Correlation server input and output


BMC Defender Server serves up correlation in much the same way that a print server serves up print jobs or a web server serves up web pages. Although BMC Defender Server has many other useful functions, such as archiving of data, the correlation of data is the main purpose of the program, at least as discussed in this section.

Unlike printouts or web pages, correlation is a somewhat more abstract quantity. It is therefore useful to describe the inputs and outputs of the server in order to explain what serving up correlation actually constitutes.

  • Correlation Inputs—If we disregard the configuration files of the program as an input, the only inputs to BMC Defender Server are time-stamped messages. These messages represent arbitrary communications: error or status messages, informational messages, and also state messages and signals. The input is in the form of syslog data, where each message carries a facility and a severity, and various adapters exist (such as BMC Defender Agent for Windows and the BMC Defender SNMP Trap Monitor adapter interface) that convert messages of other formats into syslog messages.
  • Correlation Function—BMC Defender Server stores and archives these messages, but its main function is to look for certain relationships among them and to take action when those relationships appear. The actions range from running arbitrary programs to cataloging data and opening tickets.
  • Correlation Outputs—BMC Defender Server produces reports and message catalogs as part of its tangible output. A more important and interesting output (at least within the context of this discussion) is an execute command that runs arbitrary and varied programs to take action when items are correlated. BMC Defender Server can open tickets, send syslog messages and SNMP Traps, send e-mail, and take corrective action when system faults occur. This reinforces the server role of BMC Defender Server as a stand-alone component that provides a highly interoperable service to an enterprise.

The output of BMC Defender Server is usually the execution of some action. In addition to the built-in actions of the program (such as opening tickets), user actions are configurable in the Correlation > Actions screen. BMC Defender Server comes with a comprehensive list of action programs as part of its initial baseline, including programs to send an e-mail, send SNMP Traps, update database items, or send other types of notifications.
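The three stages described above (syslog messages in, a relationship detected among them, an action out) can be shown end to end in a small, generic correlation loop. The following is an added example written for this page; it is not BMC Defender Server code and does not use any BMC Defender API. It assumes BSD-style syslog lines (RFC 3164), where the PRI value in angle brackets encodes facility * 8 + severity, a hypothetical threshold rule (N matching messages from one host within W seconds), and a stand-in action (open_ticket) that records what would otherwise be a ticket or an executed program. The sample log lines are constructed for the example.

```python
"""Added illustration of a correlation pipeline: syslog input, rule
evaluation, action output. Generic code, not BMC Defender Server's own."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# RFC 3164 facility and severity names. PRI = facility * 8 + severity,
# so facility = PRI // 8 and severity = PRI % 8.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss hostname message
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(line, year=2024):
    """Parse one BSD-style syslog line into a dict with facility and
    severity names. Returns None for malformed lines or out-of-range PRI."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest legal PRI
        return None
    ts = datetime.strptime(f"{year} {m.group(2)}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8], "host": m.group(3), "msg": m.group(4)}


def open_ticket(rule_name, host, hits):
    """Stand-in for a configured action (ticket, e-mail, SNMP Trap, program).
    It only records what would have been raised. Hypothetical action."""
    return {"rule": rule_name, "host": host, "hits": hits}


class ThresholdRule:
    """Hypothetical rule: fire `action` when `count` messages whose text
    matches `pattern` arrive from the same host within `window_seconds`."""

    def __init__(self, name, pattern, count, window_seconds, action):
        self.name = name
        self.pattern = re.compile(pattern)
        self.count = count
        self.window = timedelta(seconds=window_seconds)
        self.action = action
        self._seen = defaultdict(deque)  # host -> timestamps of recent matches

    def feed(self, event):
        """Return the action result if this event completes a burst, else None."""
        if not self.pattern.search(event["msg"]):
            return None
        q = self._seen[event["host"]]
        q.append(event["timestamp"])
        # Drop matches that have fallen out of the sliding window.
        while q and event["timestamp"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.count:
            hits = len(q)
            q.clear()  # one burst produces one action, not one per message
            return self.action(self.name, event["host"], hits)
        return None


def correlate(lines, rules):
    """Run every parsable line through every rule. Returns (actions taken,
    number of lines that could not be parsed and were therefore ignored)."""
    actions, dropped = [], 0
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            dropped += 1
            continue
        for rule in rules:
            result = rule.feed(event)
            if result is not None:
                actions.append(result)
    return actions, dropped


# Constructed sample input: PRI 38 is auth.info, PRI 30 is daemon.info.
SAMPLE = [
    "<38>Oct 12 10:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 4422 ssh2",
    "<38>Oct 12 10:00:03 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 4423 ssh2",
    "<38>Oct 12 10:00:04 host2 sshd[990]: Failed password for admin from 198.51.100.7 port 5000 ssh2",
    "<38>Oct 12 10:00:05 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 4424 ssh2",
    "<30>Oct 12 10:00:06 host1 sshd[1201]: Accepted publickey for deploy from 192.0.2.8 port 4500 ssh2",
    "<38>Oct 12 10:00:07 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 4425 ssh2",
    "<38>Oct 12 10:00:09 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 4426 ssh2",
    "<38>Oct 12 10:05:00 host2 sshd[990]: Failed password for admin from 198.51.100.7 port 5001 ssh2",
    "not a syslog line at all",
]


def run_demo():
    """Five failed logins from host1 in under a minute fire the rule once;
    host2's two failures are five minutes apart and do not."""
    rule = ThresholdRule("ssh-bruteforce", r"Failed password", 5, 60, open_ticket)
    return correlate(SAMPLE, [rule])


if __name__ == "__main__":
    print(run_demo())
```

Two points carry over to any correlation server, this product included. First, the parser rejects lines it cannot interpret rather than guessing, and the loop counts them; a rule cannot fire on a message it never saw, so silently dropped input is a detection gap worth monitoring. Second, an action that runs arbitrary programs is a privileged capability by definition, so the screen where such actions are configured should be treated as administrative configuration and its changes reviewed like any other change to code that executes on the server.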


BMC Defender SIEM Correlation Server 6.2