Event enrichment
Event enrichment is the process by which Netcool®/Impact monitors an event source for new events, looks up information related to them in an external data source and then adds the information to them.
Event enrichment is one of the most common and valuable things that users achieve with Netcool/Impact.
To understand the value of event enrichment, you must first understand how Netcool probes work and some of their intrinsic limitations.
Netcool probes are runnable software components that you install on the devices that they monitor. Of probes and monitors, probes are the most common means for generating alerts in the Netcool event stream. Each probe has a rules file that specifies how the alert data is formatted and sent to the ObjectServer when certain activities or status levels on the device occur.
One characteristic of the probe rules file is that it is (essentially) static. This means that, once you install and configure the probe, the contents of the rules file rarely change. Not only is change rare, but changing the rules file on the fly to adjust to the constantly changing parameters of a network environment would be impossible. As a result, it is difficult to include dynamic information about the network in the contents of alerts generated by probes.
Another characteristic of the probe rules file is that, generally, it is best to use an identical copy of the file on every instance of a device that you have in your inventory. For example, if you have dozens of routers in your network, it is most likely that you want to use the same rules file for each device. This ensures that every probe reports activity or status information to the ObjectServer in the same way and eliminates any complications that might occur if each probe is configured differently. Because of this, however, the probes are not able to send alerts to the ObjectServer that contain information specific to the individual device, beyond a few basic parameters like the host name and IP address.
In addition to these limitations, the scope of alert data provided by a probe is generally restricted to information that directly describes the alert condition. The probe cannot provide additional information about how the condition affects the network as a whole, or perform any sort of analysis or correlation regarding the alert.
Although these limitations are primarily associated with probes, they exist to some degree with other Netcool components that generate alert data.
Event enrichment allows you to bypass these and other limitations by combining the event and data access features of Netcool/Impact. In an event enrichment scenario, Netcool/Impact "catches" new and updated alerts as they are sent to the ObjectServer, and then goes to one or more external data sources to correlate information in the alerts with business data. The Netcool/Impact policy language provides the means to intelligently determine which data in your environment is related to the alert and then to add that information to the alert on the fly.
The process of event enrichment can be configured to run completely in the background, so that the intervention of Netcool/Impact in the event flow is not noticeable to a network operator.
One simple example of event enrichment is an environment where you are managing a network of servers, each of which is used by a different department in the business. In this environment, you use the ping probe to monitor the uptime of the server systems. If a ping does not reach the target system, the probe sends an alert to the ObjectServer that says that the server is not reachable.
In an environment without Netcool/Impact, network operators would have to manually look up the business department associated with the server to deduce the priority of any incoming alert. They might also have to use a separate calendar or scheduling program to find the on-call administrator responsible for maintaining the system. With Netcool/Impact, you can "catch" each alert as it comes into the ObjectServer, look up the affected business department, and automatically adjust the severity of the alert accordingly.
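The ping probe scenario above, modelled in Python as an added example; it is not Netcool/Impact policy code and not part of the original documentation. The lookup table, its field names, the criticality-to-severity mapping, and the Department, OnCall and Enriched alert fields are assumptions, and the sample alerts are constructed.

```python
# Constructed stand-in for the external business data source (assumption:
# keyed by lower-case host name, with a criticality rating and a contact).
CMDB = {
    "web01.example.com": {"department": "E-Commerce", "criticality": "high", "on_call": "alice"},
    "hr-db.example.com": {"department": "Human Resources", "criticality": "low", "on_call": "bob"},
}

# Assumed mapping from business criticality to a 0-5 severity scale.
SEVERITY_BY_CRITICALITY = {"high": 5, "medium": 4, "low": 3}
CLEAR = 0  # severity 0 marks a cleared (resolved) event


def enrich(alert, cmdb=CMDB):
    """Return a copy of the alert with business context added.

    The probe supplies only host-level fields; the rest comes from the
    lookup. An alert for an unknown host keeps its severity and is marked
    Enriched=False so the gap in the data source is visible.
    """
    enriched = dict(alert)
    record = cmdb.get(alert.get("Node", "").strip().lower())
    if record is None:
        enriched["Enriched"] = False
        return enriched
    enriched["Enriched"] = True
    enriched["Department"] = record["department"]
    enriched["OnCall"] = record["on_call"]
    # Adjust severity from business impact, but never re-raise a cleared event.
    if alert["Severity"] != CLEAR:
        enriched["Severity"] = SEVERITY_BY_CRITICALITY.get(
            record["criticality"], alert["Severity"])
    return enriched


# Constructed sample alerts, shaped like what a static rules file can send.
ALERTS = [
    {"Node": "WEB01.example.com", "Summary": "ping failed", "Severity": 3},
    {"Node": "hr-db.example.com", "Summary": "ping failed", "Severity": 4},
    {"Node": "unknown.example.com", "Summary": "ping failed", "Severity": 3},
    {"Node": "web01.example.com", "Summary": "ping ok", "Severity": 0},
]

if __name__ == "__main__":
    for a in ALERTS:
        print(enrich(a))
```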
In environments with a higher level of complexity and many network devices, systems, and applications, the need for event enrichment becomes more critical. This automated process can then be used to supplement Netcool alerts with a wide variety of topological, technical, contact, and other information.