Defining new correlation threads


One of the main purposes of BMC Defender Server is to organize data into threads. This is one type of correlation available and is very simple to implement. BMC Defender Server comes with a variety of predefined correlation threads that are generic enough to use without modification. Users can (and typically do) create their own correlation threads, pin them to the top of the list for easy reference, and create alerts for them that open tickets on the system.

BMC Defender Server threads are catalogs of messages that are related by some characteristic, such as a common keyword, device name or group, time, facility code, severity code, or some other message attribute. For instance, you might be specifically interested in data of a particular type generated by a particular device or group. The procedure for creating a thread is as follows:

  1. Log on to the BMC Defender Server system and click the Correlation > Threads tab at the top of the screen. This displays a list of the current threads on the system. You can sort this list, or click a thread title to view the messages associated with that thread.
  2. To add a new thread, click the Wizard option in the upper right of the screen. This starts the Add New Thread wizard, which guides you through the process of adding a new thread to the system. (More experienced users can simply click the AddNew option to configure a new thread directly.)
  3. The Add New Thread wizard prompts you for the thread title, which appears on the top-level Threads screen and in other locations within BMC Defender Server. Provide a descriptive title for the thread.
  4. The Add New Thread wizard prompts you for basic qualifiers, such as the IP address, message severity, and time range. Each message received by BMC Defender Server is compared to these values; if they match, the correlation process continues. By default, the qualifiers match all received messages.
  5. The Add New Thread wizard prompts you for a match expression. To get started, you can specify any keyword, phrase, wildcard, or logical combination of these. Each message received by BMC Defender Server that passes the qualifiers of step 4 (if any) is compared to this match expression. If it matches, the message is added to the thread.
  6. Finish the wizard. The thread title specified in step 3 appears at the top of the list and is pinned. You can edit the thread using the Edit option, including unpinning the thread if so desired.
  7. As a final step, you can regenerate the catalog to populate the thread with existing data. (If the thread is not regenerated, only messages received after the thread was created are added to it.) Click the catalog title hyperlink, then click Regenerate Thread at the bottom of the screen. Confirm to start a background process that scans recently received messages and adds the matching ones to the thread. This process can take several minutes.

If you regenerate the thread, as described in step 7, BMC Defender Server launches a background process that scans all recent messages, up to a limit you specify. All messages that match the thread specifications are entered into the catalog. While the thread is regenerating, the status line indicates the progress of the operation. You can leave the screen and return later to check the progress of the operation or to see which messages have been entered into the thread catalog.

As an alternative to regenerating the thread, you can simply check back to see what new messages have been collected for the thread.
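To make the two-stage test of steps 4 and 5 and the regenerate pass of step 7 concrete, the following Python is an added illustration and is not BMC Defender Server code. It models a thread as qualifiers (a source-address pattern, a severity ceiling, a start time) followed by a match expression, tests each "received" message once on the live path, and replays the newest N stored messages when regenerating. The expression syntax (keywords, quoted phrases, `*` wildcards, AND/OR/NOT), the syslog severity table, and the sample messages are assumptions constructed for the example; the product's real expression syntax and storage are not described on this page.

```python
"""Added illustration (not BMC Defender Server code) of how a thread admits a
message: qualifiers (step 4), then the match expression (step 5); regenerate
(step 7) replays stored history.  Syntax and sample data are assumptions."""
import fnmatch
import shlex
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Syslog severity codes: 0 = emerg (worst) ... 7 = debug (least severe).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

@dataclass
class Message:
    ts: datetime
    device: str      # source address
    severity: str    # key into SEVERITY
    text: str

@dataclass
class Thread:
    title: str
    device: str = "*"                 # fnmatch pattern on the source address
    max_severity: int = 7             # accept this code or lower (i.e. worse)
    since: datetime = datetime.min    # start of the time range; min = unbounded
    match_expr: str = ""              # "" matches every qualified message
    catalog: list = field(default_factory=list)

    def qualifies(self, m: Message) -> bool:
        """Step 4: basic qualifiers; the defaults above match every message."""
        return (fnmatch.fnmatchcase(m.device, self.device)
                and SEVERITY[m.severity] <= self.max_severity
                and m.ts >= self.since)

    def matches(self, m: Message) -> bool:
        """Step 5: assumed syntax: keyword, "quoted phrase" or wildcard (cert*),
        joined by AND / OR, NOT negating the next term, AND binding tighter
        than OR; every term is a case-insensitive substring test."""
        tokens = shlex.split(self.match_expr)
        if not tokens:
            return True
        text = m.text.lower()
        clauses = [[]]
        for tok in tokens:                # split on OR (lowest precedence)
            if tok.upper() == "OR":
                clauses.append([])
            else:
                clauses[-1].append(tok)
        return any(_and_clause(c, text) for c in clauses)

    def offer(self, m: Message) -> bool:  # live path: each new message tested once
        if self.qualifies(m) and self.matches(m):
            self.catalog.append(m)
            return True
        return False

def _and_clause(tokens: list, text: str) -> bool:
    negate = False
    for tok in tokens:
        if tok.upper() == "AND":
            continue
        if tok.upper() == "NOT":
            negate = True
            continue
        hit = fnmatch.fnmatchcase(text, "*" + tok.lower() + "*")
        if hit == negate:                 # term missed, or a NOT term was present
            return False
        negate = False
    return True

def regenerate(thread: Thread, history: list, limit: int) -> int:
    """Step 7: rebuild the catalog from the newest `limit` stored messages."""
    thread.catalog = []
    for m in history[-limit:]:
        thread.offer(m)
    return len(thread.catalog)

# Constructed sample messages (not real log data).
T0 = datetime(2024, 1, 1, 12, 0, 0)
HISTORY = [
    Message(T0, "10.0.0.5", "info", "sshd[412]: Accepted password for alice from 10.0.0.9"),
    Message(T0 + timedelta(minutes=1), "10.0.0.5", "warning", "sshd[412]: Failed password for root from 198.51.100.7"),
    Message(T0 + timedelta(minutes=2), "10.0.0.7", "err", "sshd[901]: Failed password for invalid user admin from 198.51.100.7"),
    Message(T0 + timedelta(minutes=3), "192.168.1.20", "warning", "sshd[77]: Failed password for bob from 10.0.0.9"),
    Message(T0 + timedelta(minutes=4), "10.0.0.7", "notice", "kernel: firewall DROP IN=eth0 SRC=198.51.100.7"),
    Message(T0 + timedelta(minutes=5), "10.0.0.5", "debug", "sshd[412]: Failed password for root from 198.51.100.8"),
]

def demo() -> dict:
    """Two threads regenerated over HISTORY; returns what each catalogued."""
    brute = Thread(title="SSH failures on 10.0.0.0/24, warning or worse",
                   device="10.0.0.*", max_severity=SEVERITY["warning"],
                   match_expr='"failed password" AND NOT invalid')
    wide = Thread(title="SSH failures or firewall drops since 12:02",
                  device="10.0.0.*", since=T0 + timedelta(minutes=2),
                  match_expr='"failed password" OR firewall')
    return {"brute_full": regenerate(brute, HISTORY, limit=1000),   # 1
            "brute_hit": brute.catalog[0].text,
            "wide_full": regenerate(wide, HISTORY, limit=1000),     # 3
            "wide_last2": regenerate(wide, HISTORY, limit=2)}       # 2
```

Two points the model makes visible: a thread whose qualifiers are left at their defaults and whose expression is empty catalogs every message, so narrow at least one of the two stages before pinning it; and `regenerate` only sees the newest `limit` messages, so the second `wide` run with `limit=2` drops the 12:02 SSH failure even though it matches, which is the same effect as the scan limit described above.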

A description of the advanced features of threads (such as the ability to specify a trigger qualifier, and search thread data) is provided in Correlating-messages-into-groups-and-patterns, and in other locations in this section.
