News

Copyright © 2008-2019 Paula DiTallo

Tag Cloud



What is an "event storm"?

Loosely stated, an event storm is a large number of warming, informational and error class occurrances on a given node (or array of nodes) over a relatively short period of time. Since these events  must be detected and addressed to improve the health and reliability of any given system, a whole science and collection of supporting applications exist to best manage these occurrances.

The best academic abstract/whitepaper I've seen on the topic comes from Mouayad Albaghdadi, Bruce Briley and Martha Evens, titled Event Storm Detection and Identification in Communication Systems.

http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V4T-4GGWG9B-2&_user=10&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=f0c21894956067e205019af5285b5b14

In the Windows Server 200x world, event storms are represented by the number of events that fill the box's event log--visible to administrators) through Event Viewer. Events will fall under general classes; Application, Security and System. Within these classes, events are typed under Information, Error and Warning. A fast and furious collection of them across any category, under any type is considered an event storm.

If you have access to the Microsoft Operations Management (MOM) server in your NT/Windows Server 200x environment, connect to the OnePoint database instance, look under views. An important view is dbo.SDKEventView. You'll see columns like: EventGUID, ComputerName, GeneratedAlert, Message, NTEventID, TimeGenerated, TimeStarted, TimeStored, etc.

Let's say you're interested in determining which boxes on your network have been generating the highest count of events. Type and execute this query:

SELECT ComputerName, COUNT(*) AS myTally
  FROM dbo.SDKEventView
   WHERE (TimeGenerated BETWEEN convert(datetime,'02/04/2008 05:00:00 AM',101) AND convert(datetime,'02/04/2008 05:00:00 PM',101 ))
    GROUP BY ComputerName
     ORDER BY myTally DESC

What you'll see as a result from this query is a listing of each node/server with a tally of events generated for the past 12 hours. Granted, not all the events that tally may be of dire interest to you (e.g. common, or expected IIS related-errors) however it is an acid-test to help determine which nodes on your network are generating a lot of  tagged activity. To dig deeper into MOM event managment and reporting, please visit Justin Harter's web site: http://www.momresources.org . This is an AWESOME resource for developers and admins alike from all levels experience!

Monday, February 4, 2008 11:31 AM

Feedback

# re: What is an "event storm"?

Thanks for this query...I have a need to get a better idea of which servers are generating the most events and alerts. 12/26/2008 8:50 AM | Steve Tarzon

Post A Comment
Title:
Name:
Email:
Comment:
Verification: