host>`	`<componentHost>`	Fully qualified host name of the system on which the problem occurred. The `ComponentHost` is required in the ComponentHostAddress is not specified.
`<mc-host-address>`	`<componentHostAddress>`	Network address for the host on which the problem occurred. It can be used to supplement the value of the `ComponentHost`property. The ComponentHostAddress is required if the `ComponentHost` property is not specified.
`<mc-location>`	`<location>`	Location at which the source component resides. This slot provides additional contextual information for the event.
`<mc-object-uri>`	`<componentURI>`	Address used to cross-launch directly to the component
`<mc-object>`	`<componentCaption>`	Sub-component of the host to which the event is related For example, it could be the name of the disk on which the event is reporting the problem.
`<mc-object-class>`	`<componentType>`	Identifies the class of an object If the object class cannot be derived from the original event, it must be filled in during enrichment.
`<mc-object-owner>`	`<componentOwner>`	Identifies the owner of the source component
`<mc-tool-address>`	`<componentHostAddress>`	The network address of the Reporter	ReporterData The reporter component only reports the event, and may not be the source of the event. ReporterData is required if the reporter component and the event source component are different. If not specified, the reporter and the source are considered to be the same.
`<mc-tool-uri>`	`<componentURI>`	The address used to cross-launch directly to the Reporter
`<mc-tool>`	`<componentCaption>`	For BMC Event Management events, `mc_tool`represents any event that is within any value that can further distinguish where the event is coming from within an `mc_tool_class` value. For example, for the NT Event Log Adapter, `mc_tool` could be the name of the log to which the incident was logged. If the `mc_tool_class` is a management tool (such as PATROL or ITO), then the `mc_tool` must be a string that enables an action on the event to initiate a communication in context with the `mc_tool`. For Infrastructure Management events, `mc_tool`contains the fully qualified DNS name of the BMC TrueSight Infrastructure Management Server.
`<mc-tool-class>`	`<componentType>`	For BMC Event Management, `mc_tool_class` represents a user-defined categorization of the tool reporting the event. For example, the `mc_tool_class` value for an SNMP adapter could be `SNMP`. And the `mc_tool_class` value for an NT Event Log Adapter might be `NT_EVLOG`. For Infrastructure Management events, `mc_tool_class` contains the string PNET.
`<mc-tool-time>`	`<eventTime>`	Date and time (as a timestamp) when the event report was created. The ReportTime value must be read as using the time scale Coordinated Universal Time (UTC) unless a particular time zone or the value Z (Zulu time for UTC) is otherwise specified.
`<mc-tool-rule>`	`<eventType>`	Name of the adapter or integration mapping rule that generated the event
`<mc-tool-source>`	`<reporterEventId>`	Globally unique identifier of the event at the reporter. When an event is propagated, the receiving cell gets a new local identifier, but the event keeps the old universal identifier `mc_ueid`.
`<mc-tool-sev>`	`<eventSeverity>`	Severity as given by `mc_tool.` Represents the perceived severity of the status the event is describing with respect to the reporter the event. Current values are as follows: UNKNOWN OK INFO WARNING MINOR MAJOR CRITICAL
`<mc-tool-suggestion>`	`<eventSuggestion>`	The Reporter's suggested solution to the problem posed by the event. This is similar to expert advice information that other applications provide.
`<mc-parameter>`	`<metricName>`	Name of the metric or property that went into alarm or that triggered the event	MetricsData
`<mc-parameter-value>`	`<metricValue>`	Actual value of the parameter
`<mc-parameter-unit>`	`<metricValueUnit>`	Unit description of the metric
`<mc-parameter-threshold>`	`{<metricThreshold>`	Threshold value that was crossed to cause the generation of the event
`<itsm-incident-id>`	`<itsm-incident-id>`	Incident ID in associated ITSM application.	ExtendedData Contains all event attributes that are not mapped to any specific class.

Common event model property groups

The CEM format must contain the following property groups.

Metadata

Contains basic information about the event, including the event class, event ID and status.

Sample <metadata> property

<metaData>
  <eventClass>PATROL_EV</eventClass>
  <eventId>abc.bmc.com@192.168.0.1:3181.1524160356.2285</eventId>
  <reportTimeEpoch>0</reportTimeEpoch>
  <eventToCIAssociationType>IMPACTING</eventToCIAssociationType>
  <propagationHistory>[bao1:19025]</propagationHistory>
</metaData>

Situation data

Contains detailed information about the event, which includes the ITIL category, sub-category, the time when the event occurred, the severity of the event and so on. The properties in the <situationData> group do not contain information enough to determine the exact event type that is received in TrueSight Infrastructure Management. Therefore, the event is enriched in the main cell to add another property, called <eo-event-type> in the <extendedData> group to help identify the specific event type.

The <situationData> group includes the following attributes:

Property Description

<situationCategory>

Specifies the enumerations in TrueSight Infrastructure Management

Enriched in the main cell (in TrueSight Infrastructure Management) to help TSO event orchestration workflow framework to be generic. If the framework is generic, new use cases for new event types can be added without the need for modifying the framework workflow.

<situationSubCategory>

Specifies the enumerations in TrueSight Infrastructure Management

Enriched in the main cell (in TrueSight Infrastructure Management) to help event orchestration workflow framework to be generic.

<service>

Stores the name of the service in the target system.

In the case of ServiceDown use case, it can be a service name or a short form of a process that is being monitored.

Sample <situationData> property group

<situationData>
   <situationCategory>AVAILABILITY_MANAGEMENT</situationCategory>
   <situationSubCategory>APPLICATION</situationSubCategory>
   <situationTime>1524160373</situationTime>
   <severity>CRITICAL</severity>
   <situationTimeEpoch>0</situationTimeEpoch>
   <service>repo</service>
   <messageSummary>ProcessCount for NUK_Process/repo is in ALARM current value is 0.000000</messageSummary>
 </situationData>

Source data

The source data property group contains properties related to a component where the event has occurred. Properties such as the host name and the host address of the source of the event are displayed.

Sample <sourceData> property group

<sourceData>
  <componentHost>abcd.bmc.com</componentHost>
  <componentHostAddress>192.168.0.1</componentHostAddress>
  <location />
  <componentCaption>repo</componentCaption>
  <componentType>NUK_Process</componentType>
</sourceData>

Reporter data

The reporter data property group contains the properties related to the component that has reported the event.

Note

If the <reporterData> is not included in the event, then it is assumed that the source component (where the event took place) and the reporter component (which reported the event) is the same.

The reporter data group includes the following attributes:

Property Description

<componentCaption> Specifies the host address of the component that has reported the event.

<componentType>

Specifies the type of the component that has reported the event.

For example, PATROL agent.

<eventTime>

Specifies the time when the event occurred (in an epoch time format).

Sample <reporterData> property group

<reporterData>
  <componentCaption>abc.bmc.com:3181</componentCaption>
  <componentType>PATROL Agent</componentType>
  <eventTime>1524160373</eventTime>
</reporterData>

Metrics data

When a PATROL Agent reports an event, threshold values are stored in the metrics section. The properties include metric name, metric value, metric value unit, and metric threshold.

Sample <metricsData> property group

<metricsData>
  <metricName>ProcessCount</metricName>
  <metricValue>0.000000</metricValue>
</metricsData>

Extended data

Contains information about the event that is not captured in the property groups described in the earlier section.

The extended data group includes the following attributes:

Property	Description
`<nameValueList>`	Contains a list of `<nameValue>` properties.
`<nameValue>`	Contains `<name>` and `<value>` pairs for the properties of an event.
`<name>`	Specifies the name of the property for the event. For example, `eo-event-type`.
`<value>`	Specifies the value for the corresponding `<name>` property. For example, `ServiceDown`.

Sample <extendedData> property group

<extendedData>
  <nameValueList>
    <nameValue>
      <name>cell-name</name>
      <value>bao1</value>
    </nameValue>
    <nameValue>
      <name>date</name>
      <value>20180419232253.000000+330</value>
    </nameValue>
    <nameValue>
      <name>p-origin</name>
      <value>NUK_Process.repo.ProcessCount</value>
    </nameValue>
    <nameValue>
      <name>mc-origin-sev</name>
      <value>4</value>
    </nameValue>
    <nameValue>
      <name>event-identification-type</name>
      <value>Internal</value>
    </nameValue>
    <nameValue>
      <name>p-owner</name>
      <value>Patrol</value>
    </nameValue>
    <nameValue>
      <name>p-class</name>
      <value>11</value>
    </nameValue>
    <nameValue>
      <name>mc-modhist</name>
      <value>[bao1]</value>
    </nameValue>
    <nameValue>
      <name>p-expectancy</name>
      <value>STORED</value>
    </nameValue>
    <nameValue>
      <name>p-instance</name>
      <value>repo</value>
    </nameValue>
    <nameValue>
      <name>mc-origin-key</name>
      <value>2285</value>
    </nameValue>
    <nameValue>
      <name>p-source-id</name>
      <value>2285</value>
    </nameValue>
    <nameValue>
      <name>date-reception</name>
      <value>1524160373</value>
    </nameValue>
    <nameValue>
      <name>p-agent</name>
      <value>abc.bmc.com</value>
    </nameValue>
    <nameValue>
      <name>p-handler</name>
      <value>Patrol</value>
    </nameValue>
    <nameValue>
      <name>p-agent-port</name>
      <value>3181</value>
    </nameValue>
    <nameValue>
      <name>p-agent-version</name>
      <value>V11.0.00i</value>
    </nameValue>
    <nameValue>
      <name>eo-event-type</name>
      <value>ServiceDown</value>
    </nameValue>
    <nameValue>
      <name>p-type</name>
      <value>ALARM</value>
    </nameValue>
    <nameValue>
      <name>mc-local-reception-time</name>
      <value>1524160400</value>
    </nameValue>
    <nameValue>
      <name>mc-origin-class</name>
      <value>PATROL Agent</value>
    </nameValue>
    <nameValue>
      <name>p-args</name>
      <value>[Alarm #1, global, ProcessCount, NUK_Process.repo, 0, 0.00, 0]</value>
    </nameValue>
    <nameValue>
      <name>p-catalog</name>
      <value>0</value>
    </nameValue>
    <nameValue>
      <name>mc-arrival-time</name>
      <value>1524160400</value>
    </nameValue>
    <nameValue>
      <name>p-status</name>
      <value>OPEN</value>
    </nameValue>
    <nameValue>
      <name>p-application</name>
      <value>NUK_Process</value>
    </nameValue>
    <nameValue>
      <name>mc-origin</name>
      <value>abc.bmc.com:3181</value>
    </nameValue>
    <nameValue>
      <name>mc-date-modification</name>
      <value>1524160400</value>
    </nameValue>
    <nameValue>
      <name>mc-host-class</name>
      <value>LinuxRed Hat Enterprise Linux Server release 6.9 (Santiago)</value>
    </nameValue>
    <nameValue>
      <name>p-agent-address</name>
      <value>192.168.0.1</value>
    </nameValue>
    <nameValue>
      <name>p-node</name>
      <value>abc.bmc.com</value>
    </nameValue>
    <nameValue>
      <name>itsm-incident-id</name>
      <value>INC000000000453</value>
    </nameValue>
  </nameValueList>
</extendedData>

Where to go from here

After understanding the CEM format and how it works, you can now start using the run book. For more information, see Using the Event Orchestration run book.

Common Event Model for Event Orchestration

Sample event

Common Event Model mappings

Common event model property groups

Metadata

Situation data

Source data

Reporter data

Metrics data

Extended data

Where to go from here

Comments