Trap Processing Speeds

The following describes event processing speeds for the mediation service, the portion of this application that communicates directly with the devices under management, and the application server, which receives events from the mediation service, processes them, and formats them so that a client can view them. The nominal sustainable rate and a burst rate are two variations on these performance numbers. The sustainable rate is what is expected during normal operation.

This application typically does not lose traps as they come in. It can handle the burst rate, but only for a short period falls behind and events are backed up. This is standard behavior for Event Monitoring systems.

Application server inserts event data into the database, updates alarm states in the database, executes propagation logic, and executes any necessary automation. Besides handling incoming events, application server also handles client requests from event or alarm views and these result in database queries.

[spacer]

The performance of the database significantly effects event processing.

Mediation is a service. Without a separate mediation server, this service is running in the application server. The mediation service correlates events against the inventory model, applies event filtering, and determines what actions, if any, should execute for an event. When events come into the system, from any protocol, they queue for processing by mediation. At regular intervals, mediation submits processed events to the application server for more processing against the database. The remaining queued events wait while the current batch is being committed.

The application immediately converts SNMP traps into events and then queues them for mediation. It handles syslog differently, spooling all messages on disk first and then discarding or escalating them to event status. By default, all syslog messages are escalated. Handling a large volume of events may involve some analysis of the events coming in and modifications to event definitions and processing rules.

A separate mediation server commits more resources to receiving, filtering and converting incoming data. Offloading mediation services to a separate mediation server will also free up resources on the application server to do more alarm correlation and propagation. A dedicated southbound interface can also be configured to increase reliability at high rates.

The numbers here reflect both SNMP traps as well as Syslog messages. Syslog messages can be received at a higher rate without loss and are inspected very quickly, but escalated syslog messages must still go through general event processing and correlation.

[spacer]

Event type

[spacer]

 

[spacer]

SNMP

[spacer]

Syslog

Service

Sustained (traps/s)

Burst (traps/s)

Sustained (msgs/s)

Burst (msgs/s)

Mediation

200

4000

200

20,000

Application

120

2000

120

10,000

[spacer]

Sustained counts reflect the number of events that pass through correlation and filtering. For example, 10,000 syslog messages may yield only 50 escalated events. Here, the sustained rate for syslog is low because we are assuming all messages are escalated. Higher volumes require more configuration to detect and ignore unwanted traps or messages at the mediation layer.