Event Management Fundamentals Flashcards
What is an application service, within the context of ServiceNow’s ITOM Suite?
A collection of components that offer a service to your organization.
These components can include
- Network Devices
- Computers
- Applications
- etc.
What does Discovery do, within the context of ServiceNow’s ITOM Suite?
Discovery discovers and inventories components (Configuration Items) that make up an IT Infrastructure.
The technology provides a scheduled classification and update of configuration items and populates the Configuration Management Database.
What does the CMDB (Configuration Management Database) do?
Catalogs the assets and services controlled by a company. The CMDB can be thought of as a database of configuration items, where CIs are hardware and software infrastructure components required to deliver a service.
What does Service Mapping do, within the context of ServiceNow’s ITOM Suite?
Service Mapping moves the CMDB into the next strategic level by providing a targeted mapping of the IT components that support an application service.
The CMDB is transformed from an inventory to a service-aware dependency map.
What does Event Management do, within the context of ServiceNow’s ITOM Suite?
Event Management collaborates with existing monitoring systems to provide a real time state of the IT infrastructure. The application processes infrastructure events through a combination of event mappings and rules. Events are converted and consolidated into significant alerts for investigation and remediation.
What are 4 main features of ServiceNow’s ITOM Suite?
- CMDB population with devices and applications
- Service Mapping with dependencies
- Service Health with event and alert processing
- Infrastructure remediation with Integration Hub workflows and activities.
What do Metric Intelligence and Health Log Analytics do?
(Supported by Agent Client Collector)
They proactively identify anomalies in your IT infrastructure before they cause service outages.
How is Integration Hub able to provide automated investigation and remediation of IT systems?
Through the use of workflow, MID Server, and network processing technologies.
How is Event Management helpful?
Event Management enables visualization of the state of the entire IT infrastructure with several tools.
What does the Service Operations Workspace service dashboard do?
Provides a service-centric view that focuses on how alerts are impacting applications services.
What does the Event Management Overview dashboard do?
Gives you a quick summary of active alerts and affected services. It can be configured to display alert analysis by service and/or configuration item.
What is an event, within the context of Event Management in ServiceNow?
An event is a notable occurrence/notification from the infrastructure
In other words, an event is a monitoring tool notification indicating something of interest has occurred, like a failure or a warning.
The event contains information about the issue to help diagnose and resolve it.
What determines if an event should be ignored, converted into a new alert, or update an existing alert?
Event processing with event rules
What is an event rule, within the context of Event Management in ServiceNow?
A configuration that defines the conditions and actions to be taken when specific events occur within an organization's IT infrastructure.
What is a metric, within the context of Event Management in ServiceNow?
A metric is a measure of an operating characteristic for a device over time, like memory usage or CPU utilization.
What is Table Rotation, and why is it important within the context of Event Management in ServiceNow?
Table Rotation refers to the process of managing historical data in tables.
It is important to Event Management because, on a daily basis, events older than 5 days are cleared out of the event table via table rotation.
- For performance reasons, table rotation should not be altered.
What are some Key Features for Event Management?
- Consolidates events from different sources
- Filters events to reduce noise and generate qualified events
- Relates events to CMDB CIs
- Identifies alerts created due to planned maintenance
- Performs service impact analysis
- Provides dashboards for understanding health and service status
- Spawns SN tasks from alerts
- Assists with alert remediation - automated or manual
In the context of a MID Server, what does M.I.D. stand for?
Management
Instrumentation
Discovery
What is a MID Server, within the context of ServiceNow Event Management?
The MID Server is a Java application that runs on a server on your local network as a Windows Service or a Unix daemon.
(Enables communication between a ServiceNow instance and the customer network)
What does the MID Server do?
Facilitates communication and movement of data between the ServiceNow instance and external applications, data sources, and services.
Within the context of Event Management, to what do MID Servers connect, and how do they connect?
In Event Management MID Servers connect to monitoring systems via connectors implemented with JavaScript and Groovy scripts.
Baseline connectors enable connection with a wide range of different systems.
Within the context of Discovery, how does the MID Server initiate communication?
By querying the ServiceNow External Communication Channel (ECC) Queue.
What is the ServiceNow External Communication Channel (ECC) Queue used for?
Data synchronization between the MID Server and the ServiceNow instance.
ECC Queues are used to transmit data, such as Discovery probe results or other information collected by MID Servers, from remote locations (where MID Server is installed) to the central ServiceNow Instance.
Why is the ECC Queue important, within the context of data validity?
It helps maintain the synchronization and integrity of data across distributed environments.
Where is the MID Server installed?
The MID Server is installed behind the customer firewall, as close to the target devices (line-of-sight) as possible.
How does the MID Server initiate communications?
The MID Server initiates communications using SOAP on HTTPS port 443, which means that all communications are secure and initiated inside the enterprise firewall. No special firewall rules or VPNs are normally required.
What types of calls are made in the relationship between the MID Server and the ServiceNow instance?
MID Servers make outbound calls to the ServiceNow instance.
No inbound calls are made from ServiceNow to the MID Server.
Data is returned to the ServiceNow instance in XML and JSON formats.
What Operating Systems support MID Server installation, and what type of account is needed?
Windows and Linux 64-bit operating systems
The service requires a non-admin account on the host machine to run under.
What setup tasks are necessary for a MID Server manual installation?
- Create ServiceNow user
- Download installer file
- Install, validate, and test connectivity
Extended Response:
- Create the MID Server user account and grant the appropriate role (mid_server) to this user (in SN).
- Download the appropriate installer file to the host machine
- Install the MID Server on a Linux or Windows host.
- Validate the MID Server to ensure that it is trusted
- Test connectivity between the MID Server and the instance.
Why would you deploy multiple MID Servers in your network?
For load balancing or when domain separation is required.
What is the External Communication Channel (ECC) Queue?
A connection point between an instance and the MID Server. Jobs that the MID Server needs to perform are saved in this queue until the MID Server is ready to handle them.
What is Long Polling, within the context of MID Servers?
Long Polling refers to an event-driven feature used for asynchronous communication between the MID Server and the ServiceNow instance. Long Polling allows a MID Server to continually query because the MID Server subscribes to an AMB (Asynchronous Messaging Bus) that is continuously available in the instance.
The request is kept open by ServiceNow much longer than a typical HTTP request. The ServiceNow server holds the request until new data or updates are available.
Why would you use Long Polling as opposed to traditional polling, within the context of the MID Server?
In a traditional polling approach, the MID Server would periodically send requests to the ServiceNow instance. This constant polling can be resource-intensive and may not provide real-time responsiveness.
Long polling reduces the overhead of continuous polling and provides near-real-time communication. It is especially useful when the MID Server needs to respond quickly to events or receive updates as soon as they are available.
What is an Asynchronous Messaging Bus (AMB)?
A communication mechanism that allows different parts of the ServiceNow platform to exchange messages and data asynchronously. It enables loosely coupled components and processes to communicate without being tightly integrated.
What AMB Channel does the MID Server listen to?
The MID Server opens a persistent connection to the instance through the AMB client and listens on the /mid/server/<mid_sys_id> AMB Channel.
What happens when an output record is inserted into the ECC Queue?
An AMB message is sent to the MID Server’s channel. The MID Server receives this message and immediately polls the ECC queue for work.
What safeguard is in place to prevent AMB connection failure?
To safeguard against an AMB connection failure, the MID Server polls the ECC queue at 40-second intervals regardless of AMB message activity.
This interval is configured with the mid.poll.time parameter.
How does the MID Server know when it needs to upgrade?
The MID Server checks in with the ServiceNow instance hourly to determine whether it needs to upgrade.
How does Event Management use MID Servers?
To connect to third party monitoring systems via connectors.
What are Probes, within the context of the Discovery process?
Probes are small programs or scripts that run on a ServiceNow MID Server and use various protocols and methods to retrieve data from devices and systems being scanned.
There are 4 probe phases within the Discovery process, can you list them?
- Port Scan Phase
- Classification Phase
- Identification Phase
- Exploration Phase
There are 4 probe phases within the Discovery process. Please explain the first phase, the Port Scan Phase.
Port Scan Phase: Scan for open ports against the IP range. Open ports indicate the type of device. Some examples:
- port 22: Unix host
- port 135: Windows host
- port 515: printer
There are 4 probe phases within the Discovery process. Please explain the second phase, the Classification Phase.
Classification Phase: A classifier is created for each device and defines the device type based upon operating system or device function.
(Note that when CI classes are created in the CMDB, relationship rules must also be created)
There are 4 probe phases within the Discovery process. Please explain the third phase, the Identification Phase.
Identification Phase: An identifier is created for each device that captures key data about the device. (serial number, MAC address, etc)
There are 4 probe phases within the Discovery process. Please explain the fourth phase, the Exploration Phase.
Exploration Phase: Multiple exploration probes are generated for the target to capture device data (running processes, RAM, hard drive, etc)
How do probes collect data about CIs in the Discovery process?
The probes are placed as output records on the ECC queue. The MID Server downloads and executes the probe against the targets. The results are returned as input records in XML format on the ECC Queue. ServiceNow sensors parse the XML and update the CMDB.
What does Bottom-Up mean within the context of Discovery?
Bottom-Up refers to a discovery approach that starts from the lower levels of an IT infrastructure’s hierarchy and gradually works its way up to discover and map higher-level CIs and dependencies.
What does Top-Down mean within the context of Discovery?
Top-Down refers to a discovery approach that begins at the higher levels of an organization’s IT infrastructure hierarchy and gradually drills down to discover and map lower-level CIs and dependencies.
In Discovery, when should you use a Top-Down approach?
Service Mapping Discovery: Top-Down
Top-Down discovery discovers only the IT components that support the provisioning of the service.
- Service-Centric Focus: You want to prioritize the discovery of critical business services and understand how they rely on underlying infrastructure. This approach is excellent for organizations where maintaining service availability and reliability is paramount.
- Impact Analysis: You need to quickly assess the impact of changes or incidents on key services. A Top-Down approach helps you identify the dependencies and relationships that affect service delivery.
- Strategic Planning: You are planning for IT service management (ITSM) or service-oriented initiatives, and you want to align your discovery efforts with your service management strategy.
- Limited Resources: You have limited resources or need to make efficient use of your discovery capabilities. Starting with critical services can provide immediate value without exhaustive infrastructure scanning.
In Discovery, when should you use a Bottom-Up approach?
Traditional Horizontal Discovery: Bottom-Up
Bottom-Up discovery discovers all infrastructure assets based upon the scope of an IP range.
- Infrastructure-Centric Focus: You need a comprehensive understanding of your entire IT infrastructure, including all devices, servers, and network components. This approach helps you build a detailed inventory from the ground up.
- Infrastructure Changes: You are primarily concerned with tracking changes to hardware and software configurations, managing assets, and ensuring compliance.
- Complex Environments: Your organization has a highly complex and diverse infrastructure with numerous interconnected components that require detailed mapping.
- Security and Compliance: You are focused on security and compliance and need a thorough inventory for auditing and monitoring purposes.
What are Dependency View Maps, within the context of Event Management?
Dependency View Maps graphically display CIs and the relationships between them. It is a logical model showing how CIs are related.
What is the Root Node within the context of Event Management’s Dependency View Map?
The Root Node, also called the Root CI, is the starting point of the Dependency View Map.
The Root CI is surrounded by a darker frame that repaints itself with a pulsing effect.
What are Application Service Maps within the context of Event Management?
Application Service Maps provide a topology view for the CIs that support the provision of a particular service.
What is a Service?
A Service is a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership or specific costs and risks.
What are the baseline services that ServiceNow provides?
- Business Services
- Application Services
- Technical Services
What are Business Services in ServiceNow?
Business Services, typically orderable by business users, provide different offerings and service level commitments via the Service Catalog (procurement, shipping, finance).
What are Application Services in ServiceNow?
Set of interconnected applications and hosts which are configured to offer a service to the organization.
Logical representations of deployed application stacks, such as a unique instance of an application. They can consist of discovered services, manual services, or both created with Service Mapping or CIs in the CMDB.
What are Technical Services in ServiceNow?
Technical Services are published to service owners and typically underpin one or more business or application services.
What are Dynamic CI Groups in ServiceNow?
Dynamic CI Groups are technical services populated with a relationship to a CMDB group. It is a dynamic grouping of CIs based on common criteria.
What is the Common Service Data Model (CSDM)?
A framework and approach used to standardize and structure data in the ServiceNow platform. The CSDM is designed to provide a common language and data model for defining, organizing, and representing IT services, assets, and other CIs in a consistent manner.
Within the context of the CSDM, what is A Business Capability?
A business mission or model.
Within the context of the CSDM, what is A Business Application?
Represents the environment to fulfill a business model.
How is Event Management related to Discovery and Service Mapping?
Event Management uses the maps and relationships defined by these applications to visually display the health of application services.
What are the two key Event Management tables?
The Events table (em_event)
The Alerts table (em_alert)
What does the Event table contain, within the context of Event Management?
The Event table (em_event) contains events received from monitoring systems, in approximate real time, including details of the issue.
What does the Alert table contain, within the context of Event Management?
The Alert table (em_alert) contains alerts generated from the processing of events.
What are some child tables of the Services table?
- The Business Service Table
- The Technical Service Table
- The Application Service Table
+ Other Service Tables
The Application Service table, which extends the Service table, is itself extended by 3 tables that appear in the Event Management Operations Workspace (once the service is set to operational and can represent service health with alerts).
What are those tables?
- The Mapped Application Service table (cmdb_ci_service_discovered)
- The Dynamic CI Group table (cmdb_ci_query_based_service)
- The Manual Service table (cmdb_ci_service_manual)
The lifecycle of an event within Event Management is defined by the State attribute.
What are the 4 valid state values?
- Ready
- Processed
- Ignored
- Error
The lifecycle of an event within Event Management is defined by the State attribute.
What does the Ready state indicate?
Event has not yet been processed by the system and is ready to be.
The lifecycle of an event within Event Management is defined by the State attribute.
What does the Processed state indicate?
Event was successfully processed by the system
The lifecycle of an event within Event Management is defined by the State attribute.
What does the Ignored state indicate?
Event has been ignored because of an event rule.
The lifecycle of an event within Event Management is defined by the State attribute.
What does the Error state indicate?
Event encountered errors during processing, for example if the severity field was blank
What is Event De-duplication, within the context of Event Management?
Event de-duplication refers to the process of identifying and eliminating duplicate event messages.
What is a Message Key, within the context of Event Management?
A Message Key is a unique identifier associated with an event message used for de-duplication of events.
This identifier is typically extracted from the event payload or message and contains a subset of event attributes that are most likely to uniquely identify the event.
When viewing an event record, what is contained within the Node field?
The event Node is the physical/virtual host/device on which the event occurred.
(Typically one of the fully qualified domain name (FQDN), IP, or MAC addresses associated with the event.)
When viewing an event record, what is contained within the Source field?
The monitoring tool generating the event.
What is something important to remember about the Severity field of an event record?
Severity is a required field and if not populated will cause an error state. Event rules can be used to populate or translate severity into the ServiceNow standard in the alert.
What does a Message Key do, within the context of Event Management?
Uniquely identifies the event and determines if an existing alert is updated. The Message Key determines whether this is a repeat or update of an existing event that needs to be associated with an existing alert. Repeated events use the same key, the alert uses the same key as the event, and an alert can have many events attached.
If an event has no source-provided Message Key, what is the auto-populated key in the alert composed of?
- Source
- Node
- Type (optional field)
- Resource or host
- Metric Name
Example Message Keys:
- SolarWinds_100%CPU_10.1.1.19_CPU-CORE-1
- NGPerfMgr_MonAgentDown_GPMSProd01_AgentSrvce
What is an Event Rule within the context of Event Management?
An Event Rule is a configuration that specifies conditions based on event attributes, relationships, and logic. It is used to evaluate incoming event data and determine how to process, correlate, and take actions on those events.
Event rules provide a key component in event transformation to alerts.
Event rules do not change the event records in the event table but define the resulting alert content.
Give a simplistic high level overview of the Event Processing process within the context of Event Management.
- An external monitoring tool detects something deemed important and sends an event using the MID Server and REST APIs
- An event is inserted into the event table
- Event rule processing applies
- Event field mappings apply
- Alert (maybe) generated
After an event arrives in the Event table, what is the next step in Event Processing?
As events arrive, event rules are checked in their assigned order for a match.
What does ServiceNow provide to simplify the creation of Event Rules?
Event Management provides recommended rules based on events actually flowing in.
The recommended rules engine analyzes and groups the events, and even provides filter regex expressions used to create the group.
What is the first filtering value within an Event Rule and what are some important things to remember about it?
The Source is the first filtering value within an event rule.
- If left blank, all sources will be included.
- The order is important as rules are processed in designated order.
- Multiple matching event rules can be applied by selecting Apply additional matching rules (If selected then threshold is disabled)
What does the Event Rule Filter typically contain, within the context of Event Management?
Conditions that must be matched by the fields of the event to trigger the rule (you can also ignore events matching the filter)
How are the terms Transform and Compose relevant to Event Management and Event Rules?
Event rules enable event data to be transformed and composed to provide more meaningful data in the alert and to bind to the most appropriate CI.
For Example:
Node information embedded in the description can be placed in the node field in the alert for automatic CI binding. You can also manually compose new fields.
You are working with data gathered from an event. You are realizing that you need data slightly different than what is provided by the event. What are the two main options available and how do you determine which one to use?
- Manipulate the data to be more meaningful
- Reconfigure the source to provide different data
The approach you decide to take will be determined based upon your particular environment and use cases. Each case will be unique, but trying to work with the data before reconfiguring the source is a good idea for beginners.
What does event processing attempt to do with the text in the Node field (on the event record) by default?
Attempts to match the text in the Node field to a hostname, IP address, or MAC address, and bind the alert to the matching hardware.
When trying to bind event alerts to the relevant Configuration Item, what would you do if the event provides no information in the Node field, but does contain identifying information in the description field?
Event processing attempts to automatically associate alerts to CIs using the Node field, so if no information is provided there we must do something else.
Because the description field in this scenario would contain identifying information we can utilize auto-regex parsing to extract the relevant information from the description and store it in the alert’s node field, enabling binding of the resulting alert to the correct CI.
What setting causes the disabling of Event Rule Thresholds for certain rules?
Rules using the Apply additional matching rules will have thresholds disabled.
What do Event Rule Thresholds do?
Thresholds enable the processing of events based upon a threshold metric and volume over a specified time period. (The rate at which the event occurs over the defined period of time).
If a threshold is met, an alert is generated.
What is a Close Alert Operator within the context of event rule thresholds?
The Close Alert Operator defines what is considered "quiet", indicating that there is no longer a problem, and then closes the alert.
What are the standard ServiceNow Event Management severities?
Standard ServiceNow Event Management severities are:
- 1 – Critical
- 2 – Major
- 3 – Minor
- 4 – Warning
- 5 – OK (previously Info)
- 0 – Clear
What’s a primary benefit of alert binding to the correct CI?
It simplifies the task of remediation for operators
Which fields does the default binding consider when binding alerts to CIs?
Node field to match CI name, FQDN, IP or MAC address field of host CIs
For which CI types does the default binding usually match?
Computer, switch, router, or any CI type extending the cmdb_ci_hardware table.
When you want to bind to nonhardware CI components, what should you do?
Override the default binding with event rules
How does CI Identification work within the context of CI binding?
It depends on identifying a host, then looking for a matching CI class running on that host.
When might you use regex in the event rule for Alert CI Binding?
To parse the event and populate the relevant values and key attributes in the alert.
What is the first step in the CI Binding Process Flow when an event arrives?
Event Management checks the node or CI identifiers.
What happens in the CI Binding Process Flow if no node exists?
The generated alert can bind to the CI using the alert Type, Additional information, or Configuration item identifier fields
What’s the significance of CI Identification rules in the context of Alert CI Binding?
They leverage the identification and reconciliation engine (IRE) to uniquely identify a class.
How does CI Field Matching work for CI binding?
It uses your selected CI type and name:value pairs in the Additional Information field to find a matching CI.
When binding directly to a nonhost CI using CI Field Matching, what’s an essential step?
Use Transform and Compose to clear the node field and populate the Additional Information field with identifying attributes.
How does the binding process differentiate between an event with a specified CI type running on an identified host versus directly binding to a non-host CI?
For an identified host, it identifies the host first and then looks for the specified CI type. For direct non-host CI binding, it relies on unique CI attributes.
What might you need to do if all the CI attributes in additional information are included in the matching algorithm?
Use Manual attributes to add the attribute name again with no value, effectively removing them from the matching process.
Why might monitoring tools be configured to provide enriched data for Event Management in ServiceNow?
To better identify the Configuration Item (CI) when generating events.
What is the role of Transform and Compose within the context of Alert CI Binding in Event Management?
It’s used to parse the event data, especially when the key binding data may not always appear against the correct attribute in the event. This aids in populating relevant values and key attributes in the alert.
What is the significance of the IRE when considering CI Identification in Alert CI Binding?
The Identification and Reconciliation Engine (IRE) leverages identification rules specific to the CI class to uniquely identify it, helping to correctly bind alerts.