Basic correlation components


The BMC Defender Server provides four main components. Together, these components can accomplish virtually any correlation you require. These components are accessed by the navigation tabs of the web interface, beneath the top-level Correlation tab. These components are atomic in nature, that is, they cannot be further subdivided, they do not overlap each other in function, and they can be used as building blocks to create higher and more complex functions. Correlation components are defined as follows:

  • Thread component—This is the most basic correlation component of the system, accessed using the Correlation > Threads screen of the system. Threads partition raw message data into categories based upon simple or complex match patterns. Each thread consists of a list of received messages that share one or more common aspects; for example, they all might contain a specific keyword, come from a specific device, or have occurred during a particular time period.
  • Alert component—This component, accessed using the Correlation > Alerts screen, counts the number of messages received by a thread and generates a new system message when a threshold is exceeded. The new message is fed back into the main message stream (like any other message) where it can be further correlated. The message is user-defined and describes some special condition, such as too many or too few expected events during a time interval.
  • Trigger component—This component is not necessarily required to implement a particular correlation objective and is often omitted by users as part of their correlation strategy. However, when a Trigger is needed, there is no substitute available. Triggers can be thought of as message latches that retain message information and enable the gathering of future messages. Triggers are accessed using the Correlation > Triggers screen of the system. Each Trigger provides a match pattern, an expiration time, and an optional trigger clear pattern. Triggers are used to establish message context (when needed), such as collecting information when a node starts, or when a specific sequence of messages (such as a data dump) is started.
  • Action component—This component, accessed using the Correlation > Actions screen, is similar to the Thread component, except that this component can take arbitrary action on a message, such as sending a notification, updating a database, or opening a ticket on the system. Additionally, Actions can extend the BMC Defender Server with high-level correlation functions. Actions can also take automatic action when correlation patterns are discovered.

Note

The Actions component, while not necessary to achieve any particular type of correlation, can sometimes reduce the complexity of correlation rules through user-written programs.
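As an added illustration (not BMC's own code or configuration format), the following Python model shows how the four components fit together: a thread partitions messages by pattern, an alert counts thread members within a window and feeds a new message back into the stream, a trigger latches context with an expiration time and a clear pattern, and an action fires only while that context is active. The sample messages, patterns and names are constructed for the example.

```python
import re
# Constructed sample stream (ts_seconds, text); not product output.
STREAM = [(0, "dump started for schema sales"), (5, "auth failure for user root"),
          (6, "auth failure for user root"), (7, "auth failure for user root"),
          (40, "dump complete"), (50, "auth failure for user root"),
          (51, "auth failure for user root"), (52, "auth failure for user root")]

class Trigger:
    """Latch: set by a match pattern, cleared by a clear pattern or expiry."""
    def __init__(self, pattern, expire, clear=""):
        self.pattern, self.expire, self.clear, self.set_at = pattern, expire, clear, -1
    def update(self, ts, text):
        if self.clear and re.search(self.clear, text):
            self.set_at = -1
        elif re.search(self.pattern, text):
            self.set_at = ts
    def active(self, now):
        return self.set_at >= 0 and now - self.set_at <= self.expire

def correlate(stream, threads, alerts, triggers, actions):
    """threads: {name: regex}; alerts: (thread, count, window, text);
    actions: (regex, gating Trigger or None, action name).  Alert messages
    are inserted back into the queue so later rules can correlate them."""
    queue, i, raised, fired = [list(m) for m in stream], 0, [], []
    members = {name: [] for name in threads}      # thread -> match timestamps
    while i < len(queue):
        ts, text = queue[i]
        i += 1
        for tr in triggers:                       # latch bookkeeping first
            tr.update(ts, text)
        for name, pat in threads.items():         # partition into threads
            if not re.search(pat, text):
                continue
            members[name].append(ts)
            for thread, count, window, msg in alerts:
                hits = sum(ts - t <= window for t in members[name])
                if thread == name and hits == count:   # fire once, on Nth hit
                    raised.append(ts)
                    queue.insert(i, [ts, msg])    # fed back into the stream
        for pat, gate, action in actions:
            if re.search(pat, text) and (gate is None or gate.active(ts)):
                fired.append((ts, action))
    return raised, fired

def run():
    dump = Trigger(r"dump started", expire=60, clear=r"dump complete")
    threads = {"authfail": r"auth failure"}
    alerts = [("authfail", 3, 10, "ALERT: repeated root login failures")]
    actions = [(r"^ALERT:", dump, "page-dba-during-dump")]   # context-gated
    return correlate(STREAM, threads, alerts, [dump], actions)
```

Both bursts of failures raise the alert, but only the first one, which occurs while the dump trigger is latched, reaches the action.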
