Deployment

Once you have customized the input and output mechanisms and written policy files to reflect what the system should look for, you are now ready to deploy it. A simple configuration is with one correlator. This correlator would watch for all the events you care about and produce all the alarms you would ever want.
Another method is to use more than one correlator, but each having their own realm to watch over. This keeps policy files smaller, and each would only contain patterns relevant to a specific realm of interest.
Finally, you could set the correlators hierarchically, so that the alarms from one correlator were the input events to one higher up. This is beneficial for a number of reasons. First, it assists in load-balancing. Since the correlator keeps track of only events that its patterns require, the separate correlators would more effectively use memory. Second, it allows for more human-understandable policy files. Each file would only contain patterns relevant to a specific level of interest.