Enabling syslog TCP reception
By default, BMC Defender Server listens only to UDP messages. You can easily configure the reception of syslog over TCP by enabling the CO-trecv.exe program, which is a standard component of the system and does not require installation of a plug-in or adapter.
The CO-trecv.exe program provides the following functionality:
- The program accepts standard TCP messages generated by the Syslog-NG and Rsyslog programs. These kinds of messages are found on a variety of platforms, especially Linux platforms.
- The program supports the CO-tsend.exe program to allow encrypted tunneling of syslog and SNMP Trap messages. For information about the CO-tsend.exe program, see CO-tsend.exe Tunnel Sender program.
The CO-trecv.exe program uses a single configuration file that is read once during the BMC Defender Server framework startup. The configuration file, CO-trecv.cnf, is located in the system directory and you can edit it with a text editor. The file contains the following directives:
Directive | Description |
---|---|
ListenPort | This is the TCP port on which the program listens for tunnel messages sent by the CO-tsend.exe and TUNNEL.exe programs. The default value is TCP port 51462. This value should generally not be changed without exercising caution, because it is the default port number used by other parts of the BMC Defender Server system. |
ListenPort-Aux | This is the TCP port on which the program listens for Syslog-NG, Rsyslog, and other syslog over TCP messages. The default value is TCP port 514, which is commonly (but not consistently) used for TCP syslog transmissions. It might be necessary for the operator to change this value, depending on the syslog over TCP implementation used at a site. |
TrapDestPort | This is the destination to which SNMP traps are relayed, by default UDP port 162 on the local machine. This configuration item is required but is used only when the CO-systrap.exe adapter is installed at the BMC Defender Server site, and only when the CO-tsend.exe program is used to collect SNMP traps at a remote location. Otherwise, the value is not used. |
SyslDestPort | This is the UDP port used by the BMC Defender Server CO-syslog.exe process, which is the central collector of the BMC Defender Server. The default value of 514 should not be changed without also changing the contents of the system\syslog.cnf file (which sets the port at which BMC Defender Server listens for external UDP syslog messages). Except for very special circumstances, the default value of 514 is correct and appropriate for all implementations. |
MatchAddress | This is a match pattern that is compared against the IP address of incoming messages. The default value of *.*.*.* matches any client device. To reduce exposure, this value can be set to limit message reception to a specific device or subnet, which is useful if there is a small set of CO-trecv.exe clients on the system. |
ErrorSeverity | This is the standard syslog severity value used when the CO-trecv.exe program encounters an error, such as a bad encryption key, or other anomalies. The default severity of error is appropriate for most implementations. |
LogLocal | This directive is False by default. If the operator sets this value to True, each received message is logged to the CO-trecv.log file (along with other program information). This is useful for debugging but can generate large files, so the value should normally be False to prevent logging of this detailed data. |
EncryptKey | This is the default encryption key seed value used by the CO-tsend.exe program. The value must agree with the configuration found in the CO-tsend.cnf file of the remote program. Generally, this value does not need to be changed. The value should be modified only if all CO-tsend.exe keys are also modified. (BMC Defender Server uses a pseudo-one-time pad type of algorithm, so the actual encryption key is somewhat irrelevant to the encryption process.) |
The BMC Defender Server system requires TCP ports 51462 and 514 to be available for receiving messages. The operator should verify that no firewall or virus protection program blocks these TCP ports.
If any of the preceding directives of the CO-trecv.cnf file is modified, the CO-trecv.exe program must be stopped and restarted, such as by cycling the BMC Defender Server Framework Service via the Windows Service Manager.
The CO-trecv.cnf file should be examined if the CO-trecv.exe program fails to start or exits abnormally.
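The port check above is easy to automate. The following is an added example (not BMC code; it uses only the Python standard library) that attempts a TCP connection to the two listener ports named in CO-trecv.cnf and reports which ones accept connections. A refused or timed-out connection usually means that CO-trecv.exe is not running or that a host firewall or endpoint protection product is blocking the port, which is the first thing to rule out when the server appears to receive nothing over TCP. The `self_test()` helper starts a throwaway loopback listener so the check can be exercised offline; the host name and timeout are parameters of this example, not product settings.

```python
"""Verify that the TCP ports CO-trecv.exe must expose accept connections.

Added example, not part of BMC Defender Server. Port numbers come from
the CO-trecv.cnf documentation (ListenPort and ListenPort-Aux defaults).
"""
import socket
import threading

# Defaults documented for CO-trecv.cnf: directive name -> TCP port.
REQUIRED_TCP_PORTS = {"ListenPort": 51462, "ListenPort-Aux": 514}


def tcp_port_accepts(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # ConnectionRefusedError, TimeoutError, unreachable network, ...
        return False


def check_required_ports(host: str = "127.0.0.1", ports=None,
                         timeout: float = 2.0) -> dict:
    """Map each directive name to whether its port accepts connections."""
    ports = REQUIRED_TCP_PORTS if ports is None else ports
    return {name: tcp_port_accepts(host, port, timeout)
            for name, port in ports.items()}


def _ephemeral_listener():
    """Start a loopback listener on a free port; returns (port, stop_fn).

    Exists only so the check can be demonstrated offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def _closed_loopback_port() -> int:
    """Reserve and immediately release a port so that nobody listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_test() -> tuple:
    """Show both outcomes: (result for a live listener, result for a closed port)."""
    port, stop = _ephemeral_listener()
    try:
        live = tcp_port_accepts("127.0.0.1", port, timeout=1.0)
    finally:
        stop()
    closed = tcp_port_accepts("127.0.0.1", _closed_loopback_port(), timeout=1.0)
    return live, closed


if __name__ == "__main__":
    print("self-test (live, closed):", self_test())
    for name, ok in check_required_ports().items():
        print(f"{name:15} {REQUIRED_TCP_PORTS[name]:>6}  {'accepting' if ok else 'NOT reachable'}")
```

Run it on the Defender server itself first (loopback) and then from a remote syslog client; a port that accepts locally but not remotely points at a network or host firewall rule rather than at the service.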
Other syslog configuration files
In addition to the preceding configuration file, the CO-Syslog.exe program makes use of several other configuration files in the BMC Defender Server\config directory. The BMC Defender Server web interface maintains these files, and you should not modify the files except under the specific direction of BMC Support. Specific files required and used by the CO-Syslog.exe program are as follows:
File name | Description |
---|---|
Filt.cnf File | This file contains the filters, configured at the web interface, that are immediately applied to any incoming data. The file contains space-delimited records, with one filter per line. The fields are filter time, filter hour span, filter address, filter facility, filter severity, filter keyword, and filter count. The filter count is cleared when the CO-syslog.exe program is launched and indicates the number of times that a filter has been used since startup. |
Ipadd.cnf File | This file contains the Address Overrides, configured at the web interface. The Address Overrides are applied to incoming data after filtering. The file contains space-delimited records, with one override per line. The fields are matched address, match facility, match severity, match keyword, and new address. |
Facil.cnf File | This file contains the facility overrides, configured at the web interface. The facility overrides are applied to incoming data after filtering, and after any Address Overrides. The file contains space-delimited records, with one override per line. The fields are matched address, match facility, match severity, match keyword, and new facility. |
Sever.cnf File | This file contains the severity overrides, configured at the web interface. The severity overrides are applied to incoming data after filtering, and after any Address Overrides, and after any facility overrides. The file contains space-delimited records, with one override per line. The fields are matched address, match facility, match severity, match keyword, and new severity. |
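The four files above form a pipeline: filters first, then address overrides, then facility overrides, then severity overrides, each stage seeing the message as rewritten by the stages before it. The following added example (not BMC code) parses records with the field lists documented above and applies them in that order to a few constructed messages. The matching rules are assumptions made for this illustration, since the page does not state them: `*` in any field matches anything (the address field uses shell-style wildcards such as `*.*.*.*`), the keyword is a case-insensitive substring of the message text, the first matching filter drops the message and increments its count, and filter time plus hour span form an active window of whole hours (start hour and length). Lines beginning with `#` are skipped, also an assumption.

```python
"""Parse CO-Syslog.exe override files and apply them in documented order.

Added example, not BMC code. Field names follow the documentation;
matching semantics and the '#' comment convention are assumptions.
"""
from fnmatch import fnmatchcase

FIELDS = {
    "Filt.cnf":  ("filter_time", "hour_span", "address", "facility",
                  "severity", "keyword", "count"),
    "Ipadd.cnf": ("address", "facility", "severity", "keyword", "new_address"),
    "Facil.cnf": ("address", "facility", "severity", "keyword", "new_facility"),
    "Sever.cnf": ("address", "facility", "severity", "keyword", "new_severity"),
}


def parse_records(name: str, text: str) -> list:
    """Turn the space-delimited lines of one file into a list of dicts."""
    fields = FIELDS[name]
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != len(fields):
            raise ValueError(f"{name} line {lineno}: expected "
                             f"{len(fields)} fields, got {len(parts)}")
        records.append(dict(zip(fields, parts)))
    return records


def _matches(rule: dict, msg: dict) -> bool:
    """Address/facility/severity/keyword test shared by all four files."""
    return (fnmatchcase(msg["address"], rule["address"])
            and rule["facility"] in ("*", msg["facility"])
            and rule["severity"] in ("*", msg["severity"])
            and (rule["keyword"] == "*"
                 or rule["keyword"].lower() in msg["text"].lower()))


def _in_window(rule: dict, hour: int) -> bool:
    """Assumed semantics: filter_time = start hour, hour_span = hours active."""
    if rule["filter_time"] == "*" or rule["hour_span"] == "*":
        return True
    start, span = int(rule["filter_time"]), int(rule["hour_span"])
    return (hour - start) % 24 < span


def process(msg: dict, filters: list, addr_ovr: list,
            facil_ovr: list, sever_ovr: list):
    """Return the rewritten message, or None if a filter dropped it."""
    for rule in filters:
        if _in_window(rule, msg["hour"]) and _matches(rule, msg):
            rule["count"] = str(int(rule["count"]) + 1)   # usage counter
            return None
    msg = dict(msg)
    # Each stage matches against the message as rewritten by earlier stages,
    # so a facility override can key on an address assigned by Ipadd.cnf.
    for rule in addr_ovr:
        if _matches(rule, msg):
            msg["address"] = rule["new_address"]
            break
    for rule in facil_ovr:
        if _matches(rule, msg):
            msg["facility"] = rule["new_facility"]
            break
    for rule in sever_ovr:
        if _matches(rule, msg):
            msg["severity"] = rule["new_severity"]
            break
    return msg


# Constructed sample configuration (not from any real site).
FILT = "# time span address facility severity keyword count\n" \
       "* * 10.0.0.* * debug * 0\n" \
       "22 8 * auth * backup 0\n"
IPADD = "192.168.1.50 * * * 10.10.10.50\n"
FACIL = "10.10.10.50 * * firewall local4\n"
SEVER = "* local4 info * warning\n"

# Constructed sample messages; 'hour' is the receive hour (0-23).
MESSAGES = [
    {"address": "10.0.0.7", "facility": "daemon", "severity": "debug",
     "text": "polling interval 30s", "hour": 12},
    {"address": "192.168.1.50", "facility": "kern", "severity": "info",
     "text": "FIREWALL drop 203.0.113.9 -> 10.1.1.1:445", "hour": 3},
    {"address": "192.168.1.9", "facility": "auth", "severity": "notice",
     "text": "nightly backup login ok", "hour": 23},
    {"address": "192.168.1.9", "facility": "auth", "severity": "notice",
     "text": "nightly backup login ok", "hour": 14},
]


def run_demo() -> tuple:
    """Apply the sample files to the sample messages; returns (results, filters)."""
    filters = parse_records("Filt.cnf", FILT)
    args = (filters, parse_records("Ipadd.cnf", IPADD),
            parse_records("Facil.cnf", FACIL), parse_records("Sever.cnf", SEVER))
    return [process(m, *args) for m in MESSAGES], filters


if __name__ == "__main__":
    results, filters = run_demo()
    for original, result in zip(MESSAGES, results):
        print(original["address"], "->", "dropped" if result is None else result)
    print("filter counts:", [f["count"] for f in filters])
```

Note how message 2 is relabelled by all three override stages in sequence (address, then facility, then severity), while the two auth messages differ only in receive hour: the 23:00 copy falls inside the 22:00 to 06:00 filter window and is dropped, the 14:00 copy passes through unchanged.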
Archived log file information
The CO-maint.exe program (which runs nightly) is responsible for maintaining the archive directory, which contains archived log files (in Gzip format) for the system. The number of days to keep this information is configured in the Parms screen of the system. You can keep up to ten years (5000 days) worth of information. In addition to archiving log files, the CO-maint.exe program maintains message digests for each log file, which are useful for forensics.
The BMC Defender Server archiving function, in addition to providing long-term storage of message information, also furnishes special functions needed to support auditing and forensics, such as for HIPAA, PCI, and SOX compliance. More information on the Archive function is provided further in this topic. Archived files can be searched via the Reports > Query screen, documented elsewhere.
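A message digest is only useful for forensics if it is checked before the archive is relied upon. The following added example (not BMC code; the product's own digest format and algorithm are not described on this page) writes a day's log lines to a Gzip archive, records a SHA-256 digest of the compressed file in a `<name>.sha256` sidecar, and verifies the archive later. The sidecar naming, the choice of SHA-256 and the sample log lines are all constructed for this illustration.

```python
"""Archive log lines as Gzip, record a digest, and verify it later.

Added example, not BMC code. SHA-256 over the compressed file and the
'<archive>.sha256' sidecar are assumptions chosen for illustration.
"""
import gzip
import hashlib
import hmac
import os
import tempfile

# Constructed sample log lines for one day.
SAMPLE_LINES = [
    "<34>Jan 15 03:12:07 fw01 kernel: FIREWALL drop 203.0.113.9 -> 10.1.1.1:445",
    "<38>Jan 15 03:12:09 srv02 sshd[4120]: Accepted publickey for backup from 10.1.1.20",
    "<85>Jan 15 03:15:00 srv02 sudo: backup : TTY=pts/0 ; COMMAND=/usr/bin/rsync",
]


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_log(lines: list, archive_path: str) -> str:
    """Write lines to a Gzip archive and its digest to a sidecar; return digest."""
    with gzip.open(archive_path, "wb") as f:
        f.write(("\n".join(lines) + "\n").encode("utf-8"))
    digest = sha256_file(archive_path)
    with open(archive_path + ".sha256", "w", encoding="utf-8") as f:
        # Same layout as sha256sum output: "<hex>  <file name>"
        f.write(f"{digest}  {os.path.basename(archive_path)}\n")
    return digest


def verify_archive(archive_path: str) -> bool:
    """True if the archive still matches the digest recorded for it."""
    with open(archive_path + ".sha256", encoding="utf-8") as f:
        expected = f.read().split()[0]
    # compare_digest avoids timing differences leaking how many bytes matched
    return hmac.compare_digest(expected, sha256_file(archive_path))


def read_archive(archive_path: str) -> list:
    """Decompress the archive back into log lines."""
    with gzip.open(archive_path, "rt", encoding="utf-8") as f:
        return f.read().splitlines()


def demo() -> tuple:
    """Archive, verify, tamper with the archive, verify again.

    Returns (verified_before, lines_restored, verified_after_tampering).
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "2024-01-15.log.gz")
        archive_log(SAMPLE_LINES, path)
        ok_before = verify_archive(path)
        restored = read_archive(path)
        # Simulate after-the-fact editing: rewrite the archive without one line.
        with gzip.open(path, "wb") as f:
            f.write(("\n".join(SAMPLE_LINES[:-1]) + "\n").encode("utf-8"))
        ok_after = verify_archive(path)
        return ok_before, restored, ok_after


if __name__ == "__main__":
    before, lines, after = demo()
    print(f"verified before tampering: {before}, lines restored: {len(lines)}")
    print(f"verified after tampering:  {after}")
```

The digest only proves integrity relative to the value recorded at archive time, so the sidecar (or a manifest of digests) should live where the account that writes and rotates the logs cannot modify it, for example on a separate host or in write-once storage; otherwise an attacker who can edit the archive can regenerate the digest as well.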
Log file report information
In addition to archiving data, the CO-maint.exe program, as previously mentioned, is responsible for the nightly generation of reports. This information can be e-mailed to end users, or simply stored on the system for historical purposes. The system can keep up to 500 summary reports, generated each month, for a total of more than forty years of data (presuming enough disk space exists on the system).
The reporting facility is very simple to get started with, but this facility provides a large amount of flexibility for those sites requiring specific reporting functions. Detailed information on the BMC Defender Server reporting facility is provided in BMC-Defender-Server-reporting.
BMC Defender Server interactive usage
Although the CO-Syslog.exe program is quite usable without any other tools, the BMC Defender Server program provides a highly useful interactive interface that is the primary working view for administrators and users. This interface can easily be navigated by clicking the tabs at the top of the display. All BMC Defender Server screens related to the syslog processes are located under the Messages and Correlation tabs at the top of the screen.