Saturday, March 8, 2008

SCE Event Storm Rules

At this year's Tivoli Technical User's Group Conference in Chicago, Jerry Saulman held an interesting session where the attendees split into groups and solved a complex problem.

Yuri (I hope you forgive me, but I cannot remember your last name) provided some sample rules that he had written to handle event storms. Basically, if 10 events from the same host are received in a 30 second window, they are dropped after a new event indicating a storm is generated. To me this is not really a storm, but more like a surge. This is an interesting problem with a solution that is not readily apparent. The groups presented several possible solutions, and I will admit the solution my group came up with was less than optimal ;-) After a little thought I came up with a working SCE implementation; too bad it was not in the class. ;-)

A close approximation to the Prolog rules can be achieved with two SCE rules.

<!-- Rule 1: one clone per hostname; fires on the 10th event from that host within 30 000 ms
     and generates the summary event (the trailing space in msg leaves room for the host name). -->
<rule id="surge.threshold" type="normal" directAccess="true">
  <threshold timeInterval="30000" thresholdCount="10">
    <cloneable attributeSet="hostname" />
    <action function="TECSummary" singleInstance="false">
      <parameters> <![CDATA[SET:msg=EVENT SURGE FROM HOST ]]> </parameters>
    </action>
  </threshold>
</rule>

<!-- Rule 2: one clone per hostname; matches when the current event and the nine before it
     (@-1 .. @-9) all carry the same hostname, and resets its 30 000 ms interval on every match. -->
<rule id="surge.reset" type="normal" directAccess="true">
  <resetOnMatch timeInterval="30000" triggerMode="allEvents" randomOrder="false">
    <cloneable attributeSet="hostname" />
    <predicate>true</predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-1 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-2 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-3 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-4 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-5 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-6 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-7 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-8 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-9 ]]> </predicate>
  </resetOnMatch>
</rule>
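To make the surge logic concrete outside SCE, here is an added Python model of what the two rules do together; it is my own illustration, not code from the post or from Tivoli. It assumes per-host event dictionaries with a "hostname" key, that the tenth event within the window is consumed by the summary it triggers, and that a surged host stays suppressed until 30 s pass without an event from it (my reading of resetOnMatch, not something the post states); the hostnames and timestamps are constructed.

```python
from collections import deque

THRESHOLD = 10   # events from one host ...
WINDOW = 30.0    # ... within this many seconds count as a surge


class SurgeDetector:
    """Per-host sliding-window surge detection modelled on the two SCE rules."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.recent = {}       # hostname -> deque of recent event timestamps
        self.suppressed = {}   # hostname -> time the suppression timer last restarted

    def process(self, event, now):
        """Return ("forward"|"summary"|"drop", event_or_summary) for one event."""
        host = event["hostname"]
        if host in self.suppressed:
            if now - self.suppressed[host] < self.window:
                # Surge already declared: drop the event and restart the timer
                # (assumed reset-on-match semantics).
                self.suppressed[host] = now
                return ("drop", event)
            del self.suppressed[host]   # host went quiet: back to normal forwarding
        stamps = self.recent.setdefault(host, deque())
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()            # expire timestamps outside the window
        if len(stamps) >= self.threshold:
            # Threshold reached: emit one summary event (like the TECSummary action)
            # and start suppressing further events from this host.
            stamps.clear()
            self.suppressed[host] = now
            return ("summary", {"hostname": host, "count": self.threshold,
                                "msg": "EVENT SURGE FROM HOST " + host})
        return ("forward", event)


def run_sample():
    """Constructed feed: 12 events from web01 one second apart, one db01 event
    at t=5, then web01 again at t=60. Returns the action label per event."""
    det = SurgeDetector()
    feed = [("web01", float(t)) for t in range(12)]
    feed.insert(5, ("db01", 5.0))
    feed.append(("web01", 60.0))
    return [det.process({"hostname": h, "msg": "ping"}, t)[0] for h, t in feed]
```

In the sample the first nine web01 events and the db01 event pass through, the tenth web01 event becomes the summary, the next two are dropped, and the event after 49 s of silence is forwarded again.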
