Event Analysis

Terry Slattery
Principal Architect

We just announced the NetMRI Event Analysis system, which analyzes syslog and snmp trap events, and is pretty exciting (see the press release). Most syslog collectors provide forensic analysis (after the fact). Some organizations have created complex scripts to filter out the noise and identify important events.

NetMRI Event Analysis (NEA) allows us, and customers, to build analysis rules that identify the ‘needle in the haystack’ events that are important to your infrastructure. In one case, we had about 20MB of syslog data. Through our analysis, one event of interest was found. The rest were the regular noise of Frame Relay and VPN interfaces going up or down, edge switch ports going active and inactive, and other chatter that clutters log files.

We’re pre-loading the Event Analysis system with a number of events that our customers have told us are important to them. They include events like Cisco 6500 Pinnacle errors, line card failures, redundancy failures, routing protocol adjacency changes, etc. An interesting approach we have is that we can apply different analysis thresholds and severity levels based on the primary device group to which a device belongs. So an important LAN router or switch could have a higher priority for an interface transition than a WAN router that services a large number of noisy links.

So instead of syslog/trap logs being an after-the-fact analysis tool, NEA makes it something that can alert you to significant events occurring in the network out of mega- or giga-bytes of log data. That’s pretty cool!



Re-posted with Permission 

NetCraftsmen would like to acknowledge Infoblox for their permission to re-post this article which originally appeared in the Applied Infrastructure blog under http://www.infoblox.com/en/communities/blogs.html


Leave a Reply