Rules Authoring

This section explains how to use rules to correlate events in your environment.

Topics include:

Note: You can configure your ESM installation in compact mode, or in distributed mode, where you can have a cluster of multiple correlators, aggregators, and other components. Even if you initially installed ESM in compact mode, you can convert your system to distributed mode. The same applies if you upgraded from a previous ESM version, since previous ESM versions are essentially ESM in compact mode. The installation and configuration process is covered in either the ESM Installation Guide or the ESM Upgrade Guide. See also ESM 101 for conceptual information, and the ESM Administrator's Guide for distributed correlation management.

Throughout this section, you will see supplemental information specific to distributed correlation, which is flagged accordingly. Unless otherwise specified, the topics on rules processing apply to both compact and distributed mode.

See also Checking the Status of the Distributed Correlation Cluster for related information.