Event management allows IT operation administrators to combine multiple event sources from monitoring tools such as Icinga and Nagios into a single management console. Event management provides options for configuring and managing events, and for integrating with other ServiceNow features such as incident, change, and task management, and CMDB and services management.
An event is a notification from one or more monitoring tools that indicates something of interest has occurred, such as a log message, warning, or error. The system receives or pulls events from one or more external event sources and stores them in the Event [em_event] table.
The event monitoring tool generates the values of the source and resource fields. Event management implementers can define event types and register nodes to help uniquely identify incoming events and create alerts for the specific needs of the enterprise. Event Management uses this information to determine whether to create a new alert or update an existing one.
An event source may generate duplicate events that carry the same identifying information. For such events, Event Management uses the time interval between them to determine whether they represent an existing issue or a new one.
External Event Sources
Event Management can import events from external sources. The system offers native support for the following event sources:
- Netcool/OMNIbus ObjectServers and Impact Servers
- Microsoft System Center Operations Manager (SCOM) servers
- SolarWinds Log & Event Manager servers
Users with the evt_mgmt_admin role can import events from these sources with a connector definition. See Importing Events from Supported External Sources.
Native support for external event sources is available starting with the Fuji release.
Customers on earlier versions, or who need to import events from other event sources, must create a scripted integration. Users with the evt_mgmt_integration role can use the system REST APIs and a Python script to insert raw events into the Event [em_event] table. See Integrating External Events with Event Management.
Event Transform Rules
The system uses event transform rules to transform and normalize event data before processing it for alerts. Event transform rules do not change records in the Event [em_event] table. Instead, the changes to event data are held only in system memory and used for processing. Administrators can use event transform rules to:
- Identify which events to transform based on a set of matching conditions.
- Identify which events should be ignored.
- Specify what event field values to add or update.
An event transform rule only updates or inserts event values when all the following conditions apply:
- The event transform rule's Event Class field matches the event's class value.
- All the regular expressions in the Event Match Fields embedded list match to either event fields or name-value pairs in the Additional Information
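The rule evaluation described above, as an added Python example that is not ServiceNow code: a rule applies only when the event class matches and every regular expression matches an event field or an Additional Information pair, and its changes go to an in-memory copy rather than the stored record. The dictionary layout, the `ignore` and `set_fields` keys, the sample values and the use of `re.search` semantics are assumptions made for illustration.

```python
import copy
import re

# Constructed sample event; keys stand in for Event [em_event] fields.
STORED_EVENT = {
    "source": "Nagios", "event_class": "nagios-prod", "resource": "eth0",
    "node": "web01", "severity": "3",
    "additional_info": {"check": "ping", "state": "SOFT"},
}

# Hypothetical rule layout (not ServiceNow's schema).
RULE = {
    "event_class": "nagios-prod",
    "match_fields": {"resource": r"^eth\d+$", "check": r"^ping$"},
    "ignore": False,
    "set_fields": {"type": "Network Interface", "severity": "2"},
}


def lookup(event, name):
    """Find a value in the event fields first, then in Additional Information."""
    if name != "additional_info" and name in event:
        return event[name]
    return event.get("additional_info", {}).get(name)


def apply_transform_rule(rule, event):
    """Return (event_for_processing, status); the stored event is never modified."""
    if rule["event_class"] != event.get("event_class"):
        return event, "unmatched"
    # Every regular expression must match, otherwise the rule does nothing.
    for name, pattern in rule["match_fields"].items():
        value = lookup(event, name)
        if value is None or re.search(pattern, str(value)) is None:
            return event, "unmatched"
    if rule.get("ignore"):
        return None, "ignored"
    working = copy.deepcopy(event)  # in-memory copy used for alert processing
    working.update(rule.get("set_fields", {}))  # add or update field values
    return working, "transformed"


if __name__ == "__main__":
    processed, status = apply_transform_rule(RULE, STORED_EVENT)
    print(status, processed["severity"], "stored:", STORED_EVENT["severity"])
```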
Event Management Process Flow
The Event [em_event] table collects inbound events from the external event sources. Administrators configure event management to specify which events the system converts into alerts as well as the contents of alerts.
For events that meet the defined criteria, Event Management creates alerts in the Alert [em_alert] table. If an alert does not already exist for the event, a new alert is created. If the alert already exists, the existing alert is updated appropriately. The alert life cycle consists of:
- Acknowledging alerts.
- Creating incidents for alerts that match incident rules.
- Closing alerts for resolved issues.