Example of CO-logmon.cnf
The CO-logmon.cnf file is the central configuration file for the BMC Defender syslog message service. An administrator or system developer edits this file to specify the facility and severity codes that the Event Log monitor uses. CO-logmon.cnf also lets you monitor arbitrary streaming log files on the system (that is, any file that is continuously appended to, such as Oracle error logs, HTTP server logs, and many other types of log files).
As stated in CO-logmon-configuration-file, the configuration file does not necessarily require modification. The default configuration, which the installation utility creates, is adequate for most environments. However, if you want a highly customized installation that targets specific types of event log messages, you can modify the directives in CO-logmon.cnf.
This file resides in the same directory as the CO-logmon program (which corresponds to the BMC Defender syslog Message UNIX Service).
The following example shows the default CO-logmon.cnf file. Note that, as shipped, the file enables remote configuration of the process from the BMC Defender web interface with ListenAuthMode 0 (no authentication) and the passkey "Default". On hosts that should not accept remote configuration, comment out the ListenAuthMode, ListenPassKey, and ListenPort directives; otherwise, set a stronger authentication mode and a site-specific passkey. These values can only be changed by editing the file; they are not affected by remote configuration operations.
# CO-Logmon, BMC-Defender Log Monitor Message Service Configuration File.
# LINUX Version
# See "BMC-Defender Unix Tool Set Reference Manual" for detailed notes.
# Copyright (c) 2009 - 2018, CorreLog, Inc. All rights reserved.
# Copyright 2018 - 2019, BMC Software, Inc. http://www.bmc.com
# All rights reserved.
# DO NOT DISCLOSE.
# The following two items are the only items actually required.
# They are configured manually, or by the installation procedure,
# and are not affected by remote configuration operations.
# The location of the BMC-Defender server (or other syslog host) must
# be configured below. The value must be properly configured by the
# administrator
DestinationAddress 127.0.0.1
DestinationPort 514
# Parameters used for remote configuration of this process via the
# BMC-Defender web interface. The user can comment these values out to
# disable remote configuration. The "ListenAuthMode" can take values
# 0=No Auth, 1=Source Address, 2=PassKey, 3=Address and Key. These
# values cannot be changed via remote configuration.
ListenAuthMode 0
ListenPassKey Default
ListenPort 55514
# Prefix all messages with the computer hostname.
MessagePrefix Location: %HOSTNAME% -
# Send this message periodically:
MarkerMessage Linux Agent Running.
MarkerMinutes 30
# The next section provides a list of filenames, match keywords and
# the facility and severity of the resulting syslog message. The
# following default values can be augmented or modified.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
LogFile /var/log/secure
LogName Security
MaxSizeChange 10000
DefaultFacility security
DefaultSeverity auto
UseSeverity error
MatchKeyWord fail
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
LogFile /var/log/auth.log
LogName Auth
MaxSizeChange 10000
DefaultFacility auth
DefaultSeverity auto
UseSeverity error
MatchKeyWord fail
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
LogFile /etc/passwd
LogName Password File:
LogStatChange enabled
DefaultFacility audit
DefaultSeverity warning
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
LogFile /etc/group
LogName Groups File:
LogStatChange enabled
DefaultFacility audit
DefaultSeverity warning
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
LogFile /etc/sudoers
LogName Sudoers File:
LogStatChange enabled
DefaultFacility audit
DefaultSeverity warning
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
LogFile /etc/hosts
LogName System Host File:
LogStatChange enabled
DefaultFacility audit
DefaultSeverity warning
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Force all output messages to be in UTF-8 character encoding.
# This is often necessary in Z/OS USS environments that send messages
# to a Windows or Linux system.
#
ForceUTF8output true
# END OF FILE
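The following Python script is an added example; it is not part of the BMC Defender product or of this page. It parses a CO-logmon.cnf file into its global settings and its per-LogFile blocks, reports the shipped defaults that an administrator normally changes (the loopback DestinationAddress, ListenAuthMode 0, and the "Default" passkey), and shows which facility and severity a block would assign to constructed sample log lines. The directive semantics it assumes (each LogFile line opens a new block, a directive's value is everything after the first space, and MatchKeyWord is a case-insensitive substring match that raises a matching line's severity from DefaultSeverity to UseSeverity) are inferred from the default file above, not taken from the product's reference manual.

```python
"""Parse, audit and exercise a CO-logmon.cnf file.

Added example; not BMC or CorreLog code. The directive semantics below
(a LogFile line opens a new block; the value is everything after the first
space; MatchKeyWord is a case-insensitive substring match that raises a
line's severity to UseSeverity, otherwise DefaultSeverity applies) are
assumptions inferred from the default file, not documented behaviour.
"""

# Constructed sample: a trimmed copy of the default file, keeping the
# directives that the checks below look at.
SAMPLE_CNF = """\
# CO-Logmon configuration (constructed sample)
DestinationAddress 127.0.0.1
DestinationPort 514
ListenAuthMode 0
ListenPassKey Default
ListenPort 55514
MessagePrefix Location: %HOSTNAME% -
# # # # # # # # # # # # # # # # # # #
LogFile /var/log/secure
LogName Security
MaxSizeChange 10000
DefaultFacility security
DefaultSeverity auto
UseSeverity error
MatchKeyWord fail
# # # # # # # # # # # # # # # # # # #
LogFile /etc/passwd
LogName Password File:
LogStatChange enabled
DefaultFacility audit
DefaultSeverity warning
"""

# Meaning of ListenAuthMode values, copied from the comment in the default file.
AUTH_MODES = {0: "No Auth", 1: "Source Address", 2: "PassKey", 3: "Address and Key"}


def parse_cnf(text):
    """Return (global_settings, log_blocks) for the text of a CO-logmon.cnf."""
    globals_, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # blank line or comment
        name, _, value = line.partition(" ")
        value = value.strip()               # MessagePrefix legitimately contains spaces
        if name == "LogFile":               # assumption: each LogFile starts a block
            current = {"LogFile": value}
            blocks.append(current)
        elif current is None:
            globals_[name] = value          # directives before the first LogFile
        else:
            current[name] = value
    return globals_, blocks


def audit_settings(globals_):
    """Return findings about shipped defaults that an administrator should change."""
    findings = []
    if globals_.get("DestinationAddress") == "127.0.0.1":
        findings.append("DestinationAddress is still 127.0.0.1; events never leave this host")
    if "ListenPort" in globals_:            # listener commented out => remote config disabled
        mode = int(globals_.get("ListenAuthMode", "0"))
        if mode == 0:
            findings.append("ListenAuthMode 0 (%s): ListenPort %s accepts remote configuration "
                            "without any authentication" % (AUTH_MODES[0], globals_["ListenPort"]))
        if globals_.get("ListenPassKey") == "Default":
            findings.append("ListenPassKey is the shipped value 'Default'; "
                            "set a site-specific key before relying on mode 2 or 3")
    return findings


def classify(block, line):
    """Facility and severity a block would assign to one log line (assumed semantics)."""
    keyword = block.get("MatchKeyWord")
    if keyword and keyword.lower() in line.lower():
        return block["DefaultFacility"], block.get("UseSeverity", block["DefaultSeverity"])
    return block["DefaultFacility"], block["DefaultSeverity"]


if __name__ == "__main__":
    settings, blocks = parse_cnf(SAMPLE_CNF)
    for finding in audit_settings(settings):
        print("FINDING:", finding)
    sample_lines = [  # constructed log lines in /var/log/secure style
        "sshd[2231]: Failed password for root from 10.0.0.5 port 51022 ssh2",
        "sshd[2240]: Accepted publickey for alice from 10.0.0.7 port 51030 ssh2",
    ]
    for entry in sample_lines:
        print(classify(blocks[0], entry), entry)
```

Run it against the real file by replacing SAMPLE_CNF with the contents of CO-logmon.cnf from the CO-logmon program directory; blocks that use LogStatChange rather than MatchKeyWord carry no keyword, so classify() simply returns their DefaultFacility and DefaultSeverity.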