Practical Considerations for Selecting Targets
My Nokia smartphone drives me crazy alerting me to things that I don’t need to know, that I can’t do anything about, and that interfere with basic operations (such as making phone calls). One particularly annoying message, “Packet Data Started,” often appears just as I’m beginning to dial a number, forcing me to acknowledge the message and restart my number dialing. Nokia thoughtfully included this feature to keep users without unlimited data plans informed that their phone is about to incur data charges. In my case, I have no need to see the message, since I have an unlimited data plan.
Don’t configure your systems like my smartphone, collecting events on which you don’t intend to act. If you can fully monitor a system but can’t do anything about the events it generates, why bother monitoring it? Event collection is always necessary to support investigations: even when you’re not actively monitoring events, you must collect them to support incident response. For targeted monitoring, however, events that you cannot mitigate are a distraction and should not generate alerts. For example, Figure 4-6 shows an Oracle alert from a Security Information Manager (SIM) system.

Figure 4-6. Oracle Application Server alert
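The distinction the section draws, archive everything for incident response but alert only on events you have a defined response for, can be made concrete in a small event router. The following is an added illustration, not code from the book or from any SIM product; the event types, hosts, and the policy table are constructed for the example.

```python
"""Route security events: archive every event for later investigation, but
raise an alert only for events that have a defined mitigation.

Added illustration of the 'don't alert on what you can't act on' principle.
The event samples and the policy table are constructed for this example and
are not drawn from any real monitoring product.
"""
from dataclasses import dataclass, field

# Constructed policy: event types the monitoring team can actually act on,
# mapped to the response they would take. Anything not listed is still
# archived for incident response but never alerted.
ACTIONABLE = {
    "failed_login_burst": "lock account and contact owner",
    "new_admin_created": "verify change ticket, revert if unauthorized",
    "malware_detected": "isolate host and open incident",
}


@dataclass
class EventRouter:
    archive: list = field(default_factory=list)  # every event, for investigations
    alerts: list = field(default_factory=list)   # actionable subset only

    def handle(self, event: dict) -> bool:
        """Archive the event; alert only if a mitigation exists.

        Returns True when the event produced an alert, False when it was
        archived silently.
        """
        self.archive.append(event)
        action = ACTIONABLE.get(event["type"])
        if action is None:
            return False  # informational only: keep the record, skip the alert
        self.alerts.append({**event, "response": action})
        return True


# Constructed sample feed mixing actionable and informational events
# (the first entry is the analogue of the phone's "Packet Data Started").
SAMPLE_EVENTS = [
    {"type": "packet_data_started", "host": "phone-01"},
    {"type": "failed_login_burst", "host": "web-01", "user": "admin"},
    {"type": "oracle_listener_info", "host": "db-01"},
    {"type": "new_admin_created", "host": "dc-01", "user": "svc_x"},
]


def run_sample() -> EventRouter:
    """Feed the constructed events through a fresh router and return it."""
    router = EventRouter()
    for ev in SAMPLE_EVENTS:
        router.handle(ev)
    return router


if __name__ == "__main__":
    r = run_sample()
    print(f"archived {len(r.archive)} events, alerted on {len(r.alerts)}")
    for a in r.alerts:
        print(f"ALERT {a['type']} on {a['host']}: {a['response']}")
```

The policy table is the important part: adding an event type to `ACTIONABLE` is a deliberate decision that someone owns the response, so the alert queue only ever contains work the team can actually do, while the archive still holds the full record an investigator will need later.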