Security events generated by a number of network devices are gathered and
normalized to produce normalized security events in a common schema. The
normalized security events are cross-correlated according to rules to
generate meta-events. The security events may be gathered remotely from a
system at which the cross-correlating is performed. Any meta-events that
are generated may be reported by generating alerts for display at one or
more computer consoles, or by sending an e-mail message, a pager message,
a telephone message, and/or a facsimile message to an operator or other
individual. In addition to reporting the meta-events, the present system
allows for taking other actions specified by the rules, for example
executing scripts or other programs to reconfigure one or more of the
network devices, and/or to modify or update access lists, etc.
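
The normalize-then-correlate flow described above, as an added example that is not taken from the original text: the two device log formats, the common-schema field names, the `deny-then-alert` rule and the `alert-console` action label are all assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: (device type, native log line). Formats are assumed.
RAW_EVENTS = [
    ("firewall", "2024-01-01T10:00:00Z DENY src=10.0.0.5 dst=192.168.1.10 dport=22"),
    ("ids", "1704103210|alert|10.0.0.5|192.168.1.10|ssh-bruteforce"),
    ("firewall", "2024-01-01T10:05:00Z DENY src=10.0.0.9 dst=192.168.1.20 dport=80"),
    ("ids", "truncated-line"),  # malformed input must not stop the pipeline
]

def normalize_firewall(line):
    m = re.match(r"(\S+) (\w+) src=(\S+) dst=(\S+) dport=\d+$", line)
    if not m:
        return None
    ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": int(ts.timestamp()), "device": "firewall",
            "category": m[2].lower(), "src": m[3], "dst": m[4]}

def normalize_ids(line):
    parts = line.split("|")
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    return {"ts": int(parts[0]), "device": "ids",
            "category": parts[1], "src": parts[2], "dst": parts[3]}

NORMALIZERS = {"firewall": normalize_firewall, "ids": normalize_ids}

def normalize(raw_events):
    """Map every native line to the common schema, dropping unparsable ones."""
    events = [NORMALIZERS[dev](line) for dev, line in raw_events if dev in NORMALIZERS]
    return sorted((e for e in events if e), key=lambda e: e["ts"])

def correlate(events, window=60):
    """Rule: firewall deny, then IDS alert for the same src/dst within `window` s."""
    meta = []
    for i, a in enumerate(events):
        if (a["device"], a["category"]) != ("firewall", "deny"):
            continue
        for b in events[i + 1:]:
            if b["ts"] - a["ts"] > window:
                break
            if (b["device"], b["category"]) == ("ids", "alert") and \
               (b["src"], b["dst"]) == (a["src"], a["dst"]):
                meta.append({"rule": "deny-then-alert", "src": a["src"],
                             "dst": a["dst"], "ts": b["ts"], "actions": ["alert-console"]})
    return meta

if __name__ == "__main__":
    print(correlate(normalize(RAW_EVENTS)))
```

Only the first firewall/IDS pair yields a meta-event; the second firewall deny has no matching IDS alert inside the window, and the malformed line is dropped during normalization.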