MonitorWare concepts
Article created 2003-05-15 by Rainer Gerhards.
Information Units
Information units contain the
data gathered by the services. As soon as a service detects a reportable
event, it creates a new information unit. The information unit contains
a textual representation of the event (for example a syslog message) as
well as information about the event itself. For example, it contains the
system that the event was originated from and the date and time it was
received.
Which data is contained in the
information unit depends on its type. However, there are a number of
common data elements present in all information units. Most of these
elements can be used as filter conditions in the rule engine.
Information unit specific data elements are not eligible as filter
conditions. However, there are data elements (properties) which are
defined to be present in all information units even though they seem to
be specific to a service type. One example is syslog priority. These
values are present in each information unit type simply because priority
is a good abstraction for other types, too. Such generally available
properties are mapped if they are not directly supported by the service
type. In the example, an event log monitor maps the event log severity
to the syslog priority.
There is a direct one-to-one relation between service type and information
unit type. Each service type has its own information unit type.
Inside the rule base, the
information unit type itself can be used as a filter condition. This
facilitates creating rules that check information unit type specific
properties only if they originated from the specific service type (e.g.
check syslog priority only if the information unit was generated by a
syslog server).
|
