Multi-thread correlation processing


Not applicable for SIEM for Motorola and SIEM for NNT.

(SPE2404)

You can configure BMC Defender Server to use multiple threads for correlation processing and handling. To minimize correlation delays and increase the overall system performance, we recommend that you configure the multi-thread correlation processing capability.

The following T-Log #N (CO-tlog_N.exe) processes enable multi-thread correlation processing:

Process name in the UI    Process name in Windows Task Manager
T-Log #1                  CO-tlog_1.exe
T-Log #2                  CO-tlog_2.exe
T-Log #3                  CO-tlog_3.exe
T-Log #4                  CO-tlog_4.exe

The persistently running T-Log #N processes furnish the main parallel processing functions of the software and are designated to process correlation threads only. You can assign a thread that processes messages very actively to one of the T-Log #N processes. These processes take over part of the processing of the system threads and of correlation. To increase system performance, you can assign these processes to different correlation threads as needed. Alternatively, the product's auto-configure wizard uses a proprietary algorithm to divide the workload.

You can use the Thread State / Affinity list on the Correlation > Threads > Edit tab to assign a thread to one of the four T-Log #N processes. This causes that program to take over the processing associated with the threading, alerting, and logging of event messages for that thread. The threads assigned to each T-Log #N process appear on the Correlation > Threads > View Thread Groups > All Thread Groups tab under one of the following thread groups:

  • T-Log #1 Process
  • T-Log #2 Process
  • T-Log #3 Process
  • T-Log #4 Process

By using multi-thread correlation processing, you can perform the following:

  • Assign threads to TLOG processes running on the system individually.
  • Use Correlation > Config > T Log to perform group operations on threads.
  • Use the special T-Log wizard to automatically configure loading, assign thread affinities by match pattern, or assign thread affinities by thread group.
  • View assignments by drilling down into the edit screen of a thread.
  • View thread affinities using the View Groups link at the top of the Correlation > Threads screen.
  • View TLOG affinity assignments using the Audit link or the Statistics link at the bottom of the Correlation > Threads screen.

T-Log #N processes

The T-Log #N (CO-tlog_N.exe) processes handle specific threading and alerting for the system. The processes operate transparently and take over the threading, alerting, and ticketing work generally associated with the CO-catlog.exe process. Each process maintains its own statistics (viewable from the Statistics link at the bottom of the Threads screen).

The TLOG_N processes operate similarly to the CO-catlog.exe program in the standard system, with the exception that they do not support Match Trigger State directives; if you assign a thread with a Match Trigger State specification to a TLOG_N process, the trigger is not checked and a warning is displayed on the Edit screen for that thread.

Assign threads that use the Match Trigger directive to the default normal thread state or affinity. You can only assign threads that do not employ the Match Trigger function to one of the running TLOG_N processes. Select any of the TLOG values to immediately move the thread from the CO-catlog.exe program to the selected TLOG_N process.

Important

The Thread State / Affinity setting is available only on the Edit screen. The option is not available on the AddNew or SaveNew screens. If a thread is added to the system, it is always assigned a Normal affinity. Create the thread, then click Edit to modify the Thread State / Affinity settings to assign the thread to a TLOG_N process and CPU.

Additional notes

  • Once the TLOG processes are activated, counters and alerts that appear on the screen update approximately every ten seconds (rather than the typical five-second update used in the standard configuration). This reduces the inter-process traffic between the extra TLOG_N processes. Generally, this slower update rate is not noticeable.
  • You can only assign threads that do not use the Match Trigger State specification to a TLOG_N process. If you assign a thread with a Match Trigger specification to a TLOG_N process, a warning is displayed on the Edit screen indicating that the Match Trigger value is ignored.
  • An operator can view or modify the Thread State / Affinity setting of any existing correlation thread by drilling down into the edit screen of the thread and adjusting the setting. This moves the thread to the selected process within the next 10 seconds.
  • Any threads that have a Match Trigger State setting other than None must be managed by the normal affinity, by the standard CO-catlog.exe program. If you move a thread with a Match Trigger State other than None, then an error is displayed when the operator views the Edit screen, and the trigger state is ignored by the system until it is moved back to the normal state.
  • The operator can determine which CO-tlog_N.exe process manages each thread by clicking the View Groups link at the top of the Correlation > Threads screen. This shows the thread-to-TLOG assignments (as with other thread groups).
  • The operator can perform batch operations on threads using the Correlation > Config > T Log wizard screen, which allows the operator to automatically distribute threads among the various TLOG processes, or to select threads by match pattern or thread group. This assists with the configuration of the thread-to-TLOG assignments.
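The assignment rules above (four T-Log processes, selection by match pattern or thread group, and Match Trigger State threads staying on the Normal affinity) are modelled in the following added Python example. It is not BMC's code: the product's distribution algorithm is proprietary, so the round-robin below, the Thread record, and the sample thread names are all constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass

TLOG_PROCESSES = ["T-Log #1", "T-Log #2", "T-Log #3", "T-Log #4"]
NORMAL = "Normal"  # the default affinity, handled by CO-catlog.exe


@dataclass
class Thread:
    """Constructed stand-in for a correlation thread's Edit-screen settings."""
    name: str
    group: str
    match_trigger_state: str = "None"  # any other value requires Normal affinity
    affinity: str = NORMAL


def distribute(threads, pattern="*", group=None):
    """Assign selected threads round-robin over the T-Log processes.

    Threads whose Match Trigger State is not "None" are left on Normal and a
    warning is returned, mirroring the Edit-screen warning the product shows.
    Round-robin is an assumption; the wizard's own algorithm is not documented.
    """
    warnings = []
    slot = 0
    for t in threads:
        if not fnmatch.fnmatch(t.name, pattern) or (group and t.group != group):
            continue  # not selected by the match pattern / thread group filter
        if t.match_trigger_state != "None":
            t.affinity = NORMAL
            warnings.append(f"{t.name}: Match Trigger State "
                            f"'{t.match_trigger_state}' requires Normal affinity")
            continue
        t.affinity = TLOG_PROCESSES[slot % len(TLOG_PROCESSES)]
        slot += 1
    return warnings


def thread_groups(threads):
    """Mirror the View Thread Groups display: process name -> thread names."""
    groups = {p: [] for p in [NORMAL] + TLOG_PROCESSES}
    for t in threads:
        groups[t.affinity].append(t.name)
    return groups


def make_sample_threads():
    """Constructed sample threads; one uses a Match Trigger State."""
    return [Thread("Failed Logins", "Auth"), Thread("Successful Logins", "Auth"),
            Thread("Firewall Denies", "Network"), Thread("Firewall Allows", "Network"),
            Thread("Brute Force Escalation", "Auth", match_trigger_state="Set"),
            Thread("DNS Queries", "Network")]
```

Running `distribute(make_sample_threads())` spreads the five eligible threads over the four T-Log processes and reports the one thread that must stay on CO-catlog.exe.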

Where to go from here

You can use multi-thread correlation processing to perform the following operations:


BMC Defender SIEM Correlation Server 6.2