FIDO performs multiple types of correlation.
1) Topology based
* unreachable IPs or nodes based on layer 3 topology [traceroute]
* service IP alarms to ICMP unreachable alarms
* ICMP unreachable alarms to known device interfaces
* LLDP/CDP based correlation, node based or interface based
* port channel/aggregated ethernet members
Correlation can occur in either a module or fido.pl itself. fido.pl correlation rules are described in utils/FidoCorrelation.pm
2) Comment based [aka human intervention]
* items that are tagged with the same comment are grouped together
3) Alarm attribute based [fido_group_correlation.yaml]
* As of 2014/03/08, this only applies to alarms that have not already been correlated by topology or by comment. Expired comments still count as comments.
* Attributes of alarms can be examined and if a positive match is made, the alarm is added to the evaluated group. An alarm can be a part of multiple groups; groups are then evaluated in priority order.
1) [./bin/update/update_icmp_ips.pl]: when selecting a PTR for an IP, if there is more than one, the device with the highest priority wins.
2) [./lib/FidoCorrelation.pm]: When doing topology correlation I try to rely on L2 (CDP/LLDP) or L3 traceroute data based on distance from the root node. If there is a break in topology continuity (for example, there is no CDP path from the root to a device, but there is one between two devices), the topology importance dictates which alarm should be the parent vs. the child from a correlation perspective.
This value is calculated by $FIDO/bin/update/update_topology_info.pl.
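The parent/child choice described in item 2, as an added example that is not FIDO's own code: alarms on adjacent devices are ordered by hop distance from the root, and topology importance decides when no path to the root exists. The device names, link table and importance values are constructed, and it is an assumption here that a larger importance number wins and that equal distances also fall back to importance.

```perl
use strict;
use warnings;

# Constructed sample data (not from FIDO): CDP/LLDP adjacencies, alarmed devices
# and topology importance. Assumption: a larger importance number wins.
my $root  = 'core1';
my %links = (
    core1 => ['dist1'],
    dist1 => ['core1', 'acc1'],
    acc1  => ['dist1'],
    edgeA => ['edgeB'],    # island: no CDP path back to core1
    edgeB => ['edgeA'],
);
my %importance = (dist1 => 50, acc1 => 10, edgeA => 20, edgeB => 80);
my @alarmed    = qw(dist1 acc1 edgeA edgeB);

# Breadth-first search from the root: hop distance of every reachable device.
sub distances_from {
    my ($start, $adj) = @_;
    my %dist  = ($start => 0);
    my @queue = ($start);
    while (defined(my $node = shift @queue)) {
        for my $peer (@{ $adj->{$node} || [] }) {
            next if exists $dist{$peer};
            $dist{$peer} = $dist{$node} + 1;
            push @queue, $peer;
        }
    }
    return \%dist;
}

# For two adjacent alarmed devices, return (parent, child, reason).
sub pick_parent {
    my ($x, $y, $dist, $imp) = @_;
    if (exists $dist->{$x} && exists $dist->{$y} && $dist->{$x} != $dist->{$y}) {
        return $dist->{$x} < $dist->{$y} ? ($x, $y, 'distance') : ($y, $x, 'distance');
    }
    # Break in continuity, or equal distance (assumption): use importance.
    return ($imp->{$x} // 0) >= ($imp->{$y} // 0) ? ($x, $y, 'importance') : ($y, $x, 'importance');
}

my $dist       = distances_from($root, \%links);
my %is_alarmed = map { $_ => 1 } @alarmed;
for my $dev (sort @alarmed) {
    for my $peer (sort @{ $links{$dev} || [] }) {
        next unless $is_alarmed{$peer} && $dev lt $peer;    # visit each link once
        my ($parent, $child, $why) = pick_parent($dev, $peer, $dist, \%importance);
        print "$parent is parent of $child (by $why)\n";
    }
}
```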