Technote (FAQ)
Question
How are events received from a Distributed Correlation Server processed by RM Event Server?
Answer
If raw sensor events are sent to a Distributed Correlation Server first, then the First-level correlation happens at the Distributed Correlation Server. After doing first level correlation, the DC Server creates Incident events and also sets the following attributes for each raw sensor event:
rm_CorrelatedByAgent = <hostname or IP of the DC server>
rm_AgentNormalized = true
Now, even if these raw sensor events are forwarded to the RM Agent on the Event Server, the Agent will know that these events have already been correlated by the DC Server. Hence it will simply pass on these events to TEC without any further correlation.
As far as Incident events generated by DC Server are concerned, the RM Agent on Event Server will not process Incident events. It simply sends it to the "Incident_Sender" which passes these events to TEC.
So, first-level correlation is always done by the first RM Agent that runs a correlation engine. It is either a DC Server or an Event Server.
Product Alias/Synonym
RM
ITRM
Rate this page:
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.