Advanced correlation using actions
One specific use of action programs is to correlate data further. The threads, triggers and alerts components can be used to build correlation rules that cover a wide range of messages and applications. However, it is also possible to write a simple action script that satisfies correlation objectives too narrow or unusual for those components.
This is a straightforward activity to accomplish. You write a Perl script (or a script in another language) that reads the message data from the environment variables established by the BMC Defender Server system. Your script executes each time a message is received, optionally pre-qualified by a match expression, a device, or another parameter. The script performs the correlation, and then sends a syslog message back into the message stream. The syslog message is generated either by running the system\sendlog.exe program from the script, or through a simple socket interface, such as the one documented in the Resources section of the BMC Defender Server website.
The resulting syslog message carries the outcome of a highly targeted correlation. It is then handled by the other elements of the system like any other message: it can run further actions, send additional alerts, or open tickets on the system.
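The following is an added example of such an action script, not code from the BMC Defender Server product or its documentation, written in Python rather than Perl: it counts authentication-failure messages per source address across invocations and, when a burst is seen within a time window, sends one summary syslog message back into the stream over a UDP socket. The environment variable names (DEFENDER_ADDRESS, DEFENDER_MESSAGE, DEFENDER_STATE_FILE), the state-file location and the collector address are assumptions; substitute the names your action configuration actually provides.

```python
import json
import os
import socket
import time
from pathlib import Path

# Assumed names: the real environment variable and state-file names come from
# the server's action configuration, not from this example.
STATE_FILE = Path(os.environ.get("DEFENDER_STATE_FILE", "correlate_state.json"))
COLLECTOR = ("127.0.0.1", 514)   # the server's syslog listener (assumed)
THRESHOLD, WINDOW_SECONDS = 5, 300

def correlate(address, message, state, now, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Record one message in state; return alert text once the threshold is hit."""
    if "authentication failure" not in message.lower():
        return None
    times = [t for t in state.get(address, []) if now - t < window]
    times.append(now)
    if len(times) < threshold:
        state[address] = times
        return None
    state[address] = []  # reset so one burst yields exactly one alert
    # Wording deliberately does not match the filter above, so the emitted
    # message cannot re-trigger this same action when it re-enters the stream.
    return f"CORRELATED: {len(times)} failed logins from {address} within {window}s"

def build_syslog(text, facility=1, severity=4, hostname="defender"):
    """RFC 3164 style line; PRI is facility * 8 + severity."""
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<{facility * 8 + severity}>{stamp} {hostname} correlate: {text}"

def send_syslog(line, target=COLLECTOR):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), target)

def load_state():
    return json.loads(STATE_FILE.read_text()) if STATE_FILE.exists() else {}

def main():
    # Each received message starts a fresh process, so state must live on disk.
    state = load_state()
    alert = correlate(os.environ.get("DEFENDER_ADDRESS", "unknown"),
                      os.environ.get("DEFENDER_MESSAGE", ""), state, time.time())
    STATE_FILE.write_text(json.dumps(state))
    if alert:
        send_syslog(build_syslog(alert))

if __name__ == "__main__":
    main()
```

Because the script is started once per message, anything it must remember between messages has to be persisted outside the process, and the message it emits should be worded so that it cannot match its own trigger and loop.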