Syslog configuration files


The CO-Syslog.exe program makes use of several configuration files in the BMC Defender Server\config directory. The BMC Defender Server web interface maintains these files, and you should not modify the files except under the specific direction of BMC Support. Specific files required and used by the CO-Syslog.exe program are as follows: 

Filt.cnf File

This file contains the filters, configured at the web interface, that are applied immediately to all incoming data. The file contains space-delimited records, with one filter per line. The fields are filter time, filter hour span, filter address, filter facility, filter severity, filter keyword, and filter count. The filter count indicates the number of times the filter has matched since the CO-Syslog.exe program was started; it is cleared each time the program is launched.

Ipadd.cnf File

This file contains the Address Overrides, configured at the web interface. The Address Overrides are applied to incoming data after filtering. The file contains space-delimited records, with one override per line. The fields are matched address, match facility, match severity, match keyword, and new address.

Facil.cnf File

This file contains the facility overrides, configured at the web interface. The facility overrides are applied to incoming data after filtering, and after any Address Overrides. The file contains space-delimited records, with one override per line. The fields are matched address, match facility, match severity, match keyword, and new facility. 

Sever.cnf File

This file contains the severity overrides, configured at the web interface. The severity overrides are applied to incoming data after filtering, after any Address Overrides, and after any facility overrides. The file contains space-delimited records, with one override per line. The fields are matched address, match facility, match severity, match keyword, and new severity.
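The four files above form a fixed processing order: filters drop a message first, then the address, facility and severity overrides rewrite whatever survives, in that sequence. The following Python model, added here as an illustration and not code from CO-Syslog.exe or BMC, parses constructed sample records in the space-delimited layout the page describes and runs three constructed messages through that order. The page does not state how a field matches, so the model assumes that a field value of "*" matches anything, that the keyword field is a case-insensitive substring match, that the filter time and hour span fields are not evaluated, and that each override stage matches against the message as left by the stage before it (so an address override changes which facility and severity overrides apply). The sample contents, the Message class and the Pipeline class are this example's own.

```python
"""Model of the CO-Syslog.exe processing order described above: Filt.cnf filters
first, then Ipadd.cnf address overrides, then Facil.cnf facility overrides, then
Sever.cnf severity overrides. Added example, not BMC code; match semantics
('*' wildcard, substring keyword, chained overrides) are assumptions."""
from dataclasses import dataclass, replace

# Constructed sample .cnf contents (space-delimited, one record per line).
FILT_CNF = """\
00:00 24 * * debug * 0
00:00 24 10.0.0.5 * * heartbeat 0
"""
IPADD_CNF = "192.168.1.10 * * * fw-edge-01\n"
FACIL_CNF = "fw-edge-01 local0 * * auth\n"
SEVER_CNF = "fw-edge-01 auth info failed warning\n"


@dataclass(frozen=True)
class Message:
    address: str
    facility: str
    severity: str
    text: str


def parse_records(cnf, nfields):
    """Split a .cnf file into space-delimited records; blank lines are skipped and a
    record with the wrong number of fields is an error, not a guess."""
    records = []
    for lineno, line in enumerate(cnf.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        records.append(fields)
    return records


def matches(msg, address, facility, severity, keyword):
    """Assumed semantics: '*' matches anything, keyword is a case-insensitive substring."""
    return ((address == "*" or address == msg.address)
            and (facility == "*" or facility == msg.facility)
            and (severity == "*" or severity == msg.severity)
            and (keyword == "*" or keyword.lower() in msg.text.lower()))


class Pipeline:
    def __init__(self, filt, ipadd, facil, sever):
        # Filt.cnf: time, hour span, address, facility, severity, keyword, count
        self.filters = parse_records(filt, 7)
        # Per-filter hit count, cleared at startup like the page's "filter count".
        self.filter_hits = [0] * len(self.filters)
        # Override files: matched address, facility, severity, keyword, new value
        self.overrides = [
            ("address", parse_records(ipadd, 5)),
            ("facility", parse_records(facil, 5)),
            ("severity", parse_records(sever, 5)),
        ]

    def process(self, msg):
        """Return the rewritten message, or None if a filter dropped it."""
        # Step 1: filters. Time and hour-span fields are not evaluated here.
        for i, (_time, _span, a, f, s, k, _count) in enumerate(self.filters):
            if matches(msg, a, f, s, k):
                self.filter_hits[i] += 1
                return None
        # Steps 2-4: overrides in the documented order. Each stage matches against
        # the message as left by the previous stage (assumption); first rule wins.
        for field, rules in self.overrides:
            for a, f, s, k, new_value in rules:
                if matches(msg, a, f, s, k):
                    msg = replace(msg, **{field: new_value})
                    break
        return msg


def demo():
    """Run three constructed messages through the pipeline."""
    p = Pipeline(FILT_CNF, IPADD_CNF, FACIL_CNF, SEVER_CNF)
    samples = [
        Message("192.168.1.10", "local0", "info", "sshd: login failed for root"),
        Message("10.0.0.5", "daemon", "info", "heartbeat ok"),
        Message("10.0.0.7", "kern", "debug", "irq balance"),
    ]
    return [p.process(m) for m in samples], p.filter_hits


if __name__ == "__main__":
    results, hits = demo()
    for r in results:
        print(r)
    print("filter hits:", hits)
```

The first sample shows why the order matters: the address override renames 192.168.1.10 to fw-edge-01, and only because of that rename do the facility override (keyed on fw-edge-01) and then the severity override (keyed on fw-edge-01 and the new facility auth) fire. A rule written against the original address would never match at the facility or severity stage under this model, which is worth checking against your own Facil.cnf and Sever.cnf before relying on a severity escalation for alerting.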

Archived log file information

The CO-maint.exe program, which runs nightly, maintains the archive directory that holds the archived log files (in gzip format) for the system. The number of days to keep this information is configured in the Parms screen of the system; you can keep up to 5000 days (more than ten years) of data. In addition to archiving log files, the CO-maint.exe program maintains a message digest for each log file, so that an archived file can later be checked for modification, which is useful for forensics.

The BMC Defender Server archiving function, in addition to providing long-term storage of message information, also furnishes special functions needed to support auditing and forensics, such as for HIPAA, PCI, and SOX compliance. More information on the archive function is provided further in this topic. Archived files can be searched from the Reports > Query screen, documented elsewhere.
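A per-file message digest is only useful in an investigation if someone actually recomputes it and compares it with the stored value before trusting the archive. The Python below is an added illustration of that check, not CO-maint.exe's own code: the page does not say which digest algorithm the program uses or how the digests are stored, so this example assumes SHA-256 over the decompressed log content and a two-column "digest  filename" manifest. The gzipped sample log lines, the archive name and the function names are all constructed for the example.

```python
"""Checking archived log files against stored message digests before using them in
an investigation. Added example, not CO-maint.exe's code: SHA-256 over the
decompressed content and the 'digest  filename' manifest layout are assumptions."""
import gzip
import hashlib
import hmac
import io


def digest_archive(data: bytes) -> str:
    """SHA-256 of the decompressed log content (assumed algorithm). Hashing the
    plaintext rather than the .gz bytes keeps the digest stable across gzip header
    differences such as the embedded mtime."""
    h = hashlib.sha256()
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(archives: dict) -> str:
    """One 'digest  filename' line per archived file, sorted for reproducibility."""
    return "".join(f"{digest_archive(data)}  {name}\n"
                   for name, data in sorted(archives.items()))


def verify(manifest: str, archives: dict) -> dict:
    """Return {filename: 'ok' | 'MODIFIED' | 'MISSING'} for every manifest entry."""
    status = {}
    for line in manifest.splitlines():
        expected, name = line.split("  ", 1)
        data = archives.get(name)
        if data is None:
            status[name] = "MISSING"
        elif hmac.compare_digest(digest_archive(data), expected):
            status[name] = "ok"
        else:
            status[name] = "MODIFIED"
    return status


# Constructed sample archive: three syslog lines as they might have been gzipped.
LOG_LINES = (
    b"Jan 10 02:14:07 fw-edge-01 sshd[812]: Failed password for root from 203.0.113.9\n"
    b"Jan 10 02:14:09 fw-edge-01 sshd[812]: Accepted password for root from 203.0.113.9\n"
    b"Jan 10 02:15:00 fw-edge-01 CRON[901]: (root) CMD (run-parts /etc/cron.hourly)\n"
)
ARCHIVE_NAME = "2024-01-10.log.gz"


def demo():
    """Build a manifest for the intact archive, then check a tampered copy in which
    the successful root login was removed and the file recompressed, and a missing file."""
    intact = {ARCHIVE_NAME: gzip.compress(LOG_LINES)}
    manifest = make_manifest(intact)
    scrubbed = LOG_LINES.replace(
        b"Jan 10 02:14:09 fw-edge-01 sshd[812]: Accepted password for root from 203.0.113.9\n",
        b"")
    tampered = {ARCHIVE_NAME: gzip.compress(scrubbed)}
    return verify(manifest, intact), verify(manifest, tampered), verify(manifest, {})


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "missing"), demo()):
        print(label, result)
```

The caveat a practitioner should keep in mind: a digest kept next to the archive it describes only detects accidental damage. An attacker with write access to the archive directory can scrub a line, recompress the file and recompute the digest, so for the check to carry evidential weight the manifest (or a signed copy of it) must be stored somewhere the log server itself cannot rewrite.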

Log file report information

In addition to archiving data, the CO-maint.exe program, as previously mentioned, is responsible for the nightly generation of reports. These reports can be e-mailed to end users or simply stored on the system for historical purposes. The system can keep up to 500 monthly summary reports, a total of more than forty years of data (presuming enough disk space exists on the system).

The reporting facility is very simple to get started with, but this facility provides a large amount of flexibility for those sites requiring specific reporting functions. Detailed information on the BMC Defender Server reporting facility is provided in BMC-Defender-Server-reporting.

BMC Defender Server interactive usage

Although the CO-Syslog.exe program is quite usable without any other tools, the BMC Defender Server web interface provides a highly useful interactive interface, and it is where administrators and users do most of their work. Navigate the interface by clicking the tabs at the top of the display. All BMC Defender Server screens related to the syslog processes are located under the Messages and Correlation tabs.