ECA SQL: A Practical Event Correlation Approach Guangtian Liu, Michael Russina SBC Technology Resour

1
ECA SQL A Practical Event Correlation
ApproachGuangtian Liu, Michael RussinaSBC
Technology Resource, Inc.Communication
Technology Proceedings, 2000. WCC - ICCT 2000.
International Conference

• 2007.02.07
• Son Byung Kook

2
Introduction

• Background
• Design Principle
• ECA Model
• PECL
• PECS

3
Background

• Management System
• Rely on various management agent
• Event Storm
• The large volume of data
• Very hard to quickly figure out root caused of
  these event
• Event Correlation
• One of the central techniques in managing
• Can be used in many other mission-critical
  application
• Air traffic control, patient-care monitoring

4
Background

• Model-based, FSM-based, composite-event-based
• Ignore or fail to address some practical issues

Need to new language and system
5
Design Principle

• Simple input interface
• Add certain correlation rules
• Easy data integration
• Use other type of information
• Network topology, directory information
• Multiple execution modes
• Need to choose different execution mode
• Real-time response
• Some rules be executed periodically

6
ECA Model

• Operation flow
• Certain rule happen
• Check the condition
• Pre-defined correlation rules are triggered
• ECA Rule
• WHEN E
• IF C
• DO A

Reactive behavior can be best described with ECA
Rule!
7
PECL

• Practical Event Correlation Language
• Consider event-triggering mechanism
• Use ECA model
• SQL
• Most information are collected and stored in
  relational database
• Many management system use those information
• Use in CONDITION part of correlation rules
• Defined in SQL syntax
• To involve different management data

8
PECL

• BNF Definition

9
PECL

• Example
• Event Suppression Rule

Description Suppress the events of same
type occurred within a 1-minute interval into one
event.   PECL Rule Specification rule-start
rule-name event-suppression type
event-driven condition sql-start
select yes from events where
EvtKey!EvtKey and EvtTypeEvtType
and Occurrence (1/1440) gt to_date(--date(Occu
rrence), YYYY-MM-DD HH24M1SSJ))O
sql-end action exec-sql delete
from events where EvtKeyEvtKey rule-end
10
PECS

• Practical Event Correlation System
• prototype

11
PECS

• Operation
• Rule Parsing and compilation
• Rule Parser and Compiler
• PECL rule is parsed and then complied
• Event Correlation
• Event receivers and Execution Engine
• Receive from event sources
• Translate it into the format for correlation
  engine
• Insert the event in to the event database

12
PECS

• Operation
• Event Presentation
• Two windows
• Display messages that received the event sources
• Display events that generated as the results of
  correlation
• Pop-up window
• For a new alert event

13
Performance Issues

• Bottleneck
• When SQL engine used
• The number of SQL queries triggered within a
  short time
• Complexity for SQL queries
• Multiple join operation
• The size of event database
• How to improve
• Use filtering conditions to filter out
  unnecessary events
• To avoid trigger the SQL queries
• Fine tune databases to improve the SQL query
  performance
• Avoid use expensive operation
• Join in the SQL queries

14
Conclusion

• Present a practical event correlation approach
• Define correlation rules
• Use ECA model SQL language for defining
• Use the SQL in condition part of ECA model
• Can use various data source
• Database, network topology, directory information