An event clustering system includes a processor that generates reports. An extraction engine is in communication with an infrastructure. The extraction engine receives data from the infrastructure, produces events and populates a database with a dictionary of event or graph entropy. An alert engine receives the events and creates alerts mapped into a matrix, M. A signalizer engine includes one or more of an NMF engine, a k-means clustering engine and a topology proximity engine. The signalizer engine determines one or more common steps from events and produces clusters relating to the alerts and or events. One or more interactive displays provide a collaborative interface a coupled to the extraction and the signalizer engine for decomposing events from the infrastructure. A reporting engine generates a report from at least one of the clusters and the events that are retrieved from the collaborative interface with a source address for each event to assign a graph coordinate in the graph to the event with an optional subset of attributes being extracted for each event and turning that into a vector of the graph. In response to production of the clusters one or more physical changes in a managed infrastructure hardware is made, and in response.