Title: ECA SQL: A Practical Event Correlation Approach Guangtian Liu, Michael Russina SBC Technology Resour
1. ECA SQL: A Practical Event Correlation Approach
Guangtian Liu, Michael Russina
SBC Technology Resource, Inc.
Communication Technology Proceedings, 2000. WCC - ICCT 2000. International Conference
- 2007.02.07
- Son Byung Kook
2. Introduction
- Background
- Design Principle
- ECA Model
- PECL
- PECS
3. Background
- Management System
  - Rely on various management agents
- Event Storm
  - The large volume of data
  - Very hard to quickly figure out the root cause of these events
- Event Correlation
  - One of the central techniques in managing
  - Can be used in many other mission-critical applications
    - Air traffic control, patient-care monitoring
4. Background
- Model-based, FSM-based, composite-event-based
  - Ignore or fail to address some practical issues
Need a new language and system
5. Design Principle
- Simple input interface
  - Add certain correlation rules
- Easy data integration
  - Use other types of information
    - Network topology, directory information
- Multiple execution modes
  - Need to choose different execution modes
    - Real-time response
    - Some rules are executed periodically
6. ECA Model
- Operation flow
  - Certain rule happen
  - Check the condition
  - Pre-defined correlation rules are triggered
- ECA Rule
  - WHEN E
  - IF C
  - DO A
Reactive behavior can be best described with ECA Rule!
7. PECL
- Practical Event Correlation Language
  - Consider event-triggering mechanism
  - Use ECA model
- SQL
  - Most information is collected and stored in relational databases
  - Many management systems use that information
  - Used in CONDITION part of correlation rules
    - Defined in SQL syntax
    - To involve different management data
8. PECL
9. PECL
- Example
- Event Suppression Rule
Description: Suppress events of the same type that occurred within a 1-minute interval into one event.
PECL Rule Specification:
    rule-start
    rule-name event-suppression
    type event-driven
    condition
    sql-start
    select yes from events where
    EvtKey!EvtKey and EvtTypeEvtType
    and Occurrence (1/1440) > to_date(--date(Occurrence), YYYY-MM-DD HH24M1SSJ))O
    sql-end
    action
    exec-sql delete from events where EvtKeyEvtKey
    rule-end
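The event-suppression rule above, worked as an added example (not the paper's PECL or PECS code): an ECA rule held as data, with a SQL condition and a SQL action run on each incoming event. The SQLite schema, the `:name` parameter binding and the integer-seconds `Occurrence` column are assumptions made for this illustration.

```python
import sqlite3

# ECA rule held as data. The :name placeholders are bound from the triggering
# event (an assumed convention, not PECL syntax); binding rather than string
# substitution keeps agent-supplied event fields out of the SQL text.
SUPPRESSION_RULE = {
    "name": "event-suppression",
    "condition": """SELECT 'yes' FROM events
                    WHERE EvtKey != :EvtKey AND EvtType = :EvtType
                      AND Occurrence > :Occurrence - 60 LIMIT 1""",
    "action": "DELETE FROM events WHERE EvtKey = :EvtKey",
}

def open_event_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (EvtKey INTEGER PRIMARY KEY, "
               "EvtType TEXT NOT NULL, Occurrence INTEGER NOT NULL)")
    # An index on the condition's columns limits the cost of per-event queries.
    db.execute("CREATE INDEX events_type_time ON events (EvtType, Occurrence)")
    return db

def receive_event(db, rules, event):
    """WHEN an event arrives: store it, then for each rule IF C, DO A."""
    db.execute("INSERT INTO events VALUES (:EvtKey, :EvtType, :Occurrence)", event)
    fired = []
    for rule in rules:
        if db.execute(rule["condition"], event).fetchone():  # IF C
            db.execute(rule["action"], event)                 # DO A
            fired.append(rule["name"])
    db.commit()
    return fired

def run_demo():
    # Constructed sample events; Occurrence is seconds from an arbitrary start.
    sample = [
        {"EvtKey": 1, "EvtType": "LINK_DOWN", "Occurrence": 0},
        {"EvtKey": 2, "EvtType": "LINK_DOWN", "Occurrence": 20},  # repeat of 1
        {"EvtKey": 3, "EvtType": "AUTH_FAIL", "Occurrence": 25},  # other type
        {"EvtKey": 4, "EvtType": "LINK_DOWN", "Occurrence": 59},  # repeat of 1
        {"EvtKey": 5, "EvtType": "LINK_DOWN", "Occurrence": 61},  # past window
    ]
    db = open_event_db()
    suppressed = [e["EvtKey"] for e in sample
                  if receive_event(db, [SUPPRESSION_RULE], e)]
    kept = [row[0] for row in db.execute("SELECT EvtKey FROM events ORDER BY EvtKey")]
    return kept, suppressed

if __name__ == "__main__":
    print(run_demo())
```

Because suppressed events are deleted, the 1-minute window is measured from the last event that was kept, so event 5 survives even though event 4 arrived two seconds earlier.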
10. PECS
- Practical Event Correlation System
- prototype
11. PECS
- Operation
  - Rule Parsing and compilation
    - Rule Parser and Compiler
    - PECL rule is parsed and then compiled
  - Event Correlation
    - Event receivers and Execution Engine
    - Receive from event sources
    - Translate it into the format for correlation engine
    - Insert the event into the event database
12. PECS
- Operation
  - Event Presentation
    - Two windows
      - Display messages received from the event sources
      - Display events generated as the results of correlation
    - Pop-up window
      - For a new alert event
13. Performance Issues
- Bottleneck
  - When SQL engine used
    - The number of SQL queries triggered within a short time
    - Complexity of SQL queries
      - Multiple join operations
    - The size of event database
- How to improve
  - Use filtering conditions to filter out unnecessary events
    - To avoid triggering the SQL queries
  - Fine-tune databases to improve the SQL query performance
  - Avoid using expensive operations
    - Join in the SQL queries
14. Conclusion
- Present a practical event correlation approach
- Define correlation rules
  - Use ECA model and SQL language for defining
  - Use the SQL in condition part of ECA model
- Can use various data sources
  - Database, network topology, directory information