Basic correlation components


BMC Defender Server provides the following main components to help you accomplish almost any correlation you require. Access the components under the Correlation and Alerts tabs of the web interface.

The components are atomic in nature: they cannot be further subdivided, they do not overlap each other in function, and they can be used as building blocks to create higher-level, more complex functions.

  • Threads—Threads are the most basic correlation component of the system. Threads partition raw message data into categories based upon simple or complex match patterns. Each thread consists of a list of received messages that share one or more common aspects; for example, they all might contain a specific keyword, come from a specific device, and have occurred during a particular time. Access the component under the Correlation > Threads tab.
  • Triggers—Triggers are not required to implement a particular correlation objective and are often omitted as part of a correlation strategy. You can think of triggers as message latches that retain message information and enable the gathering of future messages. Each trigger provides a match pattern, an expiration time, and an optional trigger clear pattern. Triggers are used to establish message context (when needed), such as collecting information when a node starts, or when a specific sequence of messages (such as a data dump) is started. Access the component under the Correlation > Triggers tab.
  • Actions—Actions are similar to the threads component, except this component can take arbitrary action on a message, such as sending a notification, updating a database, or opening a ticket on the system. Additionally, actions can extend BMC Defender Server with high-level correlation functions. Actions can also take automatic action when correlation patterns are discovered. Access the component under the Correlation > Actions tab.

    Important

    The action component, while not necessary to achieve any particular type of correlation, can sometimes reduce the complexity of correlation rules through user-written programs.

  • Alerts—This component counts the number of messages received by a thread and generates a new system message when a threshold is exceeded. The new message is fed back into the main message stream (like any other message), where it can be further correlated. The message is user-defined and describes some special condition, such as too many or too few expected events during a time interval. Access the component and its features under the Alerts tab.
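To make the thread, alert, and feedback loop concrete, the following Python sketch is an added example and not BMC Defender Server code: the `Thread`, `Alert`, and `correlate` names are the example's own, the message stream is constructed, and triggers and actions are left out. It partitions messages into threads by match pattern, counts one thread's hits in a sliding time window, and feeds the resulting alert message back into the stream, where a second thread picks it up.

```python
import re
from collections import deque
# Constructed sample stream of (seconds, device, text) tuples; not real BMC Defender data.
MESSAGES = [(0, "fw1", "login failure for user admin"), (7, "fw1", "login failure for user admin"),
            (60, "fw1", "login success for user ops"), (200, "fw1", "login failure for user admin"),
            (205, "fw1", "login failure for user root"), (209, "fw1", "login failure for user admin")]

class Thread:
    """Partitions raw messages into one category by a regex match pattern."""
    def __init__(self, name, pattern):
        self.name, self.rx, self.messages = name, re.compile(pattern), []
    def offer(self, msg):
        hit = self.rx.search(msg[2]) is not None
        if hit:
            self.messages.append(msg)
        return hit

class Alert:
    """Counts a thread's messages in a sliding time window; at the threshold it emits a new message."""
    def __init__(self, thread, threshold, window_secs, text):
        self.thread, self.threshold, self.window, self.text = thread, threshold, window_secs, text
        self.times = deque()
    def check(self, msg):
        self.times.append(msg[0])
        while msg[0] - self.times[0] > self.window:   # drop hits that fell out of the window
            self.times.popleft()
        if len(self.times) >= self.threshold:
            self.times.clear()                          # one burst yields one alert message
            return (msg[0], "defender", self.text)

def correlate(messages, threads, alerts):
    """Run the stream through every thread; alert messages re-enter the stream like any other."""
    stream, emitted = deque(messages), []
    while stream:
        msg = stream.popleft()
        for th in threads:
            if not th.offer(msg):
                continue
            for alert in (a for a in alerts if a.thread == th.name):
                new = alert.check(msg)
                if new is not None:
                    emitted.append(new)
                    stream.append(new)                  # feedback into the main message stream
    return emitted

def run_demo():
    threads = [Thread("auth_fail", r"login failure"), Thread("bruteforce", r"brute force")]
    alerts = [Alert("auth_fail", threshold=3, window_secs=60, text="brute force suspected")]
    return correlate(MESSAGES, threads, alerts), threads
```

The two failures at 0 and 7 seconds fall out of the 60-second window before the burst at 200 to 209 seconds, so only that burst produces an alert, and the alert message lands in the `bruteforce` thread through the feedback path.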
