From: Rick C. <ca...@co...> - 2001-03-30 20:12:30
I wanted to second Fred's petition for looking more seriously at sec.pl, a "simple" event correlation tool in perl. I've looked a little more closely at it, and believe it deserves consideration. The author developed it with platform independence in mind. I am currently investigating it more closely for possible use in the event correlation engine. (BTW: anyone is open to suggestions here. I am cross-posting this to the events list in hopes of moving the correlation discussion there.)

I thought the list would be interested in the author's answers to some questions I asked him:

>From ris...@ey... Fri Mar 30 10:02:30 2001
Date: Fri, 30 Mar 2001 12:35:09 +0200
From: Risto Vaarandi <ris...@ey...>
To: Rick Casey <ca...@co...>
Cc: ri...@ne...
Subject: Re: sec.pl

Rick Casey wrote:
>
> Mr. Vaarandi, hello,
>
> I am writing you about Sec - simple event correlator. The webpage for
> it was recently posted to the mailing list at opennms.org, an open
> source project for network management.
>
> I have not yet tried to run it, but I am curious about the situation
> that led to its development. It certainly looks like a lot of work. Can
> I ask what caused you to develop it, and if you use it now?

I am working in Union Bank of Estonia as network management engineer, and my job is to develop and maintain bank's network management system. In 1999 I started looking for a freeware event correlation tool, and to my surprise failed to find anything. All software packages that were available were commercial, and they all had following disadvantages:

* high price,
* most of them were dependent on particular network management platform (i.e. you also have to purchase certain network management platform to use them)
* most of them are also dependent on operating system platform

Good example of such tool is HP ECS. It would have been natural choice since the bank uses HP OpenView, but ECS is quite expensive. It is also platform dependent - last time I contacted HP support center they told me that ECS currently works only on HPUX, Solaris and WinNT.

You are right that developing it was a lot of work, but since I used perl, development process was much faster than with C, for instance. Using perl also means that the program you write will run on almost every modern UNIX variant.

Why I did this? First because I could not find any freeware event correlation utility on Internet. Since commercial tools were way too expensive, there were simply no choices left. Second, since I am also a phd student in network management, I wanted to try if the utility will also be useful for others. There are many articles about event correlation in journals and conference proceedings, but no one has ever put any software into public domain. All you have are articles where people claim that "our approach is best" ;)))

>
> The reason I ask is I'm a grad student working on a thesis in
> telecom, working on developing an event correlator. So, if you have
> incorporated this tool, which looks quite powerful, into working with an
> actual network management environment, I'd be interested in your
> description of that.

Yes, I have, I am using it with HP OpenView ITO. First and simpler way to use it is to monitor important application logfiles with it (i.e. to do event correlation at "event source"). Second way is full integration - basically you have to write a small program that reads events from a certain point in logical event stream, and writes them to a named pipe (sec will wait on the other end of the pipe and read those events). Example program for HP OpenView is included in sec package. OpenView has good API for reading and writing from logical event streams, and I believe that this is also true for Tivoli and other competitors.

If you are looking for case study of integration, I have written an article how sec is used in my company. Unfortunately this article is unpublished yet. I hope to find a conference that will accept it in the near future ;))

best regards,
risto

On Fri, 23 Mar 2001, Reimer, Fred wrote:

> I don't know if everyone else subscribed to opennms lists are also on the
> ovforum list, but this is a quite interesting project. It also sounds like
> it might fit in with our current correlation needs. I know it's Perl, but
> it may be possible to convert it to Java. I don't give this much hope
> though, as I don't know of any Java classes that implement the regular
> expression and variable interpolation as effectively as Perl.
>
> So, assuming for a moment without looking at sec-1.0 in detail that it fits
> everything that we need, would there be any major opposition to use this as
> the basis for the OpenNMS event correlation engine, or does it just have to
> be Java? If we could define the interface strictly enough then
> theoretically we could use this and drop in a Java replacement if/when that
> is ever completed. I don't know of a simpler interface than sending a
> stream of text to the standard input (or other file handle) of a process.
>
> Just some thoughts...
>
> Fred
>
> > -----Original Message-----
> > From: Risto Vaarandi [mailto:ri...@ey...]
> > Sent: Friday, March 23, 2001 4:01 PM
> > To: ovforum: the OpenView Forum mail list for network management
> > Subject: [ovforum] event correlation tool
> >
> >
> > hello,
> >
> > some time ago I posted a question about freeware event
> > correlation tools
> > to several lists and newsgroups, but no-one seemed to know
> > any such tool.
> > Since I had to do event correlation on Linux but could not find
> > any relevant utility, I decided to implement one myself. It
> > is written in
> > perl and should also run on other unix platforms than linux.
> > The package can be downloaded from http://kodu.neti.ee/~risto/sec
> > (since English is not my first language, some of you might find the
> > documentation part not very fluent ;)
> > If you have any ideas and suggestions about the tool, send me
> > an e-mail.
> >
> > best regards,
> > risto
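
The named-pipe integration described in the forwarded reply, as an added example that is not code from the sec package or from anyone in this thread: a feeder writes events into a FIFO and a correlator waiting on the other end raises one alert per burst. The event format, the threshold rule, the sample events and all function names are assumptions made for illustration, and Python is used here rather than Perl.

```python
import os, re, tempfile, threading
from collections import deque

# Constructed sample events as (timestamp in seconds, message); not from the thread.
SAMPLE_EVENTS = [
    (0, "link down on router1"), (10, "link down on router2"),
    (20, "link down on router1"), (45, "link down on router1"),
    (50, "link up on router1"), (100, "link down on router2"),
    (130, "link down on router2"), (150, "link down on router2"),
]

def feeder(pipe_path, events):
    """The 'small program': forward events from the source into the named pipe."""
    with open(pipe_path, "w") as pipe:  # blocks until the correlator opens its end
        for ts, msg in events:
            pipe.write(f"{ts} {msg}\n")

def correlate(pipe_path, pattern, threshold, window):
    """Correlator end: one alert per `threshold` matches for a key within `window` s."""
    rx, recent, alerts = re.compile(pattern), {}, []
    with open(pipe_path) as pipe:  # waits on the other end of the pipe
        for line in pipe:
            ts_text, _, msg = line.rstrip("\n").partition(" ")
            match = rx.search(msg)
            if not match:
                continue
            ts, key = int(ts_text), match.group(1)
            seen = recent.setdefault(key, deque())
            seen.append(ts)
            while ts - seen[0] > window:  # drop matches older than the window
                seen.popleft()
            if len(seen) >= threshold:
                alerts.append((ts, key, len(seen)))
                seen.clear()  # start counting afresh after alerting
    return alerts

def run_demo(events=SAMPLE_EVENTS):
    with tempfile.TemporaryDirectory() as tmp:  # private directory for the pipe
        pipe_path = os.path.join(tmp, "events.fifo")
        os.mkfifo(pipe_path, 0o600)  # only this user may write events into the pipe
        writer = threading.Thread(target=feeder, args=(pipe_path, events))
        writer.start()
        try:
            return correlate(pipe_path, r"link down on (\S+)", threshold=3, window=60)
        finally:
            writer.join()

if __name__ == "__main__":
    for ts, device, count in run_demo():
        print(f"t={ts}s ALERT {device}: {count} link-down events within 60 s")
```

The FIFO is created with mode 0600 inside a private temporary directory because anything able to write to the pipe can feed events to the correlator.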