Generic event correlation

Generic event correlation allows you to create event containers that correspond to incidents in networks and systems so you can determine the priority of the problems to be worked. The feature creates a one-to-one relationship between incidents and event containers so that first line operators can create trouble tickets from the head container events without duplication.

Generic event correlation consists of the following stages:

  1. Pre-classification: This consists of assigning to each alarm a generic alarm type and defining its scope. It is achieved by adding the rules files supplied with the Probe Extension Package to the probe's rules file.
  2. Containerization: This consists of assigning alarms to containers headed by a synthetic alarm. The containers retain the alarm's diagnostic information and enable easy access to the events grouped within the container. It is achieved by Netcool/OMNIbus automations.
  3. Probable cause and impact analysis: This consists of setting the probable cause and impact of each alarm. For each alarm, the probable cause is determined by considering the highest weighted cause and impact from all the alarm's children events. It is achieved by Netcool/OMNIbus automations.
  4. Presentation: This consists of displaying the event correlation information for a given alarm using the Web GUI Event Tables relationships feature.

Generic event correlation is currently available for the following systems:

  • Alcatel-Lucent 5620 SAM v13
  • Nokia-Siemens NMS2000
  • Nokia-Siemens NetAct

Requirements

The generic event correlation feature has the following requirements:
  • Correlation trigger. This is supplied by the following SQL files released with Netcool/OMNIbus V8.1 FP2:
    • $OMNIHOME/extensions/eventgrouping/ootb_event_grouping.sql
    • $OMNIHOME/extensions/eventgrouping/ootb_event_grouping_remove.sql

    The SQL files create the tables, additional columns in the alerts.status table, and automation triggers required to perform this functionality.

  • Generic Event Correlation rules files. These form a part of the Probe Extension Package.
  • Web GUI V8.1 for the creation of a Web GUI relationship whereby the Parent column is linked to the Identifier Key column.

Configuring the generic event correlation feature

To configure a probe to use the generic event correlation feature, follow these steps:

  1. Ensure you have followed the instructions in Extracting the Probe Extension Package and configuring a probe to use the additional rules.
  2. Install the ootb_event_grouping trigger if it is not already installed on your Netcool/OMNIbus deployment.
    Note: The SQL file is provided with Netcool/OMNIbus V8.1 FP2.
  3. Edit the probe's rules file to include at the end of it the new generic correlation rules file written for that probe. See the table in Extended rules for generic event correlation for a list of the generic correlation rules files that are available.
    Note: You can use Probe Rules Syntax Checker (nco_p_syntax) to verify the rules file syntax.
  4. In Web GUI, create a new relationship for generic event correlation using the following steps:
    1. On the Relationships tab, click the New relationship icon.
    2. Specify GenericParentChild as the Display Name for the new relationship.
    3. Select OMNIBUS in the Data Source field.
    4. Select ParentIdentifier in the Column field.
    5. Select Identifier in the Key Column field.
    6. Click Create Relationship.
  5. Copy the default view setting to create a new one so that you do not alter the default setting of the system using the following steps:
    1. Select Views from the Administration tab.
    2. Select Global Views.
    3. Select Default.
    4. Click the Copy View icon.
    5. Select the users who should have access to this view (for example, Admin user).
    6. Click OK.
  6. Assign this relationship to your new view using the following steps:
    1. Select the Relationships tab.
    2. Select GenericParentChild in the Relationship field.
    3. Click Save and Close
  7. Restart the probe or use the probe reload rules file utility if it has been enabled.
Now when you access the Event Viewer, it will display the following event details:
  • The correlation between each site parent and child grouped together under the SiteNameParent synthetic event.
  • The SiteNameParent synthetic events are further grouped under the ScopeIDParent synthetic events.
  • The Severity of each parent event is set to the highest severity of any of its child events.
  • The ScopeIdParent event (parent of all site parent events) Summary displays the number of sites affected.