I have a few questions regarding how data flows to the correlation engine. From my limited understanding, here's a list of the steps as I think they should be:
From Event Receiver to Correlation Engine (for both the Correlation Engine on the ERC and the ACE, in the case of real-time rule-based correlation):
- The ERC gets or receives events from various data sources. The ERC does its parsing job.
- The ESM pulls parsed events from the ERC in a timely manner.
- As soon as the ESM gets events, it sends all events to every correlation engine it knows about, e.g. both on the ERC and on the ACE if there is a correlation engine on both. (I'm not sure about this step. Does the ESM push events to the correlation engine, or does the correlation engine pull events from the ESM?)
- The ESM pulls correlation events from the correlation engine if any rule matched and correlation events were produced.
In my opinion, the correlation engine, like any other data source object, gets events and processes them according to rules. However, in the case of the correlation engine these aren't parsing rules but correlation rules.
Here are my questions:
- Could someone confirm my data flow above, especially step No. 3? I want to know whether it's the ESM that pushes events to the correlation engine or the correlation engine that pulls events from the ESM.
- In the case of a local correlation engine on the ERC, since we can think of the correlation engine as just another data source, the correlation engine data source will consume EPS on the ERC like any other data source, correct?
- If question No. 2 is true, does that mean that if we are going to use the correlation engine on the ERC, we have to size the ERC for double the EPS? (All events from data sources + parsed events from the ESM, so it's double.)
- If my assumption in question No. 2 isn't entirely correct, how much performance impact is there on the ERC if we are going to use the correlation engine data source? If the customer can't afford an ACE in the first place, how can we size the ERC in this case?
- If there are multiple ERCs, can the correlation engine on a single ERC perform correlation for all events coming from all ERCs, since all events pass through a single ESM? E.g. we could place a bigger model of ERC at HQ and small ones at the branches, then let the bigger ERC at HQ alone do the correlation for all events.
Thank you in advance for answering my questions.