Severity mapping
This section describes how the Windows agent assigns a syslog severity when the default severity for an event log (or a monitored log file) is configured as auto.
When the default severity of the Windows agent (or of the log file monitor) is set to auto, the severity of the syslog message that the agent generates and sends to the syslog collector is derived automatically, either from the native severity of the Windows event or from keywords in the message text. The exact mapping depends on the type of log being monitored, as described in this section.
Note
A default severity of auto can be overridden by keywords configured at the agent, and can also be overridden at the BMC Defender manager. The severities described here therefore apply only when no special keyword handling is configured for the message.
For further information on default severities and the DefaultSeverity keyword, see CO-sysmsg config file, and CO-sysmsg.cnf file.
Windows application event log severities
The table provides the mapping between the Windows Application event log and syslog messages generated by the agent.
Windows application log severity | Assigned syslog severity |
---|---|
Critical | Critical |
Error | Error |
Warning | Warning |
Other | Info |
Windows system event log severities
The table provides the mapping between the Windows System event log and the syslog messages generated by the agent. These mappings are the same as for the Application log, except that messages outside the standard Critical, Error, and Warning categories are mapped to the Notice severity rather than Info, because system events are generally more important than application events.
Windows system log severity | Assigned syslog severity |
---|---|
Critical | Critical |
Error | Error |
Warning | Warning |
Other | Notice |
Windows security event log severities
The table provides the mapping between the Windows Security event log and the syslog messages generated by the agent. Unlike the other event logs, the Windows Security log provides only two classes of messages, Success and Failure (audit success and audit failure). The syslog severity assigned to each of these message types is shown in the following table:
Windows security log severity | Assigned syslog severity |
---|---|
Success | Notice |
Failure | Error |
Other | Debug |
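The three event-log tables above, expressed as one mapping function so the result can be checked against what arrives at the syslog collector. This is an added example, not the agent's own code. It assumes the Windows Level numbering exposed by the Event Log API (1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose, 0 = LogAlways) and the Audit Success / Audit Failure bits of the Security log's Keywords field; the WinEvent record, the facility value (local0 = 16) and the message layout after the PRI are assumptions for illustration.

```python
"""Map a Windows event-log record to the syslog severity the tables above
describe.  Added example, not BMC Defender code.  Assumes the Windows
Level numbering of the Event Log API (1=Critical, 2=Error, 3=Warning,
4=Information, 5=Verbose, 0=LogAlways) and the Security-log audit keyword
bits; the facility value and message layout are assumptions."""
from dataclasses import dataclass

# RFC 5424 numeric severities; PRI = facility * 8 + severity.
SYSLOG_SEVERITY = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notice": 5, "Info": 6, "Debug": 7,
}

# Windows event Level values as exposed by the Event Log API.
LEVEL_NAME = {0: "LogAlways", 1: "Critical", 2: "Error",
              3: "Warning", 4: "Information", 5: "Verbose"}

# Security-log records carry no Level-based severity; success/failure is
# signalled by bits of the Keywords field (0x8020... and 0x8010...).
AUDIT_SUCCESS_BIT = 1 << 53   # 0x0020000000000000
AUDIT_FAILURE_BIT = 1 << 52   # 0x0010000000000000


@dataclass(frozen=True)
class WinEvent:                 # assumed record shape for illustration
    log: str                    # "Application", "System" or "Security"
    level: int                  # Windows Level value (ignored for Security)
    keywords: int = 0           # Keywords bitmask (used for Security only)
    message: str = ""


def map_event_severity(ev: WinEvent) -> str:
    """Return the syslog severity name for an event under DefaultSeverity=auto."""
    log = ev.log.lower()
    if log == "security":
        if ev.keywords & AUDIT_FAILURE_BIT:
            return "Error"
        if ev.keywords & AUDIT_SUCCESS_BIT:
            return "Notice"
        return "Debug"          # neither audit bit set: the "Other" row
    name = LEVEL_NAME.get(ev.level, "Other")
    if name in ("Critical", "Error", "Warning"):
        return name             # identical in the Application and System tables
    # Everything else (Information, Verbose, LogAlways, unknown): the
    # System log is promoted to Notice, the Application log stays at Info.
    return "Notice" if log == "system" else "Info"


def syslog_pri(facility: int, severity: str) -> int:
    """Compute the <PRI> value sent on the wire (facility is an assumption)."""
    return facility * 8 + SYSLOG_SEVERITY[severity]


def format_syslog(ev: WinEvent, facility: int = 16) -> str:
    """Build a minimal syslog line; layout after the PRI is an assumption."""
    sev = map_event_severity(ev)
    return f"<{syslog_pri(facility, sev)}>{ev.log}: [{sev}] {ev.message}"


if __name__ == "__main__":
    # Constructed sample events, one per table row of interest.
    samples = [
        WinEvent("Application", 4, message="Service heartbeat"),                      # Info
        WinEvent("System", 4, message="Time synchronised with domain controller"),    # Notice
        WinEvent("System", 1, message="Bugcheck recorded"),                           # Critical
        WinEvent("Security", 0, 0x8010000000000000, "An account failed to log on"),   # Error
        WinEvent("Security", 0, 0x8020000000000000, "An account was logged on"),      # Notice
    ]
    for ev in samples:
        print(format_syslog(ev))
```

The Security branch deliberately tests the audit bits rather than the Level field: Security records carry Level 0 and a Keywords value, so a mapper written only around Level would push every logon failure to the "Other" row. A System-log Information event with facility local0 arrives as PRI 133 (16 * 8 + 5), which is the quickest thing to check in a packet capture when verifying the collector side.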
Windows log file monitor severities
Unlike the Windows event logs, the log file monitor portion of the agent relies solely on keywords within the message to establish severities. This lets the agent monitor arbitrary text files whose records carry no severity information of their own. BMC Defender uses a heuristic that matches keywords in each log record, as shown in the following table:
Match keyword | Assigned syslog severity |
---|---|
emergency or extreme or danger or hazard | Emergency |
alert or attention or caution | Alert |
critical or important or severe or significant or urgent or immediate | Critical |
error or fail or fault or crash or abnormal | Error |
warning or caution or terminate | Warning |
notice or start or success | Notice |
info | Info |
debug or ignore | Debug |
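The keyword heuristic above, run over a few constructed log records, as an added example rather than the agent's implementation. The keyword table is the one on this page; the matching rules are assumptions: case-insensitive substring matching (so "fail" also catches "failed" and "failure"), categories tried from most to least severe with the first hit winning, and a caller-chosen default when no keyword matches. Note that the page lists caution under both Alert and Warning; with most-severe-first precedence such a line lands at Alert.

```python
"""Keyword heuristic for the log file monitor, as an added example (not BMC
Defender code).  Keyword table from the page; matching rules are assumptions:
case-insensitive substring matching, most-severe category first, caller-chosen
default when nothing matches."""
from __future__ import annotations

# (syslog severity, keywords) from the page's table, most severe first.
KEYWORD_TABLE = [
    ("Emergency", ("emergency", "extreme", "danger", "hazard")),
    ("Alert",     ("alert", "attention", "caution")),
    ("Critical",  ("critical", "important", "severe", "significant",
                   "urgent", "immediate")),
    ("Error",     ("error", "fail", "fault", "crash", "abnormal")),
    ("Warning",   ("warning", "caution", "terminate")),
    ("Notice",    ("notice", "start", "success")),
    ("Info",      ("info",)),
    ("Debug",     ("debug", "ignore")),
]


def keyword_severity(line: str, default: str = "Info") -> tuple[str, str | None]:
    """Return (severity, matched_keyword); the keyword is None when the line
    hit nothing and `default` was used."""
    text = line.lower()
    for severity, words in KEYWORD_TABLE:
        for w in words:
            if w in text:          # substring match: "fail" also catches "failed"
                return severity, w
    return default, None


# Constructed sample records of the kind a monitored text log might hold.
SAMPLE_LINES = [
    "2024-05-01 02:00:03 backup: job nightly FAILED, I/O error on volume D:",
    "2024-05-01 02:00:09 smartd: CAUTION disk temperature 61C",
    "2024-05-01 02:01:00 sched: service restart required, immediate action",
    "2024-05-01 02:01:05 sched: service started successfully",
    "2024-05-01 02:01:06 app: debug trace enabled",
    "2024-05-01 02:02:00 app: heartbeat received",
]


def classify_lines(lines=SAMPLE_LINES, default: str = "Info"):
    """Classify each line; returns [(severity, keyword, line), ...]."""
    return [(*keyword_severity(line, default), line) for line in lines]


if __name__ == "__main__":
    for sev, kw, line in classify_lines():
        print(f"{sev:<9} {str(kw):<10} {line}")
```

Two of the sample lines show why precedence matters: the "restart required, immediate action" record contains both start (Notice) and immediate (Critical) and is classified Critical, and the "CAUTION" record lands at Alert, not Warning. Substring matching also means a benign word such as "information" satisfies info; if that produces noise on a given file, the keyword override mechanism described in the note at the top of this section is the place to correct it.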