Correlation rules and rule systems
The configuration data associated with a correlation component is commonly referred to as a correlation rule. (This term is used throughout this section.) A correlation rule is one or more configuration items associated with Threads, Alerts, Triggers, and Actions. Various correlation rules combine to form a correlation system. The atomic components of the correlation system can be wired in a variety of ways, including (but not limited to) the following:
- Syslog to thread connection—A thread can be used to count the number of received messages that meet specific criteria. As messages are received, they are compared to match expressions associated with each thread. If a match occurs, the thread counter is incremented.
- Thread to alert connection—A thread can be connected directly to an alert by setting one or more alert thresholds on a thread counter. The alert adds a threshold to a thread counter (or other counter) and when the threshold is violated, a syslog message is generated.
- Alert to thread connection—The output of an alert can be further correlated by a thread, so that a counter is incremented when one or more alerts are triggered. The alert message is simply another syslog message. Therefore, it can be threaded and counted in a fashion identical to any other syslog message.
- Alert to action connection—The output of an alert can be used to trigger the execution of an action program. The action program is triggered by a match expression applied to an incoming message. That message can be a normal syslog message, or the syslog message generated by the Alert component. Since you can define the alert messages and action keywords, this provides a high degree of control.
- Syslog to trigger connection—A trigger can be used to flag the occurrence of syslog messages that meet specific criteria. When a message is received, it is compared against a series of match expressions. If an expression matches, the trigger value is either set (with an expiration time) or cleared. This provides a way of establishing a message context.
- Trigger to thread connection—A trigger can be used to qualify and gate the update of a thread counter. Specifically, in addition to qualifying incoming messages by match expressions, the operator can specify a trigger name and the state it must be in. The counter is only incremented if that trigger was set (or cleared) by a previously received message.
- Trigger to trigger connection—Combinations of trigger states can be used to generate alerts using the Patterns screen. By monitoring the state of various triggers, specific patterns of messages can be easily detected, such as when events A and B and C have recently occurred on the network. When patterns are detected, a syslog message is sent back to the system, where it can be threaded and counted in a fashion identical to any other syslog message.
- Trigger to action connection—A trigger can be used to qualify and gate the execution of an action program, the same as with a thread. The action is only executed if a specified trigger is set (or cleared) by a previously received message.
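The following is an added, self-contained illustration of the connections listed above, not code from the product this page documents: a small in-memory correlation engine in which syslog messages feed triggers (set with an expiry, or cleared), threads (counters, optionally gated on a trigger state), alerts (thresholds on thread counters whose messages re-enter the system as ordinary syslog messages), a pattern over trigger combinations, and a gated action. All class names, rule definitions, trigger names and the sshd-style log lines are constructed for the example; the real product's rule syntax and names will differ.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Callable

# Every rule name, regex and sample log line here is constructed for this example.
@dataclass
class Thread:                # counter incremented by matching messages, optionally gated by a trigger
    pattern: re.Pattern
    gate: tuple[str, bool] | None = None   # (trigger name, state it must be in)
    count: int = 0

@dataclass
class Alert:                 # emits a syslog-style message once a thread counter reaches threshold
    thread: str
    threshold: int
    message: str
    fired: bool = False

@dataclass
class TriggerRule:           # a matching message sets the trigger for set_for seconds, or clears it
    pattern: re.Pattern
    trigger: str
    set_for: float | None    # None means clear

@dataclass
class Pattern:               # trigger-to-trigger: alerts when all named triggers are set at once
    triggers: list[str]
    message: str
    fired: bool = False

@dataclass
class Action:                # runs handler on a matching message, optionally gated by a trigger
    pattern: re.Pattern
    handler: Callable[[str], None]
    gate: tuple[str, bool] | None = None

class CorrelationEngine:
    def __init__(self) -> None:
        self.triggers: dict[str, float] = {}       # trigger name -> time it expires (0.0 = cleared)
        self.trigger_rules: list[TriggerRule] = []
        self.threads: dict[str, Thread] = {}
        self.alerts: list[Alert] = []
        self.patterns: list[Pattern] = []
        self.actions: list[Action] = []
        self.emitted: list[str] = []               # alert/pattern messages fed back into the system

    def trigger_is_set(self, name: str, now: float) -> bool:
        return now < self.triggers.get(name, 0.0)

    def _gate_open(self, gate: tuple[str, bool] | None, now: float) -> bool:
        return gate is None or self.trigger_is_set(gate[0], now) == gate[1]

    def receive(self, msg: str, now: float) -> None:
        """Process one syslog message received at time `now` (seconds)."""
        for rule in self.trigger_rules:            # syslog -> trigger: set with expiry, or clear
            if rule.pattern.search(msg):
                self.triggers[rule.trigger] = now + rule.set_for if rule.set_for is not None else 0.0
        for th in self.threads.values():           # syslog -> thread, gated by trigger state
            if th.pattern.search(msg) and self._gate_open(th.gate, now):
                th.count += 1
        for al in self.alerts:                     # thread -> alert; the alert re-enters as a syslog message
            if not al.fired and self.threads[al.thread].count >= al.threshold:
                al.fired = True
                self.emitted.append(al.message)
                self.receive(al.message, now)
        for pat in self.patterns:                  # trigger -> trigger: a set combination raises an alert
            if not pat.fired and all(self.trigger_is_set(t, now) for t in pat.triggers):
                pat.fired = True
                self.emitted.append(pat.message)
                self.receive(pat.message, now)
        for ac in self.actions:                    # syslog or alert -> action, gated by trigger state
            if ac.pattern.search(msg) and self._gate_open(ac.gate, now):
                ac.handler(msg)

def run_demo() -> dict:
    eng, ran = CorrelationEngine(), []
    eng.trigger_rules += [TriggerRule(re.compile(r"Failed password"), "auth_fail", 60),
                          TriggerRule(re.compile(r"Accepted password"), "login_ok", 60),
                          TriggerRule(re.compile(r"session closed"), "login_ok", None)]
    eng.threads["failed_logins"] = Thread(re.compile(r"Failed password"))
    eng.threads["alerts_seen"] = Thread(re.compile(r"^CORRELATION:"))
    eng.threads["sessions_after_fail"] = Thread(re.compile(r"session opened"), gate=("auth_fail", True))
    eng.alerts.append(Alert("failed_logins", 2, "CORRELATION: failed-login threshold reached"))
    eng.patterns.append(Pattern(["auth_fail", "login_ok"], "CORRELATION: login succeeded after failures"))
    eng.actions.append(Action(re.compile(r"^CORRELATION:"), ran.append, gate=("auth_fail", True)))
    log = [(0, "sshd[101]: Failed password for root from 203.0.113.5 port 5111 ssh2"),   # constructed
           (5, "sshd[101]: Failed password for root from 203.0.113.5 port 5111 ssh2"),
           (20, "sshd[101]: Accepted password for root from 203.0.113.5 port 5111 ssh2"),
           (25, "sshd[101]: pam_unix(sshd:session): session opened for user root"),
           (30, "sshd[101]: pam_unix(sshd:session): session closed for user root"),
           (100, "sshd[202]: pam_unix(sshd:session): session opened for user root")]  # auth_fail expired
    for t, line in log:
        eng.receive(line, t)
    return {"failed_logins": eng.threads["failed_logins"].count,
            "alerts_seen": eng.threads["alerts_seen"].count,
            "sessions_after_fail": eng.threads["sessions_after_fail"].count,
            "emitted": list(eng.emitted), "actions_run": ran,
            "auth_fail_set_at_end": eng.trigger_is_set("auth_fail", 100),
            "login_ok_set_at_end": eng.trigger_is_set("login_ok", 100)}
```

Calling `run_demo()` walks the sample lines through every connection type: the second failed login trips the thread threshold, the resulting alert message is counted by the `alerts_seen` thread and runs the gated action, the later successful login completes the `auth_fail` plus `login_ok` pattern, and the session opened at t=100 is not counted because the `auth_fail` trigger has expired. Each alert and pattern fires once per engine instance; a production rule system would reset counters and re-arm alerts on a window or schedule.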
A more detailed matrix of connections is provided as follows:
Connect From \ To | Threads | Alerts | Triggers | Actions |
---|---|---|---|---|
Threads | | Alerts occur when specific thread count thresholds are exceeded. | | |
Alerts | Alert messages can be further correlated by threads. | | Alerts can set and clear triggers. | Alerts can trigger action programs to be executed. |
Triggers | Triggers can enable or disable thread counters. | Alerts occur when specific trigger count thresholds are exceeded. | Combinations of triggers can send alerts. | Triggers can enable or disable execution of action programs. |
The preceding connections permit sophisticated correlation systems consisting of multiple threads, triggers, and alerts, all of which can qualify the execution of an action program on the system. Additional connections (such as the trigger to alert connection) are also possible and might be employed in certain situations.