Weekly Report for week ending 15 June 2012
Spent some time reading literature around aggregating or combining event
alerts to see what the current state of the art is. Lots of information
about describing combinations of events (e.g. if A followed by B followed
by (C or D)) or filtering repeated events, but not much on combining
similar events from multiple monitors/locations. I'll look into this again,
I think, but for now my simple rules based on intersecting event sources
or targets within a few minutes of each other will suffice.

Wrote most of the structure for the event aggregation program and have it
working for my test input. Event information is accepted over a socket
from any number of sources and written to a database. Lists are maintained
of similar events (in time and location) which new events can be added to.
Event group information is also written to the database and updated as the
group membership expands.
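As an added illustration (not the report's own aggregator), the grouping rule described above in code: an incoming event joins an existing group when it shares a source or target with that group and arrives within a window, assumed here to be five minutes; otherwise it starts a new group. Socket input and the database are left out, and the sample events are constructed.

```python
from dataclasses import dataclass, field

WINDOW_SECONDS = 300  # assumption: "within a few minutes" taken as 5 minutes


@dataclass
class Event:
    monitor: str  # which detector raised the alert
    ts: float     # epoch seconds
    src: str      # event source (e.g. attacking host)
    dst: str      # event target


@dataclass
class Group:
    events: list = field(default_factory=list)
    last_ts: float = 0.0

    def matches(self, ev: Event) -> bool:
        # same source or same target as any member, and close in time to the latest member
        in_window = abs(ev.ts - self.last_ts) <= WINDOW_SECONDS
        overlaps = any(ev.src == e.src or ev.dst == e.dst for e in self.events)
        return in_window and overlaps

    def add(self, ev: Event) -> None:
        self.events.append(ev)
        self.last_ts = max(self.last_ts, ev.ts)


class Aggregator:
    def __init__(self) -> None:
        self.groups: list[Group] = []

    def ingest(self, ev: Event) -> Group:
        # first matching group wins; events are expected in time order
        for g in self.groups:
            if g.matches(ev):
                g.add(ev)
                return g
        g = Group()
        g.add(ev)
        self.groups.append(g)
        return g


# constructed sample: two monitors see the same source, a third shares a target,
# and a much later event that should not be merged into that group
SAMPLE = [
    Event("ids-1", 1000, "10.0.0.5", "192.0.2.10"),
    Event("honeypot", 1120, "10.0.0.5", "192.0.2.77"),
    Event("ids-2", 1200, "10.0.0.9", "192.0.2.77"),
    Event("ids-1", 5000, "10.0.0.9", "192.0.2.10"),
]


def group_sizes(events=SAMPLE) -> list[int]:
    agg = Aggregator()
    for ev in sorted(events, key=lambda e: e.ts):
        agg.ingest(ev)
    return [len(g.events) for g in agg.groups]
```

Running `group_sizes()` on the sample returns `[3, 1]`: the third event joins through its target even though its source differs, and the fourth falls outside the window.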
After some discussion with Shane we've come up with a simple protocol to
communicate event information between the various detectors and the event
aggregator. I'm now in the process of updating the simple text-based
protocol with the new one and getting my detectors to interoperate in a
live fashion (rather than through reading text files like the initial