Getting a Quick Start with NerveCenter - Where To Go from Here - Expanding on What You've Learned - Event Correlation -
Expanding on What You've Learned      Alarm Actions

Event Correlation

To create or customize behavior models, you need to understand event correlation. Event correlation can help you filter the amount of data generated by your network, allowing you to concentrate on important or critical events.

NerveCenter often detects many conditions before it finds a particular set of conditions that you have defined. By defining certain events and configuring how they are correlated, you can reduce network data and be informed only of those conditions that are paramount to you.

One simple method of correlating detected conditions is to search for the persistence of a problem. For example, you might want to know if an SNMP agent reports a solid link-down condition, as opposed to one that results from momentary network flutter. A finite state alarm might track this by firing a delayed-action trigger if the link-down condition that's detected remains for a certain period of time, for example three minutes. This delayed-action trigger then notifies you that the link is down. If a link-up message is received within that time, the alarm resets itself, and the trigger is not fired.

Another common type of event correlation is the identification of a set of conditions. For example, you may want to be notified when either a low-speed or a high-speed interface goes down. NerveCenter polls the SNMP agents on both types of routers and fires a trigger when either of the two sets of conditions is detected.

NerveCenter also enables you to correlate conditions by looking for sequences of conditions. For example, the downstream alarm suppression behavior model uses parent-child data to detect the following conditions:

• The node and its SNMP agents are up.
• The node is up, but its agent is down.
• The node is unreachable.
• The node is down.

For a tutorial on creating behavior models, refer to the book Learning How to Create Behavior Models. In addition, the Open NerveCenter: Downstream Alarm Suppression white paper contains information about the downstream alarm suppression behavior model.