Tool Mentor: TNM – Correlate Events and Select Response
TM144 – How to use TNM to Correlate Events and Select Response
Tool: IBM Tivoli Network Manager
Relationships
Main Description

Context

Tool mentors explain how a tool can perform tasks, which are part of ITUP processes and activities. The tasks are listed as Related Elements in the Relationships section.

Details

A failure situation on the network usually generates multiple events, creating noise on the operator's console. IBM® Tivoli® Network Manager (TNM) correlates all events related to a single failure on the network using the topology information it has discovered from the network. TNM identifies the root cause of the network failure (the significant event) and correlates all symptomatic events to this root cause. Symptomatic events are identified and their criticality is reduced; network operators should focus corrective action on significant events. TNM can also enrich events with the network topology information it has discovered.

This correlation process reduces the event flood from network failures, focusing network operations staff on a manageable set of significant events.

TNM includes a set of default topology-based event correlation policies. Example policies include:

  1. Isolated/Downstream suppression -- correlating a device failure event to all the resulting downstream and surrounding ping failure events.
  2. Physical neighbor suppression -- correlating a chassis failure to all failures on interfaces connected to that chassis device.
  3. Event-correlation in redundant meshed networks -- correlating a catastrophic failure of multiple redundant links at the provider-edge to the resultant flood of ping failure events from downstream devices.
  4. Logical to physical topology event correlation -- correlating a link failure to OSPF neighbor loss events.

All policies are generic and can be applied to multiple network technologies. Tivoli Network Manager can use rule chaining to allow individual events to generate a sequence of correlations. The default policies can be modified and extended by the user.

Example Scenario: Pair of devices fails isolating a portion of the network

Tivoli Network Manager will correlate all events from the isolated devices to two significant events, one for each redundant leg in the network. The last device to fail, that is, the one that isolated the network, will be marked as the root cause of the symptoms.

Figure 1. Network topology view showing two failed devices (in red) and all devices that are isolated as a result of these failed devices (in purple)

Figure 2. Event list showing all events (red ones are significant, purple ones are the symptomatic events correlated to the significant ones)
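The isolated/downstream suppression policy and the scenario above can be sketched in a few lines of Python. This is an added illustration, not TNM's own algorithm or policy language; the topology, device names, poller location and event timestamps are constructed, and the classification rule (a device is significant if it still has a path from the poller that avoids every other alarmed device) is an assumption chosen to reproduce the behaviour the text describes.

```python
from collections import deque

def reachable(topology, poller, down):
    """Devices the poller can still reach when the devices in `down` forward nothing."""
    seen, queue = {poller}, deque([poller])
    while queue:
        for nbr in topology[queue.popleft()]:
            if nbr not in seen and nbr not in down:
                seen.add(nbr)
                queue.append(nbr)
    return seen

def correlate(topology, poller, events):
    """events: iterable of (timestamp, device) ping failures, in any arrival order.
    Returns (significant, roots): the set of root-cause devices and a map from
    each symptomatic device to the significant device it is correlated to."""
    when = {dev: ts for ts, dev in events}
    alarmed = set(when)
    # Significant: the poller has a path to the device that avoids all other
    # alarmed devices, so the device itself must have failed.
    significant = {d for d in alarmed
                   if d in reachable(topology, poller, alarmed - {d})}
    roots = {}
    for d in alarmed - significant:
        # Failed devices whose recovery alone would make d reachable again.
        legs = [s for s in significant
                if d in reachable(topology, poller, significant - {s})]
        pool = legs or significant
        # The last leg to fail is the one that completed the isolation.
        roots[d] = max(pool, key=when.get) if pool else None
    return significant, roots

# Constructed topology: two redundant legs (pe1, pe2) in front of dist.
TOPOLOGY = {
    "poller": ["core"], "core": ["poller", "pe1", "pe2"],
    "pe1": ["core", "dist"], "pe2": ["core", "dist"],
    "dist": ["pe1", "pe2", "acc1", "acc2"],
    "acc1": ["dist"], "acc2": ["dist"],
}
# Constructed events: pe1 fails first, pe2 fails later and isolates the rest.
EVENTS = [(100, "pe1"), (160, "pe2"), (161, "dist"), (162, "acc1"), (163, "acc2")]

if __name__ == "__main__":
    significant, roots = correlate(TOPOLOGY, "poller", EVENTS)
    print("significant:", sorted(significant))
    for dev, root in sorted(roots.items()):
        print(f"symptomatic: {dev} -> root cause {root}")
```

Because classification depends on topology rather than arrival order, a symptomatic ping failure that reaches the event list before its root-cause event is still suppressed once both are present.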

For more information

For more information about this tool, go to the IBM Tivoli Network Manager page.