New Post has been published on Event Enrichment.Org - http://www.eventenrichment.org/fundamentals-event-enrichment-event-format/
Fundamentals of Event Enrichment: The Event Format
Flavors of Event Enrichment
Event Enrichment can be implemented in a variety of ways. The most basic method is to add extra text fields to existing events, carrying the escalation and remediation information that NOC operations depend on.
Complex Enrichments
A more advanced form of Event Enrichment introduces a new requirement: a common event format (CEF; the term here is this site's own and is not the ArcSight log format that shares the acronym). A common format is what makes complex policies that span hosts and services possible. Without one, normalizing the data from multiple systems is a difficult undertaking.
For example, assume that you receive an event from a load balancer stating that a web server has dropped out of rotation. Shortly thereafter, you receive a host message stating that the same web server is consuming all of the available CPU.
Correlating these two events allows you to attach an enrichment telling the NOC / On-Call Engineer to check the stack's response time and determine the severity of the web server failure.
In more advanced environments, an enrichment policy could first conduct a query of the stack’s response time, and then update the event accordingly. Once the event was enriched, it would be sent along to the NOC.
Event Enrichment Common Event Format (EECEF)
Here at Event Enrichment.org, we elected to build on the great work IBM did with their Common Base Event. The following is our event format:
Name | JSON attr | Description | Type | Example | Rules
Version | version | Identifies the event version | String | 1.0 or 2.1 | Optional; MaxLength=16
Local Instance Id | local_instance_id | Unique ID of the event in the native system of origination | String | 999 or a3b9c356 | Required; MaxLength=128
Creation Time | creation_time | Date and time when the event was created / recognized by the native system of origination | DateTime | 2013-07-31T13:03:00-08:00 or 2013-07-31T21:03:00Z | Required; ISO 8601 format
Last Time | last_time | Date and time when the event was last recognized by the native system of origination | DateTime | 2013-07-31T13:03:00-08:00 or 2013-07-31T21:03:00Z | Optional; ISO 8601 format (see comments below)
Severity | severity | The severity of the event | Enum: info, warning, error, critical | info or error | Optional
Priority | priority | The priority of the event | Enum: none, low, medium, high | none or high | Optional
Message | msg | The text message of the event | String | The eth1 interface is down | Optional; MaxLength=1024
Message Id | msg_id | Error code or other ID that uniquely identifies a msg type/class | String | 9009 | Optional; MaxLength=256
Event Class | event_class | The class/type of the event | String | Cisco Switch or unknown | Required; MaxLength=128
Source Location | source_location | The FQDN or IP of the source machine | String | hostA.x.com or 199.181.164.1 | Required; MaxLength=256
Source Component | source_component | Component of the source machine that is responsible for the event | String | Apache or eth1 | Required; MaxLength=256
Reporter Location | reporter_location | The FQDN or IP of the reporting machine | String | hostB.x.com or 199.181.164.2 | Optional (depends on Reporter Component); MaxLength=256
Reporter Component | reporter_component | Component of the reporting machine that is responsible for the event | String | Zenoss or Nagios | Optional (depends on Reporter Location); MaxLength=256
Repeat Count | repeat_count | Number of times the event was repeated | Integer | null or 0 or 999 | Optional
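The following validator and correlation rule is added here as an example; it is not code from EventEnrichment.org. It applies the table's rules to incoming events (Required flags, MaxLength limits, the two enums, the "both or neither" dependency between the reporter fields, rejection of unknown attributes) and then implements the load-balancer / CPU scenario described above. Both ISO 8601 forms shown in the table are accepted and rewritten to UTC; note that the two example timestamps denote the same instant, one at -08:00 and one in Z, which is only unambiguous because each carries an offset, so timestamps without one are refused rather than guessed. The event_class and msg_id values used to recognise the two event types, and the sample events, are constructed for this example.

```python
# Added example (not EventEnrichment.org code): validate, normalize to UTC and correlate EECEF events.
from datetime import datetime, timedelta, timezone

# From the EECEF table: attr -> (required, kind, limit); "str" limit = MaxLength, "enum" = allowed values.
SCHEMA = {
    "version": (False, "str", 16),
    "local_instance_id": (True, "str", 128),
    "creation_time": (True, "dt", None),
    "last_time": (False, "dt", None),
    "severity": (False, "enum", {"info", "warning", "error", "critical"}),
    "priority": (False, "enum", {"none", "low", "medium", "high"}),
    "msg": (False, "str", 1024),
    "msg_id": (False, "str", 256),
    "event_class": (True, "str", 128),
    "source_location": (True, "str", 256),
    "source_component": (True, "str", 256),
    "reporter_location": (False, "str", 256),
    "reporter_component": (False, "str", 256),
    "repeat_count": (False, "int", None),
}

def parse_time(value):
    """Parse ISO 8601 text into an aware UTC datetime; reject timestamps that carry no offset."""
    if not isinstance(value, str):
        raise ValueError("timestamp must be a string")
    text = value[:-1] + "+00:00" if value.endswith("Z") else value  # fromisoformat lacks 'Z' before 3.11
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError("timestamp %r has no UTC offset" % value)
    return dt.astimezone(timezone.utc)

def validate(event):
    """Return the list of rule violations; an empty list means the event conforms to the table."""
    errors = ["unknown attribute %r" % k for k in event if k not in SCHEMA]
    for key, (required, kind, limit) in SCHEMA.items():
        if key not in event:
            if required:
                errors.append("%s is required" % key)
            continue
        val = event[key]
        if kind == "str" and not isinstance(val, str):
            errors.append("%s must be a string" % key)
        elif kind == "str" and len(val) > limit:
            errors.append("%s exceeds MaxLength=%d" % (key, limit))
        elif kind == "enum" and not (isinstance(val, str) and val in limit):
            errors.append("%s must be one of %s" % (key, sorted(limit)))
        elif kind == "int" and val is not None and not (
                isinstance(val, int) and not isinstance(val, bool) and val >= 0):
            errors.append("%s must be null or a non-negative integer" % key)
        elif kind == "dt":
            try:
                parse_time(val)
            except ValueError as exc:
                errors.append("%s: %s" % (key, exc))
    if ("reporter_location" in event) != ("reporter_component" in event):  # table: both or neither
        errors.append("reporter_location and reporter_component must be given together")
    return errors

def normalize(event):
    """Validate, then return a copy whose timestamps are rewritten as UTC 'Z' strings."""
    errors = validate(event)
    if errors:
        raise ValueError("; ".join(errors))
    return {k: parse_time(v).strftime("%Y-%m-%dT%H:%M:%SZ") if SCHEMA[k][1] == "dt" else v
            for k, v in event.items()}

# Rule for the article's scenario; these event_class/msg_id pairs are constructed for the example.
LB_DOWN = ("Load Balancer", "POOL_MEMBER_DOWN")
HOST_CPU = ("Linux Host", "CPU_HIGH")
ENRICHMENT = "Enrichment: server is out of LB rotation and CPU-saturated; check the stack's response time to judge severity."

def correlate(events, window_seconds=300):
    """Pair each host CPU event with an earlier LB pool-member-down event for the same
    source_location within window_seconds; return enriched copies of the matching host events."""
    norm = [normalize(e) for e in events]
    lb_events = [e for e in norm if (e["event_class"], e.get("msg_id")) == LB_DOWN]
    enriched = []
    for host in norm:
        if (host["event_class"], host.get("msg_id")) != HOST_CPU:
            continue
        t_host = parse_time(host["creation_time"])
        for lb in lb_events:
            gap = t_host - parse_time(lb["creation_time"])
            if lb["source_location"] == host["source_location"] and timedelta(0) <= gap <= timedelta(seconds=window_seconds):
                out = dict(host, priority="high")
                out["msg"] = (host.get("msg", "") + " | " + ENRICHMENT)[:1024]  # stay within MaxLength
                enriched.append(out)
                break
    return enriched

# Constructed sample input: the article's two events, one stamped -08:00 and one in Z, 90 s apart.
SAMPLE_EVENTS = [
    {"local_instance_id": "lb-4711", "creation_time": "2013-07-31T13:03:00-08:00", "severity": "warning",
     "msg": "member hostA.x.com:80 removed from pool www", "msg_id": "POOL_MEMBER_DOWN",
     "event_class": "Load Balancer", "source_location": "hostA.x.com", "source_component": "Apache",
     "reporter_location": "lb1.x.com", "reporter_component": "haproxy"},
    {"local_instance_id": "a3b9c356", "creation_time": "2013-07-31T21:04:30Z", "severity": "error",
     "msg": "CPU utilisation 99% for 60s", "msg_id": "CPU_HIGH", "event_class": "Linux Host",
     "source_location": "hostA.x.com", "source_component": "cpu", "reporter_location": "hostB.x.com",
     "reporter_component": "Nagios", "repeat_count": 3},
]

if __name__ == "__main__":
    for e in correlate(SAMPLE_EVENTS):
        print(e["creation_time"], e["source_location"], e["priority"], e["msg"])
```

The strict checks matter beyond tidiness. Every field arrives from whichever system emitted the event, and msg in particular is free text, so the validator caps it at the table's 1024 characters and the enrichment is appended within that limit rather than on top of it; anything that renders or forwards msg downstream (a NOC dashboard, a ticketing API) should still treat it as untrusted input. Refusing naive timestamps is what lets the window comparison be trusted when one source reports in local time and another in UTC.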
The advantages of a common event format are substantial. Once events from various sources are normalized into one common format, correlating them, and building policies that draw on events from multiple sources, becomes considerably easier. The more systems whose events are normalized, the better the visibility into the status of your IT infrastructure, and the lower the Mean Time To Repair (MTTR).
How are you handling Event Enrichment today?