
Architecture


There are various ways of illustrating the operation of the correlation process, depending on your viewpoint. One simplified block diagram of the BMC Defender Server operation and message dataflow, depicting the relationship of the main components, is shown in the following figure.

(Figure: simplified block diagram of BMC Defender Server operation and message dataflow, showing the relationship of the main components.)

This is how the correlation process works:

  1. Raw messages from network devices are input into the BMC Defender Server system. These include syslog messages from UNIX-based devices and network routers, Windows event logs, and messages from application programs.
  2. Input messages are optionally filtered and overridden. You can filter messages based upon content, time of day, device, facility, or any combination of these.
  3. Filtered messages are then applied to the various correlation components. Each correlation component maintains a count of received messages.
  4. The Triggers component enables or disables threads and actions based on message content. Because a trigger's state is set by one message and consulted by later ones, this allows correlation based on the content of the current message as well as previous messages.
  5. The Threads component maintains a count of executions and a list of received messages that have matched simple or complex patterns and specific trigger states. These messages are entered into various message catalogs, where each catalog is a list of messages corresponding to a specific match pattern.
  6. The Actions component operates in a fashion similar to the Threads component, except that an action can launch an external program when a message matches a simple or complex pattern and a specific trigger state.
  7. The Alerts facility monitors the trigger, thread and action system counters (as well as other counters) and generates alerts and tickets when thresholds are exceeded.
  8. The alerts are fed back into the original stream through standard syslog protocol for further filtering and correlation. Alert messages are just other syslog messages that have their content completely supplied and controlled by the BMC Defender Server user.
  9. The Tickets component is a principal output of the system (as is the Message Catalog maintained by the Threads component). These tickets consist of actionable events.
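The following is an added example, written for this page and not BMC Defender Server code, that models the nine-step dataflow above as a small Python pipeline. The line format (`facility host program: text`), the sample messages, the pattern strings, the threshold of three failures and the `notify.sh` action are all assumptions made for illustration. It demonstrates the two points that are easy to miss in the list: a trigger set by earlier messages gates a thread on a later one (a login success only counts if failures preceded it), and an alert re-enters the stream as an ordinary syslog message, so a thread can catalog alerts like any other input.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input (a simplified "facility host program: text" line
# format, not the exact syslog framing BMC Defender Server receives).
SAMPLE_MESSAGES = [
    "daemon host2 cron: nightly job finished",
    "auth host1 sshd: Failed password for root from 10.0.0.5",
    "auth host1 sshd: Failed password for root from 10.0.0.5",
    "auth host1 sshd: Failed password for root from 10.0.0.5",
    "auth host1 sshd: Accepted password for root from 10.0.0.5",
]

LINE_RE = re.compile(r"^(?P<facility>\S+) (?P<host>\S+) (?P<program>[^:]+): (?P<text>.*)$")


class Correlator:
    """Toy version of the dataflow: filter -> triggers -> threads -> actions
    -> alerts, with alerts fed back into process() and tickets as output."""

    FAILURE_THRESHOLD = 3  # assumed threshold for the brute-force alert

    def __init__(self):
        self.counters = Counter()            # every component keeps a count
        self.catalogs = defaultdict(list)    # thread name -> matched messages
        self.triggers = defaultdict(bool)    # trigger name -> current state
        self.launched = []                   # commands the Actions step "ran"
        self.alerts_fired = set()            # fire each alert only once
        self.tickets = []                    # principal output

    # Step 2: filter on facility (drop anything that is not auth)
    @staticmethod
    def passes_filter(msg):
        return msg["facility"] == "auth"

    # Step 4: a trigger is state set by message content; later messages
    # are correlated against it
    def apply_triggers(self, msg):
        if "Failed password" in msg["text"]:
            self.triggers["auth_failures_seen"] = True

    # Step 5: threads match patterns (optionally gated by trigger state),
    # count executions and catalog the matching messages
    def apply_threads(self, msg):
        if "Failed password" in msg["text"]:
            self.record_thread("failed_logins", msg)
        if "Accepted password" in msg["text"] and self.triggers["auth_failures_seen"]:
            self.record_thread("success_after_failure", msg)
        if msg["program"] == "defender":           # fed-back alert messages
            self.record_thread("alert_messages", msg)

    def record_thread(self, name, msg):
        self.catalogs[name].append(msg["raw"])
        self.counters["thread:" + name] += 1

    # Step 6: actions match the same way but launch an external program;
    # here the command line is only recorded, never executed
    def apply_actions(self, msg):
        if "Accepted password" in msg["text"] and self.triggers["auth_failures_seen"]:
            self.launched.append("notify.sh " + msg["host"])   # hypothetical script
            self.counters["action:notify"] += 1

    # Steps 7-9: compare counters with thresholds, raise an alert, feed it
    # back as a syslog message and open a ticket
    def check_alerts(self, msg):
        host = msg["host"]
        if self.counters["thread:failed_logins"] >= self.FAILURE_THRESHOLD:
            self.raise_alert("bruteforce",
                             f"auth {host} defender: ALERT repeated login failures")
        if self.counters["thread:success_after_failure"] >= 1:
            self.raise_alert("success_after_failure",
                             f"auth {host} defender: ALERT login succeeded after failures")

    def raise_alert(self, name, syslog_line):
        if name in self.alerts_fired:
            return
        self.alerts_fired.add(name)
        self.tickets.append({"alert": name, "message": syslog_line})
        self.process(syslog_line)   # Step 8: the alert is just another syslog message

    # Steps 1-3: parse, count, filter, then hand to the correlation components
    def process(self, raw):
        m = LINE_RE.match(raw)
        if m is None:
            self.counters["unparsed"] += 1
            return
        msg = m.groupdict()
        msg["raw"] = raw
        self.counters["received"] += 1
        if not self.passes_filter(msg):
            self.counters["filtered"] += 1
            return
        self.apply_triggers(msg)
        self.apply_threads(msg)
        self.apply_actions(msg)
        self.check_alerts(msg)


def run_pipeline(lines=SAMPLE_MESSAGES):
    c = Correlator()
    for line in lines:
        c.process(line)
    return c


if __name__ == "__main__":
    for ticket in run_pipeline().tickets:
        print(ticket)
```

Running the sample produces two tickets (the brute-force alert after the third failure, then the success-after-failure alert), one recorded action, and two entries in the `alert_messages` catalog, which only exist because the alerts were fed back through `process()`. A success with no preceding failures produces nothing, since the gating trigger was never set. One caveat the feedback loop imposes in any real deployment: alert text must not itself match the patterns that raised it, or the alert will re-trigger its own thread; the example avoids this by wording the alert lines differently from the matched messages and by firing each alert once.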


BMC Defender SIEM Correlation Server 6.0