Incident resolution activities may extend the
duration of service outages ‘looking for root
cause’ versus taking direct actions to restore
normal state service operation.

Incident records will be closed too early in
the overall support cycle and there will be no
actions taken to prevent recurrence – so the
same incidents will continue to disrupt the
business

Incident records will be kept open so that root
cause analysis can be done and visibility will
be lost of when the user’s service was actually
restored – so SLA targets may not be met even
though the service has been restored within
users’ expectations.

■ Active monitoring tools that poll key CIs to
determine their status and availability. Any
exceptions will generate an alert that needs to
be communicated to the appropriate tool or
team for action.
■■ Passive monitoring tools that detect and
correlate operational alerts or communications
generated by CIs.

Configuration items (CIs)

Environmental conditions

Software licence monitoring

Security

Normal activity (e.g. tracking the use of an
application or the performance of a server).

Event notifications should only go to those
responsible for the handling of their further
actions or decisions related to them

Event management and support should be
centralized as much as reasonably possible.

All application events should utilize a common
set of messaging and logging standards and
protocols wherever possible

Event handling actions should be automated
wherever possible.

A standard classification scheme should be in
place that references common handling and
escalation processes.

All recognized events should be captured
and logged. This will provide a means for
examining incidents, problems and trends after
events have occurred.

InformatIonal events
■■ A scheduled workload has completed
■■ A user has logged in to use an application
■■ An email has reached its intended recipient.

WarnIng events
■■ A server’s memory utilization reaches within 5%
of its highest acceptable performance level
■■ The completion time of a transaction is 10%
longer than normal.

exceptIon events
■■ A user attempts to log on to an application
with the incorrect password
■■ An unusual situation has occurred in a business
process that may indicate an exception
requiring further business investigation (e.g.
a web page alert indicates that a payment
authorization site is unavailable – impacting
financial approval of business transactions)
■■ A device’s CPU is above the acceptable
utilization rate
■■ A PC scan reveals the installation of
unauthorized software.

■ Integration Integrate event management
into all service management processes where
feasible. This will ensure that only the events
significant to these processes are reported.

■ Design Design new services with event
management in mind

Trial and error No matter how thoroughly
event management is prepared, there will be
classes of events that are not properly filtered.
Event management must therefore include a
formal process to evaluate the effectiveness of
filtering.

Planning Proper planning is needed for
the deployment of event management
software across the entire IT infrastructure.

Instrumentation
instrumentation is about defining and designing
exactly how to monitor and control the IT
infrastructure and IT services.

■ How will events be generated?
■■ How will events be classified?
■■ How will events be communicated and
escalated?
■■ Does the CI already have event generation
mechanisms as a standard feature and, if so,
which of these will be used? Are they sufficient
or does the CI need to be customized to include
additional mechanisms or information?
■■ What data will be used to populate the event
record?
■■ Are events generated automatically or does the
CI have to be polled?
■■ Where will events be logged and stored?
■■ How will supplementary data be gathered?

Detailed knowledge of the service level
requirements of the service being supported by
each CI

Knowledge of who is going to be supporting
the CI

Knowledge of the significance of multiple
similar events (on the same CI or various similar
CIs)

Familiarity with incident prioritization and
categorization codes so that if it is necessary to
create an incident record, these codes can be
provided

Knowledge of other CIs that may be dependent
on the affected CI, or those CIs on which
it depends

Event notification
A general principle of event notification is that
the more meaningful the data it contains and
the more targeted the audience, the easier it is
to make decisions about the event.

Event occurs

Event detection
There should be a record of the event and any
subsequent actions. The event can be logged as
an event record in the event management tool or
it can simply be left as an entry in the system log
of the device or application that generated the
event

Informational
This refers to an event that does not require
any action and does not represent an exception.
They are typically stored in the system or service
log files and kept for a predetermined period.
■ A user logs onto an application
■■ A job in the batch queue completes successfully
■■ A device has come online
■■ A transaction is completed successfully.

Warning
A warning is an event that is generated when
a service or device has reached a threshold
that indicates a situation must be checked and
appropriate actions taken to prevent an exception.
■ Memory utilization on a server is currently at
65% and increasing. If it reaches 75%, response
times will be unacceptably long and the OLA
for that department will be breached.
■■ The collision rate on a network has increased by
15% over the past hour.

Second-level event correlation
If an event is a warning, a decision has to be made
about exactly what the significance is and what
actions need to be taken to deal with it. It is here
that the meaning of the event is determined.

Further action required?**
textIf the second-level correlation activity recognizes
an event, a response will be required.**

■ Exceptions to any level of CI performance
defined in the design specifications, OLAs or
SOPs

■ Exceptions to an automated procedure
or process, e.g. a routine change that has
been assigned to a build team has not been
completed in time

Alarms, alerts and thresholds

Operational and service level requirements
associated with events and their actions

Event correlation tables, rules, event codes and
automated response solutions that will support
event management activities

Roles and responsibilities for recognizing events
and communicating them to those that need to
handle them

Operational procedures for recognizing,
logging, escalating and communicating events

Events that have been communicated and
escalated to those responsible for further action

Event logs describing what events took place
and any escalation and communication activities
taken to support forensic, diagnosis or further
CSI activities

Events that indicate an incident has occurred

Events that indicate the potential breach of an
SLA or OLA objective

Events and alerts that indicate completion
status of deployment

Populated SKMS with event information and
history.