First- and Second-Level ITIL Event Correlation

FirstandSecondLevelEventCorrelation184735200BlogThe event management process as defined in the “ITIL Service Operation” book includes two types of correlation as part of its activities. These two types of correlation are first-level and second-level.

First-Level Correlation

According to the “ITIL Service Operation” book, first-level event correlation is simple filtering. At this point of the process, the event type is determined, as well as whether or not it should be communicated. Event types include informational, warning and exception. What ITIL® is saying is that once an event is logged, the next thing to do is to determine what kind of event it is and whether or not that event should be communicated.

Informational events:

  • Typically do not trigger follow-up action
  • Are logged for a pre-determined period of time
  • Are often used to generate statistical information about configuration items

Warning events:

  • Indicate unusual operation
  • Trigger actions that might prevent an exception event from occurring
  • Might occur in conjunction with other events

Exception events:

  • Indicate abnormal operation
  • Can represent a failure of a configuration item or a degradation
  • Includes events related to unauthorized devices being detected on a network

Second-Level Correlation

The next level of correlation that occurs as part of the event management process activities is second-level correlation. Second-level correlation is used to dig deeper into the meaning of warning events.

Warning events typically require a different level of correlation that determines the following:

  • What is the significance of the event?
  • What action, if any, needs to be taken based on the event occurring?
  • Does the performance seen match a norm?
  • Have multiple simultaneous events occurred and does a correlation engine need to be invoked?

Second-level correlation is important because warning events often happen in groups, and sometimes those groups can includes hundreds or thousands of messages. Parsing through and correlating all of those messages can be a daunting task, but it is an important task because all of those warning events that happened simultaneously might be pointing to one failure or degradation in the environment.

Correlation is a deep topic in event management, and the “ITIL Service Operation” book only skims the surface. Establishing effective correlation in an organization requires a strong event management process, the right tools and a commitment to constantly tuning the performance of the organization’s correlation engines and rules.

Related Courses
ITIL Foundation
ITIL Awareness

In this article

Join the Conversation

2 comments

  1. sanjeev Reply

    Please mail me the reference material for event correlation and routing