When a log matches the criteria, it is added to an Event Candidate. Event candidates let SmartEvent track logs until an event threshold is crossed, at which point an event is generated.
The logs can come from different log servers and be correlated in the same event.
The Event Candidate tracks logs until the criteria are met (the criterion is a declared number of logs within a declared number of seconds).
Each Event Definition can have multiple event candidates, each of which keeps track of logs grouped by equivalent properties. In the figure above, the logs that create the event candidate have a common source value: they are dropped, blocked or rejected by a Firewall. They are grouped together because the Event Definition is designed to detect this type of activity originating from one source. If the Event Definition declares grouping on the source field, a log whose source value matches no existing candidate creates a new event candidate.
When a log matches the event definition, but has properties different than those of the existing event candidates, a new event candidate is created. This event candidate is added to what can be thought of as the Event Candidate Pool.
By default, SmartEvent creates a new event candidate for a log with a different source.
To customize the default behavior:
The Edit Event Definition window opens.
To illustrate further, suppose an Event Definition detects a high rate of blocked connections. SmartEvent tracks the number of blocked connections for each Firewall, and the logs of the blocked traffic at each Firewall form an event candidate. When the threshold of blocked-connection logs from a Firewall is surpassed, that Firewall's event candidate becomes an event. While this Event Definition creates one event candidate for each Firewall monitored, other Event Definitions can create many more.
The Event Candidate Pool is a dynamic environment: new logs are added continuously, and older logs are discarded once they fall outside the Event Definition's time threshold.