We changed our name from IT Central Station: Here's why

Top 8 Event Monitoring Tools

SCOMBMC TrueSight Operations ManagementScienceLogicZenoss Service DynamicsIBM Tivoli NetCool OMNIbusMicro Focus Operations ManagerIDERA SQL Diagnostic Manager for SQL ServerOperations Bridge
  1. leader badge
    I like some of their newer features, such as maintenance schedules, because SCOM records SLA and SLO time.We have found the scalability capabilities to be okay.
  2. The most valuable features are the rich reports, high performance, and the look and feel of the WebEx webpage are very good.I like the deep-dive detail and end-user metrics data. The synthetic monitor is the best one. The best point of the new one is that there's no need for configuration. You can inject the Java script and start to change major developments in the application. This is a good approach, and we received all the data using this.
  3. Find out what your peers are saying about Microsoft, BMC, ScienceLogic and others in Event Monitoring. Updated: January 2022.
    563,780 professionals have used our research since 2012.
  4. It is very easy to configure because we are using an agent-less version. You can very quickly implement a collector for monitoring device servers.Its ITSM and EMS combination is really amazing. There is no need to purchase two products, one for ITSM and a second for EMS/NMS.
  5. The product offers good documentation that helps with initial training.They have also accommodated many state-of-the-art technologies like Docker and ZooKeeper.
  6. It is customer-centric. Customers can access the event list from their location or desktop and view the event. There is no need to go and connect to any other server and run events to have a view of all the events happening in the environment. We get a good response from customers about this feature and the main architecture of NetCool. Its processing is very good. Deduplication and correlation functionalities are good in this solution as compared to other solutions. A big advantage of NetCool is that it also supports multi-layered protocols. We can receive multiple events from different protocols like UDP, HTTP, and those events can be captured in NetCool.
  7. It's a very good product overall.You can create an application topology that shows relationships between different components.
  8. report
    Use our free recommendation engine to learn which Event Monitoring solutions are best for your needs.
    563,780 professionals have used our research since 2012.
  9. Memory and CPU utilization features are good. We're able to diagnose issues prior to their actually becoming issues. Without the alerting, we wouldn't have a clue as to what was going to happen. With the alerting, it gives us a heads-up that a specific threshold has been met, and we need to take specific action.
  10. Similar to Micro Focus Network Node Manager, the most valuable features of this solution are its modern look and usability.The correlation feature is the most used feature. It allows you to correlate events from different sources and have more meaningful events.

Advice From The Community

Read answers to top Event Monitoring questions. 563,780 professionals have gotten help from our community of experts.
Are event correlation and aggregation both needed for effective event monitoring and SIEM? 
author avatarWilla Ou

Yes, both of them are needed. Since their concepts have been well discussed here, I will just give a few examples of event processing rules I developed in BMC TrueSight for BMC customers in the last 17 years. 

'Aggregation' requests are usually about combining multiple occurrences of one single event type into one event for the purpose to minimize the number of redundant incident tickets.

One type of aggregation is to combine multiple events occurred on different instances within a certain time period into one event. I call this type horizontal aggregation. One aggregation rule I developed combined all ping failure events within the last 10 minutes into one event if more than 10 servers failed on ping test. Another aggregation rule I developed combined all Remedy server process down events on a single Remedy server within last 10 minutes into one event.

Another type of aggregation is vertical aggregation along the time line. Take an example of CPU utilization on a single server. If CPU utilization exceeds a threshold at 10:00am, an event will occur and thus a ticket is created. If CPU utilization continues exceeding the threshold, BMC TrueSight won't generate more events. But if CPU utilization falls below the threshold at 10:15 am, BMC TrueSight will close the previous event. What if CPU utilization exceeds a threshold again at 10:30 am? Another event will occur and another ticket will be created. If this pattern goes on for 20 times in a day, we will get 20 tickets. This is sometimes called event flapping. The aggregation rule I developed combined all occurrences of the same type of events into one event based on user-defined criteria - either by a fixed time period (e.g. All high CPU events happened within an 8-hour fixed window go to one event/ticket) or by idle time (e.g. All re-occurrences happened after 3 hours of normal CPU utilization go to a new event/ticket).

'Correlation' requests are usually about grouping different event types (and often occurred on different servers) together for the purpose to identify root cause - though it can sometimes reduce the number of redundant incident tickets as well. Correlation may even add one higher-level ticket that links to all related lower-level tickets especially if these lower-level tickets are assigned to different support groups. One example is to correlate an event from synthetic transaction failure, an event from app server log monitoring, and an event from Oracle alert log monitoring occurred within the last 10 minutes. One challenge in event correlation is to correlate the related events only thus having an accurate infrastructure topology is critical. As discussed here previously, purely relying on discovery tool to keep a real-time topology is difficult and expensive. In BMC TrueSight, I sometimes had to develop an add-on data collection (custom PATROL KM) to extract the component relationship from configuration files on the server and execute this custom PATROL KM at the same schedule as BMC out-of-box PATROL KM.

Aggregation and correlation are necessary in enterprise SIEM in order to realize positive ROI. 

author avatarErtugrul Akbas (ANET)
Real User

They are not same. For evet monitoring (log management) aggregation is enough but if you need correlation then SIEM required. Aggregation  means log parsing and correlation means developing rules to detect attacks

author avatarTjeerd Saijoen

Aggregation is taking several events and turning them into one single event, while Correlation enables you to find relationships between seemingly unrelated events in data from multiple sources and to understand which events are most relevant.

SIEM event correlation is an essential part of any SIEM
solution. It aggregates and analyzes log data from across your network
applications, systems, and devices, making it possible to discover
security threats and malicious patterns of behaviors that otherwise go
unnoticed and can lead to compromise or data loss.

author avatarreviewer1285209 (Tech Lead at a tech services company with 1,001-5,000 employees)
Real User

Aggregation and correlation: Agreeing on the right responses below.

Aggregation takes place during the flow of the real-time events to reduce duplicate events generated from the same source. Aggregation of the event can be adjusted in a few of the SIEM solutions to reduce logging, EPS, Storage, CPU, etc. (Solution Architecture or the platform Engineer has to decide the aggregation setting depending on what is to be achieved out of the environment).

Ex: Reducing same/similar sync events to saves in SIEM from a security device.

Correlation is the process of connecting/relating two different event properties from the Same or different log sources, Those events may or may not hold the same parsed fields. But correlation can only occur once the events are aggregated >> parsed >> Mapped to respective fields so that SIEM rules can check for required fields to trigger a correlated offense/alert.

Ex: Detecting and triggering security threat alerts from different security appliance (Firewall, IDS/IS, WAF, EDR, HIPS, AV ETC) 

Suppression: let's not get confused with suppression of alerts as aggregation, As Suppression is used to reduce the same offenses generated multiple times and this takes place after Aggregation >> parsing >> Mapping >> Correlation >> Offense triggered >> Suppression.

Ex : Device not reporting from last 1 hour this can be suppressed as security team works to resolve the event till the devices back in action

Thank you

author avatarGregg Woodcock
Real User

Yes. You need aggregation to show sustained activity over time which can indicate an attack, attempt to breach, or exfiltration. You need correlation to show things that happen contemporaneous which is especially useful if they should not or normally do not.

author avatarreviewer1275930 (IT Executive Leader / Innovator at a tech consulting company with 11-50 employees)

Not sure anything else could be added that Mr. Collier already stated.  The aggregation of any events is to collect and combine events to develop a pool of raw data which could be analyzed later.  To correlate events on any given situation is to look for similarities or disparities between those events. I do not see any applications or platforms on the market (yet) that can provide a solid foundation of correlating events.  Given a very small sample of variables and LOTS of data, correlations can be surmised -- but still need a very manual process of validation. 

author avatarRandall Hinds
Real User

Agree on all the answers posted here, and I especially like Dave's explanation on the more advanced solutions available on the market. Excellent call outs on the need for deep & well maintained relationship mapping to enable an AI's algorithm to connect-the-dots between aggregated alerts firing from multiple separate source tools. Having a mature ITSM implementations with CI-discovery, automated dependency-mapping, and full integration between your correlation engine & CMDB will help too.

Find out what your peers are saying about Microsoft, BMC, ScienceLogic and others in Event Monitoring. Updated: January 2022.
563,780 professionals have used our research since 2012.