(This blog post is inspired by the talk that I will be giving at DevOps Talks Conference Melbourne and DevOps Talks Conference Auckland. Hope to...
by Matt Stratton
March 4, 2019
Thanks to the DevOps movement, we now understand why software delivery chains that consist of a series of silos are bad. They complicate communication between different teams, leading to delivery delays, backtracking, and bugs.
When it comes to incident management, there is another type of silo to contend with: the kind that separates incident management data from one vendor or product to another. These silos hamper incident resolution because they make it harder to collect and analyze monitoring data from multiple sources.
How do you break down these silos to keep incident management operations flowing efficiently?
The first step in working past incident management silos is to understand why silos exist in the first place.
The reason is simple: modern infrastructure consists of diverse hardware and software, and most components have their own monitoring needs. Each emits information in its own format and on its own schedule, and each requires its own collection method. The monitoring information for each part of the infrastructure therefore lives in a silo, because it is not directly comparable to data from other parts.
As a basic example, take a datacenter that consists of ten bare-metal servers running Windows and another ten bare-metal servers that run Linux. In this scenario, the company would require different monitoring tools for its Windows and Linux servers. Although some of the monitoring information for each type of operating system (such as whether the host is up) would be the same, other data would not be. And either way, the data would need to be collected by tools that are compatible with the operating system in question. Each context, therefore, becomes a distinct silo, with its own miniature ecosystem of monitoring tools and data.
This is just a simple example, by the way. Things are much more complicated in most real-world settings, where you have not just two types of bare-metal servers to monitor, but virtual servers running on one or more kinds of hypervisor, workstations running different desktop operating systems, and mobile devices powered by a widely varying array of mobile operating systems and versions.
How do you eliminate the silos that separate each monitoring context within your infrastructure so that you get seamless and holistic monitoring visibility? The solution has two parts.
The first step is to implement an incident management solution that can collect information from diverse types of environments, then forward that information to a central location. This way, engineers can monitor the entire infrastructure from a single vantage point. They don’t need to go looking inside individual silos to monitor different parts of the infrastructure.
Centralized data collection requires an incident management solution that is smart enough to aggregate monitoring information from multiple sources. This is no trivial task; supporting a wide range of environments and endpoints requires integration with many different types of monitoring systems, sometimes even custom tooling.
The second step is one that is easy to overlook. In addition to aggregating data from many monitoring tools and exposing it in a central location, incident management teams also need to translate all of the data into a consistent format.
Data translation is the only way to ensure that every engineer is able to interpret and react to alerts from any source. Without it, engineers would need expertise in a particular monitoring system, or knowledge of a particular vendor's schema, to understand data that originated there. Making all of the data available in a central location would therefore do little to break down silos, because tall barriers would still separate the different monitoring contexts.
Consider, for example, the different ways in which Zabbix and Nagios use the term "alias." In Zabbix, an alias is basically a shorthand defined in the agent configuration for a longer item key. In Nagios, an alias is a descriptive name given to a host; its meaning is narrower. If you don't understand this difference and you see data from both Zabbix and Nagios aggregated in a centralized dashboard, things can easily get confusing.
For effective incident management then, you need a solution that can translate vendor- and platform-specific terminology into a single, consistent language. Only with event normalization, such as that enabled by the PagerDuty Common Event Format, can responders easily and accurately interpret data from multiple sources.
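As an added illustration of the translation step (example code written for this edit; it is not from the original post and not PagerDuty's integration code), the following Python normalizer takes constructed Nagios-style and Zabbix-style alerts and emits the same PD-CEF-shaped dictionary for both, so a responder never has to know which system's severity vocabulary or "alias" meaning applies. The PD-CEF field names (summary, source, severity, timestamp, component, group, class, custom_details) are the documented ones; the input key names, the severity mapping tables, and the sample alerts are assumptions made for the example.

```python
"""Normalize alerts from two monitoring systems into one common schema.

Added example, not code from the original post or from PagerDuty. The target
field names follow the PagerDuty Common Event Format (PD-CEF). The input key
names are modelled loosely on Nagios notification macros ($HOSTNAME$, ...)
and Zabbix action macros ({HOST.NAME}, ...); those layouts, the severity
tables and the sample alerts below are assumptions, not a vendor integration.
"""
from datetime import datetime, timezone

# PD-CEF allows exactly these four severity values.
PD_SEVERITIES = ("critical", "error", "warning", "info")

# Assumed mapping from Nagios host/service states to PD-CEF severities.
NAGIOS_SEVERITY = {
    "CRITICAL": "critical", "DOWN": "critical", "UNREACHABLE": "error",
    "WARNING": "warning", "UNKNOWN": "warning", "OK": "info", "UP": "info",
}

# Assumed mapping from Zabbix trigger severities to PD-CEF severities.
ZABBIX_SEVERITY = {
    "Disaster": "critical", "High": "error", "Average": "warning",
    "Warning": "warning", "Information": "info", "Not classified": "info",
}


def normalize_nagios(event: dict) -> dict:
    """Map a Nagios-style notification (macro names as keys) to PD-CEF."""
    is_service = "SERVICEDESC" in event
    state = event["SERVICESTATE"] if is_service else event["HOSTSTATE"]
    component = event["SERVICEDESC"] if is_service else "host"
    output = event.get("SERVICEOUTPUT" if is_service else "HOSTOUTPUT", "")
    # $TIMET$ is a Unix timestamp; PD-CEF wants an ISO 8601 string.
    when = datetime.fromtimestamp(int(event["TIMET"]), tz=timezone.utc)
    return {
        "summary": f"{event['HOSTNAME']} {component} is {state}: {output}",
        "source": event["HOSTNAME"],
        "severity": NAGIOS_SEVERITY.get(state, "warning"),
        "timestamp": when.isoformat(),
        "component": component,
        "group": event.get("HOSTGROUPNAME"),
        "class": "nagios",
        # In Nagios an "alias" is a descriptive host name. It is kept under an
        # explicit key so a reader never needs to know the Nagios meaning.
        "custom_details": {"host_alias": event.get("HOSTALIAS"), "raw": event},
    }


def normalize_zabbix(event: dict) -> dict:
    """Map a Zabbix-style trigger action (macro names as keys) to PD-CEF."""
    resolved = event.get("EVENT.VALUE") == "0"  # 1 = PROBLEM, 0 = recovery
    # Assumed: EVENT.DATE/EVENT.TIME are yyyy.mm.dd and HH:MM:SS, server in UTC.
    when = datetime.strptime(f"{event['EVENT.DATE']} {event['EVENT.TIME']}",
                             "%Y.%m.%d %H:%M:%S").replace(tzinfo=timezone.utc)
    severity = ZABBIX_SEVERITY.get(event["TRIGGER.SEVERITY"], "warning")
    return {
        "summary": f"{event['HOST.NAME']}: {event['TRIGGER.NAME']}",
        "source": event["HOST.NAME"],
        # A recovery is informational no matter how severe the trigger is.
        "severity": "info" if resolved else severity,
        "timestamp": when.isoformat(),
        "component": event.get("ITEM.KEY"),
        "group": event.get("TRIGGER.HOSTGROUP.NAME"),
        "class": "zabbix",
        # Vendor vocabulary survives only inside custom_details.
        "custom_details": {"trigger_severity": event["TRIGGER.SEVERITY"],
                           "raw": event},
    }


NORMALIZERS = {"nagios": normalize_nagios, "zabbix": normalize_zabbix}


def normalize(source_system: str, event: dict) -> dict:
    """Translate an alert from any registered source into the common schema."""
    if source_system not in NORMALIZERS:
        raise ValueError(f"no normalizer registered for {source_system!r}")
    common = NORMALIZERS[source_system](event)
    if common["severity"] not in PD_SEVERITIES:
        raise ValueError(f"{common['severity']!r} is not a PD-CEF severity")
    return common


# Constructed sample alerts (not captured from real systems).
SAMPLE_NAGIOS = {
    "HOSTNAME": "web01", "HOSTALIAS": "Primary web server",
    "HOSTGROUPNAME": "web", "SERVICEDESC": "HTTP", "SERVICESTATE": "CRITICAL",
    "SERVICEOUTPUT": "HTTP CRITICAL: connection refused", "TIMET": "1551690000",
}
SAMPLE_ZABBIX = {
    "HOST.NAME": "db01", "TRIGGER.NAME": "Free disk space is less than 10% on /",
    "TRIGGER.SEVERITY": "High", "EVENT.VALUE": "1", "EVENT.DATE": "2019.03.04",
    "EVENT.TIME": "09:05:00", "ITEM.KEY": "vfs.fs.size[/,pfree]",
    "TRIGGER.HOSTGROUP.NAME": "databases",
}

if __name__ == "__main__":
    import json
    for system, sample in (("nagios", SAMPLE_NAGIOS), ("zabbix", SAMPLE_ZABBIX)):
        print(json.dumps(normalize(system, sample), indent=2))
```

Two design choices matter here. First, an unknown source or a severity outside the four PD-CEF values is rejected rather than passed through, so a new integration cannot quietly reintroduce a vendor-specific vocabulary into the central view. Second, the original payload is preserved in `custom_details`, so normalization never discards evidence a responder may need once the alert is being worked.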
The complexity of modern infrastructure makes it difficult to avoid silos. Yet, that does not mean that monitoring information has to live within those silos, as information is only useful when it can be understood and acted upon. By aggregating monitoring information from diverse sources and translating it into a language that anyone on the on-call team can understand, incident management teams can break down the silos that exist within their infrastructure. They will then enjoy seamless communication and agile, real-time response to incidents.
Dunatov, Devin. “Speeding.” Jul 17, 2012. Online image. <https://www.flickr.com/photos/ddunatov/7588797542>