Does ITIL explain the difference between an Alert and an Event?

Help me please. I'm thrashing around in the morass of Service Operation, trying to get crystal clear on the difference/relationship between an Alert and an Event. Anyone?

P.S. we did skirt around this discussion before


Hi all, This is what i have

Hi all,

This is what i have in my FAQ section to make it easy to understand for a non-IT reader.

Q. What is the difference between an “event” and an “alert”?

A. An event indicated that something has happened. It can be just “information” (i.e. for you to know only), a warning (i.e. something is going wrong) or an exception (i.e. something has went wrong).
 Information events are logged for operational staff used to check the proper operation of the IT services.
 Warning events trigger “alerts” to notify responsible parties to take actions before things go wrong. Alerts are triggered when the IT services or devices approaching its thresholds (i.e. breaking points)
 Exception events are directed into Incident Management Process normally with high priority as something has went wrong already.

Event is the relevant occurence, Alert is a notification

A good answer to your question requires a bit of 'why do you need it' - is it for creating a Event Mgt 'tool', or to explain to those people who are sent to an ITIL Foundations by their manager.
Taking the latter for now - my interpretation of ambiguous ITIL is as follows:

Any detectable occurrence that is relevant for IT is an Event. If you think it is relevant to record that user X logs on, it's an event. If it's relevant when the temperature outside reaches 40 C, it's an event.

If there's any Event, a series of Events, or a set of correlated Events that require special attention - you need to draw attention to it.
A notification to draw attention to one or more Events, is what I call an Alert.
Could be a pop-up for an admin, a work-order in a tool, an email to the sys-admin, an internal service request - whatever is appropriate.

In the ITIL (example) categorization of Events (Information, Warning, Exception) - you could say Warnings are typically related to these Alerts, but not always.

On a side note:
Determining which Events you want to record, or even, which Events you want new services to spawn is an interesting, not clearly identified, task/process/procedure. ITIL says 'making sense' of Events is part of Event Management - and "Service Design" should pay attention to 'Metrics' and 'Service Mgt Systems and Tools' - so they deal with it too.
I call that the 'tactical' part of Event Mgt.

Events and Alerts

I've had this discussion with my customers for years and years.

I've been setting up 'monitoring and alerting' systems for the past 10 years. I haven't read the SO book, so beyond this thread I don't know how ITIL is describing them.

I've used the following in my discussions with my customers, or people on my team, so we are all on the same page.

Data Collection = anything we've (either the customer, or us based on our 'expertise') determined important enough to capture and record. The primary source for reporting.


Disk space utilization every 5 minutes (we don't care what it is, only that we capture/record it)
CPU, Security Log entries, End user emulation transaction times

Events = Any data collected that either has value for immediate action (either automated or manual) or contains information of a 'proactive' nature. Provides additional insight into Incident/Problem Management. Can be used by Problem to trend "events" over time.


Disk space has exceeded a certain threshold (over a period of time (my preference), or occurred once) - Perhaps 50%, or 65%, or 95%
A security log entry of a particular type
End user emulation transactions have failed - from one location or maybe all locations (over a period of time (my preference), or occurred once)

Alerts = Any event that meets or exceeds defined thresholds that require immediate attention/action by 'service providers' (sys admins, DBAs, network engineers, product managers, service managers, service desk). Indicators of Incidents and/or Problems.

Disk space has exceeded a certain threshold - usually something high like 95% and most always over a period of time (to avoid the "false positive")
A security log entry of a particular type
End user emulation transactions have failed - usually from more than 1 location and for a period of time.

Data collection > Events > Alerts
Lots of things > Some things > Few things

Alert must first be an Event which must first be Data that is collected.

Not all Data collected is worthy to be an Event - I just want to log CPU over time so I can graph it later
Not all events are worthy to be an Alert - CPU spiked once on one web server (although if it happens every day, perhaps Prob Mgmt using reports on Events can see this an investigate)
All Alerts should create Incidents and/or Problem tickets. Something is really messed up (or is soon to be) requiring immediate (or near immediate) action/work.

Monitoring vs Events

Agree... I'd say you can call the Data Collection "Monitoring Data".

Regarding, 'All Alerts should create Incidents and/or Problems': You could argue they can create a Service Request (or Standard Change): e.g. no harm done (yet) to any service/user and it's not likely to happen soon, but we would like someone to take a look at it some day soon.

Especially in this area, the adagium comes into play : "it depends on your situation"

Standard Changes

Should Standard Changes exist solely on their own? Meaning, should there be a Standard Change that has no Incident, Problem, or Service Request driving it?

If I have a CSI initiative, that may require a Standard Change - do I create a Service Request that would then drive the Standard Change (it may not be "Problem" or "Incident")? Example - Could be that I noticed that customers don't access data older than 2 years very often, or not at all over the past 6 months. I know that we can move that data to a less expensive Storage solution. That would a) lower the total cost of storage for the service and b) increase performance (smaller data set to search/sort). Maybe moving this isn't a "Standard Change", but let's pretend just to walk through the process. So, how do you move from CSI Registry to Change?

Or what if it is coming from Capacity Management? How do you move from Capacity Management to Change?

I would think that you go through Incident, Problem or Service Request - but do you allow, or think it is okay, to have no particular entry point into Change? Meaning, anything (or nothing) can be the entry point?

I bring this up because you mention Alerts could be an entry point to Change. I am not sure I agree. From Alert, to Problem/Incident/SR, to Change - I think this is appropriate.

that little round hook thingy

As commented above, everyone has an opinion on this. Intuitively I'd like alerts to lead to events, something to be managed. But my opinion is not the point. As an industry we should be able to agree on these things and be consistent.

"No, nurse, when I said scalpel I meant that little round hook thingy"
"Pass me the wrench. No, the wrench for screws"
"Oh I thought the piers were the end bits of the bridge. No wonder it fell down"

That is supposed to be the function of ITIL, to define the generally accepted terminology and practices.
It's fine if you then diverge from that reference framework, but you can document the fact so as to alert consultants, contractors, auditors and new staff.

ITIL should be clear on these things. In this case it is not too bad if people actually read the book properly and study it closely and spend the time with book experts to tease out the correct interpretation, but lots of folk don't have time for that.
Let's get the message agreed, clear, consistent and out there.

the ITIL definition

You raise an important point: ITIL's categorization of Events (Information, Warning, Exception) suggests to those of us who have worked with messaging consoles in the past that an event is any detected system change of state, and an alert is a filtered message requiring human attention or human or system action. Bit then why does it say "of significance" unless there was already some filtering went in to create the event? If I spent enough time studying the holy books or withdrawing on a Practitioner retreat I would no doubt reach enlightenment eventually.

Maybe we should start numbering every sentence: "when David 5:13.7 says 'take not thy neighbour's incident ticket' clearly it is a metaphor and not meant to be interpreted literally. What I think it refers to is..."

Holy matter

When you're looking for divine ITIL enlightenment in this matter, make sure you dont skip the sections on 'Complex Monitor Control Loops' and 'ITSM Monitor Control Loops'. Both with the double feedback loop! Or even the matrix "Reactive<>Proactive" vs "Active<>Passive" Monitoring.

This is one of the best sections of ITIL, as it includes a phrase that got my attention when I first stumbled upon it:

"All of this is interesting theory, but does not explain how the monitor control loop concept can be used to operate IT services." (ITIL(c) 2011, SO

Unfortunately, they scope it to monitoring control loops, and not the rest of ITIL :)

The ITIL Olympics

"Wow, he has performed a Complex Monitor Control Loop with double feedback and Active-Passive Monitoring. The judges have given that an average 9.5"

I try not to over-think some

I try not to over-think some of the ITIL stuff, it will make the head hurt :-) Looking at what we should be achieving through the service design and transition phases, this preliminary filtering should have taken place - whether it be defining thresholds and important states to monitor, setting up alerts for (and automagic response) for fault conditions that cannot/won't be fixed, or building instrumentation into the application or service. Microsoft calls it "Designing for Operations" - google is your friend.

Today the capability of management packs has improved to include some of these important events and correlations. In practice though, often this monitoring tuning is forgotten post-transition when in reality it needs constant feeding and watering just like a garden.

I think diagram 4.1 in the

I think diagram 4.1 in the SO book does a good job of describing the relationships between events, alerts, incidents. Not sure how it relates to the written definitions though. I like that they have drawn a distinction of actions between the warning and exception - not all filtered events should be incidents and certainly taking preventative action (via the warning) is a much more economical option. As for Informational, this needs a bit more pragmatism to it to avoid monitoring overload - we only want to record stuff which is useful - example - do I need to track a login activity for every user - no, but I want to track a login to certain systems for purposes of audit. Agreed that this is a tough concept to get across to students in a short space of time.

Notification vs Alert

I think there is a bit of confusion among readers of ITIL between and "Event Notification" and "Alert" as ITIL treats them. Many thinks (as I used to misinterpret initially too) that Event Notification = Alert.

It is clear from the diagarm 4.1 in ITIL v3 (4.2 in ITIL 2011) and associate description that ITIL treats them differently.

Event - any change of state that is occuring on the system

Event Notification - the notification generated by the CI/system or a monitoring tool that indicates that an event has occured on the CI/Service/System.

Then, after filtering and understanding of the significance, the appropriate response to that particular event is to be decided by event management.

The response could be:
- Trigger an auto-response to that event - running some scripts,reboots etc where the event is well understood (Modelled?)
- Trigger an appropriate process - Logging an incident ticket to trigger Incident mgmt for example
- Alert an appropriate person/specialist who can do the suitable human intervention for that event - email/phone call, SMS etc...

So, in this context, ALERT is just one of the possible response for a particular event. It may be applicable in some cases, while may not be applicable in some...

Hope this helps in the discussion...

Vinod Agrasala

all just ITIL

For the benefit of readers, Gary is referring to Figure 4.1 in the Service Operation book from the ITIL-previously-known-as-V3, which is of course now Figure 4.2 in the ITIL-previously-known-as-3.1-but-now-known-as-ITIL-2011. But hey, as TSO and a third of my readers insist, it is all just ITIL right?

From the service operation

From the service operation book:

"An event can be defined as any detectable or discernible occurrence that has significance for the management of the IT Infrastructure or the delivery of IT service and evaluation of the impact a deviation might cause to the services. Events are typically notifications created by an IT service, Configuration Item (CI) or monitoring tool."

So, yes a little general.

We typically classify Events as either Informational, Warnings or Exceptions, depending on the thresholds which are set.

You usually don't care too much about the Informational events - they can occur thousands of times a day and indicate normal service operation (i.e. someone logged on successfully), so why even track them within your monitoring tool console?

Based on that, I find it useful to consider Alerts as anything you actually want spomeone to take notice of - some or all of the Warning events (depending on where you want to set your thresholds), and all of the Exception events.

an alert is the information and an event is the action?

Adrian, if only it were that simple.

an Event refers to "a change of state that has significance for the management of ..." and an Alert is "a warning that a threshold has been reached, something has changed, or a failure has occurred". What's the difference?

"Events typically require IT Operations personnel to take actions, and often lead to incidents being logged", which is why I usually associate Events with needing to be processed as compared to Alerts as just information. Of course nothing is that clear-cut in ITIL. The Service Operation book also says that ALL alerts need to be handled as events, and notification/alerting is part of event management. So I'm confused again.

Maybe we can say an alert is the information and an event is the action...

P.S. with respect your definition or my definition don't matter here. ITIL attempts to define some standard terms so they are consistent in meaning and agreed. This industry is rife with people saying what THEY think terms mean (including me). That's supposed to be ITIL's job. I'm trying to discern what ITIL says.

This IS confusing

Try to explain this to people in an ITIL Foundation class, where you have limited time and limited text... (sigh)

I have interpreted in the following way:

Anything that has a significance for the the management of the infrastructure is an event. Which means from 'someone logged in' to 'system failed'. Events can be classified as: informational, warning, exceptional.

We have one set of events that we set thresholds for. We call these alerts. So alerts are a subset of events. Because we reach a threshold we have to take special action. This is where it becomes interesting: Are these the ones we would open incidents for ????

This is my interpretation... not saying this is correct, but people seem to accept this... the question of course rises is this THE best practice.

Peter Lijnse

Given that ITIL is all about

Given that ITIL is all about "adopt and adapt" or to put it another way "keep it vague and avoid the blame" I think you can pretty much use most of the terms in what ever way works for you.

In the absence of something definitive I like Peters take on it above and was about to submit something similar along the lines of "an alert is the notification created when an event occurs which exceeds a predefined threshold"

Yes..that's vague enough....perfect :)

Event is what happens and alert is fired as a consequense


Not a by the book definition, simply my understanding:

An event will happen. It happens even if it is not detected and flagged.

An alert is when a monitoring system detects it and raises this fact somewhere for further processing (and potentially triggers a notification as well).

So an Alert is always in response to an event (in other words there is always an event with an alert) but there is not always an alert with an event.

It seems to be clear that

It seems to be clear that ITIL isn't clear about these terms, and there isn't much value trying to make sense out of it based on ITIL. So you have to depend on yourself.

Here what MOF thinks about Event/Alert,

Event: An occurrence within the IT environment detected by a monitoring tool.
Alert: A notification that an event requiring attention has occurred.

I disagree with the Event definition. Based on my understanding of the english language I would prefer to change the definition of Event as stated below. I realize it's very broad but maybe that's just what it is.

Event: A noteworthy occurrence within the IT environment.
Alert: A notification that an event requiring attention has occurred.

I recall my first ITIL slides trying to sell it to management, which included some words like common terminology, standard taxonomy etc..... little did I know then. (still don't know much about ITIL, but learning a lot about ITSM every day).

Osama S.


Please explain then what is an exception. I have noticed that ITIL uses the term but it is not in the glossary.


"Exception" is an old term, so old its from when I was doing this stuff. it means a defined threshold has been exceeded.

Yes, I know

That was not really my question. I meant how exception differs from other ITIL terms.

If a mirrored disk fails it is all of these:
- event
- alert
- exception
- failure
- incident
- problem
- error

I think that the minimum requirement for a framework is that it contains a structured set of terms. Now ITIL has made such a mess of terms like incident and problem that they are worthless. I have written a short column on the subject here:

I teach my customers that customers have problems which IT solves. Solving a customer problem has three stages 1) restore the service 2) fix the broken component, if necessary 3) try to prevent similar customer problems in the future.

These stages need three practices and one is actually kind of missing from ITIL 2011.


PS While exception is not in the glossary, excitement factor is.

Yet again we find ourselves intepreting the great oracle ITIL


This is why you can't and should not run around a customer site shouting ITIL - it contains sharp objects!

I'm calling on my black project automated operations previous life here of 20 years ago - so treat me gently...

I think earlier responders are close here - an event is anything that we can or wish to record about what is happening. It has no implied level of importance. An alert is an event that is of special note because someone or something has indicated an interest in that event. Yes, one or more events can result in an alert, there should be a connection so whomever responds to the alert (notification) can access the event history and detailed records.

Events are moderated (cleaned up), correlated (related), and counted amongst other actions. So I see alerts as more of the notification aspect of an event. "You told me to tell you if this happened - it has!". It can be threshold driven but need not be - contrary to ITIL's definition.

Lets keep incident and the rest out of this for the moment until there is some better appreciation of events and alerts... because although Aale's list is interesting it is missing 'events' that happened prior to the event - for example - 'control barrier failure' - and assumed the event is related to a failure - please note - a valid event could be just information or newsworthy - "Its 5pm Friday and time to start overnight batch", or "two floorpads have gone off in the bank after hours, more than ten feet apart, and we don't know why" (hhmm thats more like two events and an alert!)

So stop trying to 'fix ITIL' just take note its at best a starter pack for those who have not lived event or alert mgt systems, and it will require someone with experience to child proof the room...

Oh a tip - since storage is so much cheaper today than in my youth - you might consider recording and archiving all those events originally deemed just noise and of no interest, just in case problem management wants to have a poke around at a later date....

I'm just listing ITIL concepts

My list just contained the related ITIL concepts I have found.


I do remember being involved in an operation automation project where the goal was to automatically filter the real alerts from the event stream. This happened in late 1980's. Suppose it was popular then.


It was popular then and it still is. Filtering is one area where I believe SOME automation is useful - to improve the signal to noise ratio.

But is it filtering the alerts from the message stream or the events from the alert stream or the alerts from the event stream or... tomayto tomahto

Syndicate content