Severity mapping

This section describes how the Windows agent assigns severity codes when the default severity for an event log is configured as auto.

When the default severity of the Windows agent (or of the log file monitor) is set to auto, the severity of the syslog message that the agent generates and sends to the syslog collector is derived automatically, either from the native severity of the Windows message or from keywords in the message text. The exact mapping depends on the type of log being monitored, as described in this section.

Note

The default severity of auto can be overridden by keywords configured at the agent, and can also be overridden at the BMC Defender manager. The severities described here therefore apply only when no special handling of message keywords is in effect.

For further information on default severities and the DefaultSeverity keyword, see CO-sysmsg config file, and CO-sysmsg.cnf file.

Windows application event log severities

The following table gives the mapping between Windows Application event log severities and the syslog messages generated by the agent.

Windows application log severity    Assigned syslog severity
--------------------------------    ------------------------
Critical                            Critical
Error                               Error
Warning                             Warning
Other                               Info

Windows system event log severities

The following table gives the mapping between Windows System event log severities and the syslog messages generated by the agent. These are the same as for the application log, except that messages outside the standard Critical, Error, and Warning categories are mapped to the Notice severity (because system events are generally more important than application events).

Windows system log severity    Assigned syslog severity
---------------------------    ------------------------
Critical                       Critical
Error                          Error
Warning                        Warning
Other                          Notice

Windows security event log severities

The following table gives the mapping between Windows Security event log severities and the syslog messages generated by the agent. Unlike the other event logs, the Windows security log provides only two classes of messages, Success and Failure. The syslog severity associated with each class is mapped as follows:

Windows security log severity    Assigned syslog severity
-----------------------------    ------------------------
Success                          Notice
Failure                          Error
Other                            Debug

Windows log file monitor severities

Unlike the Windows event logs, the log file monitor portion of the agent relies strictly on keywords within the message to establish severities. (This permits the agent to monitor arbitrary files whose messages carry no event severity information.) BMC Defender uses a heuristic method of establishing severities based on keywords found in the log file content, as follows:

Match keyword                                                     Assigned syslog severity
--------------------------------------------------------------    ------------------------
emergency, extreme, danger, or hazard                             Emergency
alert, attention, or caution                                      Alert
critical, important, severe, significant, urgent, or immediate    Critical
error, fail, fault, crash, or abnormal                            Error
warning, caution, or terminate                                    Warning
notice, start, or success                                         Notice
info                                                              Info
debug or ignore                                                   Debug
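As an added example (not code from BMC Defender), here is a Python model of the keyword heuristic above together with the three event log tables, run over a few constructed log lines. The page does not state what happens when several keyword rows match one line ("caution" appears in two rows), so the example assumes the most severe matching row wins; substring matching is likewise an assumption.

```python
# Keyword rows from the page, ordered from most to least severe. The page does
# not say what happens when a line matches several rows (note that "caution"
# appears in both the Alert and Warning rows), so this example assumes the
# most severe matching row wins.
KEYWORD_SEVERITIES = [
    ("Emergency", ("emergency", "extreme", "danger", "hazard")),
    ("Alert", ("alert", "attention", "caution")),
    ("Critical", ("critical", "important", "severe", "significant", "urgent", "immediate")),
    ("Error", ("error", "fail", "fault", "crash", "abnormal")),
    ("Warning", ("warning", "caution", "terminate")),
    ("Notice", ("notice", "start", "success")),
    ("Info", ("info",)),
    ("Debug", ("debug", "ignore")),
]

# Event log tables from the page: explicit levels, then the fallback for "Other".
EVENT_LOG_SEVERITIES = {
    "application": ({"Critical": "Critical", "Error": "Error", "Warning": "Warning"}, "Info"),
    "system": ({"Critical": "Critical", "Error": "Error", "Warning": "Warning"}, "Notice"),
    "security": ({"Success": "Notice", "Failure": "Error"}, "Debug"),
}


def event_log_severity(log, level):
    """Syslog severity for an event log entry; unlisted levels get the log's fallback."""
    table, fallback = EVENT_LOG_SEVERITIES[log]
    return table.get(level, fallback)


def auto_severity(line, default="Info"):
    """Severity the keyword heuristic assigns to one monitored log line. Matching is
    case-insensitive and substring-based (an assumption: "failure" matches "fail",
    but so does "restart" match "start"); no keyword means the caller's default."""
    text = line.lower()
    for severity, keywords in KEYWORD_SEVERITIES:
        if any(keyword in text for keyword in keywords):
            return severity
    return default


# Constructed sample lines, not taken from a real log.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 Service startup complete",     # start   -> Notice
    "2024-01-01 10:00:05 Disk failure on volume D:",    # fail    -> Error
    "2024-01-01 10:00:09 Temperature hazard detected",  # hazard  -> Emergency
    "2024-01-01 10:00:12 Caution: queue depth high",    # caution -> Alert (row precedence)
    "2024-01-01 10:00:15 Heartbeat ok",                 # no keyword -> default
]


def classify(lines, default="Info"):
    """Pair each line with the severity the heuristic would assign it."""
    return [(auto_severity(line, default), line) for line in lines]
```

Note that unlisted security log events map to Debug, so a collector that keeps only Info and above silently drops them.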
