Configure Facility Override screen
The Configure Facility Override screen is accessed by clicking on the Config tab, and then selecting Overrides, and then selecting Facility. From that location, the operator can view, add, or edit the list of message facility overrides. A depiction of this screen is shown as follows:

Facility Overrides, defined by this screen, cause the facility code in a message to be replaced (under specific conditions) with a new facility code, thereby cataloging the message differently. In particular, operators can use this capability to define new facility codes, which is a major extension to the syslog protocol standard.
The preceding screen provides a list of all the Facility Overrides that are applied to messages immediately after filtering and after any Address Overrides have been applied (as discussed for the previous screen).
New Facility Overrides can be added by clicking the AddNew option. An existing override can be edited or deleted by clicking the Edit Override option in the first row of the table. The Apply option permits you to change the sort order.
Each Facility Override consists of five different values, shown in the table. To override a message, all of the first four fields must match the event message, similar to the Device Override screen previously described.
The last column of the table indicates the name of the facility that is logged whenever a message is received that matches the first four fields of the table entry. This facility can be one of the standard 24 facility codes of the syslog protocol, or can be a new facility defined by you.
Facility Override screen controls
At the top of the display are controls that allow you to sort the list, or add a new override to the list. To modify the sorting order, the operator makes adjustments and clicks the Apply option. This refreshes the screen with the latest settings. Clicking the tab option also refreshes the screen, but sets the order mode to Default, which displays records in the order in which they were added to the system.
Instructions on how to add, edit, and delete entries are provided in the description of the Configure Filters screen. To add an entry, click the AddNew option. To edit an existing entry, click the Edit option. To delete an existing entry, click the Edit option and then click the Delete option.
Defining new facilities
One of the important uses of this screen is to permit the creation of new facility codes. The syslog protocol standard defines 24 different facility codes. Some of these codes, such as UUCP, are deprecated. This means that (depending upon the craftsmanship of the syslog message designer) the message facility code is sometimes not as useful as it should be.
Using the Facility Override screen, operators can change facilities based upon any field of the message, in particular the message content.
This new facility is shown on the Search Messages screen, and in the Facilities Catalog screen. It can also be used with correlation functions.
You can create lists of keywords that change the facility code, which can affect cataloging and message routing. There is no limit to the number of new facility codes that BMC Defender Server can create.
Facility Overrides screen, special notes
These screens all perform similar operations, and have similar controls. What distinguishes these screens is the particular field in the incoming message that is edited and replaced.
Access to this screen is limited to admin type logins. If the current login has user or guest access, then the screen might be viewed, but you are blocked when clicking the AddNew or Edit option. Only admin type logins can modify system data.
Before any data is saved or modified, it is checked. If the check fails, then you must click the back option in order to fix the problem, or click on the tab to restart the edit session.
One special check that requires explanation is that you cannot simply click the AddNew option and then click Commit, because this would result in an entry that would override ALL messages on the system. (This is because the Add New Override screen uses defaults that match the most messages, to assist the operator in making small adjustments to selectively override messages.)
A message might match many different overrides. In this case, the first override matched is used.
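The matching rules described above (all four match fields must match, an entry left at match-everything defaults is rejected, and the first matching override wins) can be modeled as follows. This is an added example, not BMC Defender Server code; the field names (address, facility, severity, keyword), the "*" wildcard syntax, and the facility names auth-failure and legacy-app are assumptions, since the page does not name them.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Field names and "*" wildcards are assumptions for illustration; the page
# only says four fields must match and the fifth value is the new facility.
@dataclass(frozen=True)
class FacilityOverride:
    address: str = "*"
    facility: str = "*"
    severity: str = "*"
    keyword: str = "*"
    new_facility: str = ""

    def match_fields(self):
        return (self.address, self.facility, self.severity, self.keyword)

    def matches(self, msg):
        # All four fields must match for the override to apply.
        return (fnmatchcase(msg["address"], self.address)
                and fnmatchcase(msg["facility"], self.facility)
                and fnmatchcase(msg["severity"], self.severity)
                and fnmatchcase(msg["text"], self.keyword))

def validate(rule):
    """Reject an entry left at all-default match fields (it would hit every message)."""
    if all(field == "*" for field in rule.match_fields()):
        raise ValueError("override matches ALL messages; narrow at least one field")
    if not rule.new_facility:
        raise ValueError("a new facility name is required")
    return rule

def apply_overrides(msg, rules):
    """Return msg with the facility of the first matching rule, else msg unchanged."""
    for rule in rules:  # list order is evaluation order: first match wins
        if rule.matches(msg):
            return {**msg, "facility": rule.new_facility}
    return msg

# Constructed sample overrides and message; the message matches both rules.
RULES = [
    validate(FacilityOverride(keyword="*Failed password*", new_facility="auth-failure")),
    validate(FacilityOverride(facility="uucp", new_facility="legacy-app")),
]
MSG = {"address": "10.0.0.5", "facility": "uucp", "severity": "notice",
       "text": "sshd: Failed password for root from 10.0.0.9"}
```

Because only the first match applies, a broad override placed ahead of a narrower one silently changes how the narrower one's messages are cataloged and routed, so review the order whenever an entry is added.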