The Simple Event Correlator (SEC) is an event correlation tool written entirely in the programming language Perl. In many ways it is a lightweight version of a full event correlation suite: like a standard event correlation tool, it can do everything from managing security to monitoring, tracking and analyzing the events in your log files. Unlike the full, often more expensive, event correlation solutions, SEC is independent of any specific platform and runs as a single process. That means it can be deployed in many places on your network, for example attached to a terminal or inserted into a shell pipeline, and you can still run several SEC processes at the same time for a variety of tasks.
At its core, SEC is designed to find the event patterns described by the rules you define in its configuration files. It also offers more advanced features, such as log file analysis and logic-based correlation, that suit a wide range of traditional event correlation tasks. One common use is detecting brute-force login attempts: by pointing the correlator at the file that records login events, it can watch for repeated failed attempts against your systems and notify you so that you can take action.
Overall, the main draw of SEC over a traditional suite of event correlation tools is its flexibility. Its ability to handle event logs from many different contexts really differentiates it from other tools and makes it attractive to many IT professionals. For example, imagine a scanner that keeps jamming: a traditional event correlator would send an email every time it saw a jam, whereas SEC can recognize that an email has already been sent and keep your inbox from being flooded with dozens of messages every time the paper jams.
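The two behaviours just described, a threshold rule that raises one alert after repeated failed logins and a suppression rule that reports a paper jam once and then stays quiet, as an added Python example. This is not SEC's own code or rule syntax (SEC rules live in its configuration files); it is a minimal correlator with the same semantics run over constructed log lines, and the regular expressions, the threshold of three and the 60-second windows are assumptions chosen for the illustration.

```python
import re
from collections import deque

# Constructed sample log, not taken from any real system. Each entry is
# (seconds since an arbitrary start, log line); fixed timestamps keep the
# run deterministic.
SAMPLE_LOG = [
    (0, "sshd[101]: Failed password for root from 203.0.113.5 port 5221 ssh2"),
    (5, "sshd[102]: Failed password for root from 203.0.113.5 port 5222 ssh2"),
    (9, "printerd: paper jam detected on tray 2"),
    (12, "sshd[103]: Failed password for admin from 203.0.113.5 port 5223 ssh2"),
    (15, "printerd: paper jam detected on tray 2"),
    (20, "sshd[104]: Failed password for root from 198.51.100.9 port 6001 ssh2"),
    (40, "printerd: paper jam detected on tray 2"),
    (100, "sshd[105]: Failed password for root from 203.0.113.5 port 5224 ssh2"),
]


class ThresholdRule:
    """Raise one alert when `threshold` matching events share a key within
    `window` seconds (the brute-force case). The open window for a key is a
    correlation operation: a new event for that key joins it instead of
    starting a second one, which is what keeps the alert count down."""

    def __init__(self, pattern, threshold, window, describe):
        self.pattern = re.compile(pattern)
        self.threshold = threshold
        self.window = window
        self.describe = describe
        self.operations = {}  # key -> deque of event timestamps

    def feed(self, ts, line):
        match = self.pattern.search(line)
        if not match:
            return None
        key = match.group(1)
        op = self.operations.setdefault(key, deque())
        op.append(ts)
        while ts - op[0] > self.window:  # drop events outside the sliding window
            op.popleft()
        if len(op) >= self.threshold:
            op.clear()  # operation finished; the next event starts a new one
            return self.describe(key, self.threshold, self.window)
        return None


class SuppressRule:
    """Raise an alert on the first matching event for a key, then stay silent
    for that key for `window` seconds (the paper-jam case)."""

    def __init__(self, pattern, window, describe):
        self.pattern = re.compile(pattern)
        self.window = window
        self.describe = describe
        self.last_alert = {}  # key -> timestamp of the last alert sent
        self.suppressed = 0   # how many duplicates were swallowed

    def feed(self, ts, line):
        match = self.pattern.search(line)
        if not match:
            return None
        key = match.group(1)
        last = self.last_alert.get(key)
        if last is not None and ts - last < self.window:
            self.suppressed += 1
            return None
        self.last_alert[key] = ts
        return self.describe(key, self.window)


def build_rules():
    """Assumed rule set: patterns, thresholds and windows are illustrative."""
    return [
        ThresholdRule(r"Failed password for \S+ from (\S+) port", 3, 60,
                      lambda key, n, w: f"{n} failed logins from {key} within {w}s"),
        SuppressRule(r"paper jam detected on (tray \d+)", 60,
                     lambda key, w: f"paper jam on {key}; further jams muted for {w}s"),
    ]


def correlate(log, rules):
    """Feed every line to every rule in arrival order; return the alerts raised."""
    alerts = []
    for ts, line in log:
        for rule in rules:
            message = rule.feed(ts, line)
            if message:
                alerts.append((ts, message))
    return alerts


if __name__ == "__main__":
    rules = build_rules()
    for ts, message in correlate(SAMPLE_LOG, rules):
        print(f"t+{ts:>3}s  {message}")
    print(f"duplicate jam notices suppressed: {rules[1].suppressed}")
```

On the sample input the correlator emits exactly two alerts: one jam notice at t+9s (the two later jams are swallowed by the 60-second suppression) and one brute-force alert at t+12s when the third failure from 203.0.113.5 arrives; the single failure from 198.51.100.9 never reaches the threshold, and the failure at t+100s starts a fresh operation rather than re-alerting.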
Also unique to SEC is that rules can start event correlation operations that run continuously, while other rules react automatically, in real time, to specific events or fire at a set time on your network's internal clock. Suppose your correlator is set up to monitor log files for a specific type of event you have decided is worth watching, and that one of its configuration files holds a rule for failed system logins. When the rule's pattern matches those events, it displays a message so that you and your team can look further into the correlated events and how they affect your system. SEC is also smart enough to check whether a correlation operation for a given event is already in place, so you are not bombarded with messages.
Another feature of SEC is the context. At its foundation, a context is simply a memory tool: it can have more than one name, holds an event store, and has a limited, predetermined lifespan. A context can be used for aggregating events and reporting the aggregated events to you and your team, either in real time or in a daily summary. You can also attach an action list to a context that executes automatically when the context is about to expire.
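The context described above, as an added Python example rather than SEC's own implementation: a context object with several names, an event store, a fixed lifespan and an action list that runs at expiry, used to aggregate failed logins into a daily digest. The names "failed_logins" and "auth_digest", the one-day lifespan and the failed-login events fed in are all constructed for the illustration.

```python
from collections import Counter

DAY = 86400

# Constructed failed-login events, not from any real log:
# (seconds since an arbitrary start, user name, source host).
SAMPLE_FAILURES = [
    (10, "root", "203.0.113.5"),
    (300, "admin", "203.0.113.5"),
    (3600, "root", "198.51.100.9"),
    (90000, "root", "203.0.113.5"),  # arrives after the first day's context has expired
]


class Context:
    """A named memory buffer: one or more names, an event store, a fixed
    lifespan and an action list that runs when the lifespan ends."""

    def __init__(self, names, lifetime, created_at, actions):
        self.names = set(names)
        self.events = []
        self.expires_at = created_at + lifetime
        self.actions = list(actions)  # callables that receive the context

    def add(self, event):
        self.events.append(event)

    def alive(self, now):
        return now < self.expires_at

    def expire(self):
        # run the action list in order; collect whatever each action returns
        return [action(self) for action in self.actions]


class ContextStore:
    """Holds live contexts and retires the ones whose lifespan has ended."""

    def __init__(self):
        self.contexts = []

    def get(self, name):
        # any of a context's names resolves to the same object
        return next((c for c in self.contexts if name in c.names), None)

    def create(self, names, lifetime, now, actions):
        ctx = Context(names, lifetime, now, actions)
        self.contexts.append(ctx)
        return ctx

    def expire_due(self, now):
        """Retire every context that is dead at `now`; return the action results."""
        reports = []
        survivors = []
        for ctx in self.contexts:
            if ctx.alive(now):
                survivors.append(ctx)
            else:
                reports.extend(ctx.expire())
        self.contexts = survivors
        return reports


def daily_summary(ctx):
    """Expiry action: a digest of what the context aggregated over its lifespan."""
    by_host = Counter(host for _, host in ctx.events)
    return {"context": sorted(ctx.names), "total": len(ctx.events), "by_host": dict(by_host)}


def run(events, lifetime=DAY):
    """Aggregate failures into a one-day context; each expiry yields one digest."""
    store = ContextStore()
    reports = []
    for ts, user, host in events:
        reports.extend(store.expire_due(ts))  # overdue contexts fire before new input is stored
        ctx = store.get("failed_logins")
        if ctx is None:
            ctx = store.create(["failed_logins", "auth_digest"], lifetime, ts, [daily_summary])
        ctx.add((user, host))
    reports.extend(store.expire_due(float("inf")))  # close out whatever is open at end of input
    return reports


if __name__ == "__main__":
    for report in run(SAMPLE_FAILURES):
        print(report)
```

The first three failures land in one context, which expires when the fourth event arrives a day later and produces a digest of three failures from two hosts; the fourth event then opens a fresh context whose digest is emitted when the input is closed out.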