2. Event Concepts

These are the primary concepts associated with Zenoss and its event monitoring system.

2.1. Event Life Cycle

The Zenoss event life cycle is straightforward. It begins when the event is created, with its state set to “New” by default. The event can then be Acknowledged, Suppressed, or “dropped” by an event class rule. From there, an event is archived into the Event History database in one of four ways: manually; by auto clear correlation (a bad event happens, a good event for the same thing happens, and the bad event is moved to history); by an event class rule; or by an inactive timeout.

Figure 10.1. Event Life Cycle


2.2. De-duplication

If a single event is submitted multiple times, an event counter is incremented instead of the event log filling up with hundreds or perhaps even thousands of identical events. The matching is done through the event class. Additional matching submissions do not generate more instances of that event in the event list; they only increase the event counter. This matters because repeated occurrences of the same event then do not create alert “chatter” in the time between when the event occurs and when you acknowledge or correct it.

Figure 10.2. De-duplication


2.3. Begin-End Correlation

An event enters the Event Life Cycle at the start of the event and leaves it at the end of the event. If a positive event arrives that corresponds to a negative event that has already been received, the associated negative event is cleared. This is done by matching several key data points in the events themselves.

Figure 10.3. Begin-End Correlation

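The following model of de-duplication (2.2) and begin-end correlation (2.3) is an added example, not Zenoss code. `Event` and `EventList` are hypothetical names, and the match fields (device, component, event class, severity) and the clear severity value of 0 are assumptions, since this section only says that matching uses the event class and "several key data points".

```python
from dataclasses import dataclass

CLEAR = 0  # assumed severity value that marks a "good" (clear) event

@dataclass
class Event:
    device: str
    component: str
    event_class: str
    severity: int
    summary: str
    state: str = "New"   # default state named in section 2.1
    count: int = 1       # de-duplication counter

class EventList:
    def __init__(self):
        self.active = {}    # de-duplication key -> Event
        self.history = []   # (Event, reason) pairs archived from the active list

    def submit(self, ev):
        target = (ev.device, ev.component, ev.event_class)  # assumed match fields
        if ev.severity == CLEAR:
            # Begin-end correlation: archive every active event for the same target.
            # The clear event itself is not kept in the active list in this model.
            for key in [k for k in self.active if k[:3] == target]:
                self.history.append((self.active.pop(key), "auto clear"))
            return None
        key = target + (ev.severity,)
        if key in self.active:
            self.active[key].count += 1   # repeat: bump the counter, add no new row
        else:
            self.active[key] = ev
        return self.active[key]

    def acknowledge(self, key):
        self.active[key].state = "Acknowledged"

if __name__ == "__main__":
    # Constructed sample events, not taken from a real system.
    events = EventList()
    for _ in range(3):
        events.submit(Event("web01", "", "/Status/Ping", 5, "ip down"))
    events.submit(Event("db01", "", "/Status/Ping", 5, "ip down"))
    print({k: e.count for k, e in events.active.items()})
    events.submit(Event("web01", "", "/Status/Ping", CLEAR, "ip up"))
    print(sorted(events.active), [(e.device, e.count, why) for e, why in events.history])
```

Because the counter travels with the event into history, the archived record still shows how many times the condition fired before it cleared.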