CO-logmon configuration file


The CO-logmon configuration file (CO-logmon.cnf) contains all parameters and specifications related to the CO-logmon program operation. You can find this file in the same directory as the CO-logmon program, by default /opt/BMC-Datastream or /usr/local/BMC-Datastream.

During installation, the root administrator must edit this file to specify the location of the BMC Defender Server. The administrator must modify the DestinationAddress directive and confirm the DestinationPort configuration directive to specify the location of the server.

After installation, the configuration file is ready to run and does not require modification. However, you can modify the parameters of the syslog messages or monitor new streaming log files. To modify the configuration file, see Modifying-the-configuration-files.

The CO-logmon.cnf file contains the following sections:

Destination address and port number

The destination address and port number for syslog messages are required at the beginning of the file. You cannot move the directives to another section. If multiple entries exist, only the last entry recorded is used and the other directives are ignored.

They are set during the installation process, but you can modify the values.

The following table provides a description of the directives:

Directive

Description

DestinationAddress

IP address that corresponds to the location of the BMC Defender syslog receiver (typically the IP address of BMC Defender Server) 

If this value is invalid, the CO-logmon program does not send syslog messages.

DestinationPort

UDP port number

The value is not usually changed and is provided for reference.

Default value: 514 (standard UDP port number used by syslog)

The directives are identical to the directives of the CO-logmon.cnf file.

Remote configuration parameters (optional)

You can configure remote capabilities, including the required type of authentication and optional passkey.

If you comment out or remove the directives from the configuration file, then remote configuration is disabled and only manual configuration of the CO-logmon program is permitted.

CO-logmon supports remote configuration directives by BMC Defender Server or the rsmconf.exe remote configuration utility.

The following directives support this function:

Directive

Description

ListenAuthMode

Authentication mode used when processing remote requests

The directive is followed by one of the following numbers:

  • 0—No authentication
  • 1—Authentication by source address
  • 2—Authentication by passkey
  • 3—Authentication by both source address and passkey

Default value: 3

ListenPassKey

Passkey used with remote configuration when the ListenAuthMode value is 2 or 3

The value is a simple password. The corresponding password is found in the System > Parameters tab of BMC Defender Server.

ListenPort

TCP port number by which CO-logmon listens for remote requests

The value is not usually changed and is provided for reference.

Default value: 55514

The following parameters are optional:

Parameter

Description

MessagePrefix

Prefix for any message that the system sends

A prefix can help to distinguish messages. For example, you could use a keyword, device name, or organization name as a message prefix.

If you omit this parameter, the message has no prefix.

Default value: hostName userName

MsgDelaySecs

Number of milliseconds to wait after sending a message

Any integer from 10 through 5,000 is valid.

Use this value to limit the number of messages that can be sent (from 10 per second to 12 per minute) and prevent any one syslog process from flooding a syslog message receiver.

If you omit this parameter, the default value is used.

Default value: 100 milliseconds

LogLocal

Whether all syslog messages that CO-logmon sends should be logged to the CO-logmon.log file

If True, messages are logged in CO-logmon.log with any error messages that the program encounters. The process offers a simple way to verify whether UDP messages get dropped.

If False, or if you omit this parameter, the messages are not logged to CO-logmon.log.

Important

CO-logmon.log restarts each time the service starts. Restarting prevents the log file from becoming too large.

Default value: False

For more information, see Message-encryption.

EncryptData

Whether message data is encrypted before transmission

If True, message data is encrypted before transmission. This setting makes the CO-logmon program usable only with the BMC Defender Server.

If False, or if you remove this parameter, the message data is not encrypted before transmitting. For more information, see Message encryption.

Default value: True

MessageFormat

Phrase or keyword flag that controls the message format of all messages from the agent

Common values for this parameter are normal or LEEF, but other values might be available to support special message formats. For other values and variants, contact BMC Support.

This parameter is usually omitted from the configuration file.
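
As an added example (not part of the BMC documentation or product), the following Python script audits a CO-logmon.cnf for the conditions described in the sections above: repeated or non-IP DestinationAddress values, a ListenAuthMode that does not require a passkey, an out-of-range MsgDelaySecs, and unencrypted message data. The whitespace-separated "Directive value" line syntax, the "#" comment marker, and all sample values are assumptions.

```python
import ipaddress

# Constructed sample. The "Directive value" line syntax and "#" comments are assumptions.
SAMPLE_CNF = """\
DestinationAddress 10.0.0.5
DestinationPort 514
DestinationAddress defender.local
ListenAuthMode 1
ListenPort 55514
MsgDelaySecs 5
EncryptData False
"""

def parse(text):
    """Map each directive to the list of its values, in file order."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            seen.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return seen

def audit(text):
    """Return findings for settings the documentation describes as weak or invalid."""
    cfg, findings = parse(text), []
    last = lambda key, default=None: cfg[key][-1] if key in cfg else default
    addr = last("DestinationAddress", "")
    if len(cfg.get("DestinationAddress", [])) > 1:
        findings.append(f"several DestinationAddress entries; only the last ({addr}) is used")
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        findings.append("DestinationAddress is not an IP address; no syslog messages are sent")
    mode = last("ListenAuthMode")  # None when the directive is absent
    if mode in ("0", "1"):
        findings.append(f"ListenAuthMode {mode}: remote requests are accepted without a passkey")
    if mode in ("2", "3") and not last("ListenPassKey"):
        findings.append(f"ListenAuthMode {mode} needs ListenPassKey, but none is set")
    delay = last("MsgDelaySecs")
    if delay is not None and not (delay.isdigit() and 10 <= int(delay) <= 5000):
        findings.append("MsgDelaySecs is outside the valid range of 10 through 5,000")
    # The EncryptData description says a removed parameter behaves like False.
    if last("EncryptData", "False").lower() != "true":
        findings.append("EncryptData is False or absent: message data is not encrypted")
    return findings
```
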

Log file monitor specifications

You can configure one or more log file monitors, default facilities, severities, and match patterns that override these defaults. Use the MatchKeyWord directive to configure multiple log files, each with multiple patterns, to control multiple facilities and severities.

For more information, see Log-file-specification-considerations.

The following directives are supported:

Directive

Description

LogFile

Path name to a streaming text log file on the system

You can specify the path name relative to the location of the CO-logmon program or as an absolute path name by using either forward or backward slashes. All the directives that follow, until the next LogFile directive, apply to the specified log file.

This directive can contain time-format values, such as %y, %m, and %d to match (respectively) the two-digit year, two-digit month, or two-digit day.

Example

The file specification /var/logs/f-%y%m%d.log would monitor a file named f-091231.log.

For more information, see Time-format-symbols-for-log-file-names.

LogName

Name of the log file or subsystem that is displayed in the syslog message

The value can be any text string up to 500 characters. You can end the value with a colon (for example, Oracle Data: or HTTP Log File:).

If you omit this directive, the event message is identified with the log file in the message content only.

MaxSizeChange

Maximum size, as an integer value in bytes, that the file can increase during a 500-millisecond interval

If a file size increases beyond the maximum size, a message is triggered.

Use this directive to prevent excessive syslog messages when a file has extremely rapid updates, such as during a new file copy.

If you omit this directive, the default value of 10,000 bytes applies.

LogStatChange

Whether the monitor agent sends a syslog message (with DefaultFacility and DefaultSeverity) if the file modification time changes

Use this directive to monitor file objects that are not necessarily log files. The file object specified by LogFile can be a directory or any file, including an executable file or configuration file.

Important

You cannot use LogStatChange with MatchKeyWord expressions.

If you omit this directive, changes to the file modification times are not monitored.

DefaultFacility

Facility name or official facility number (between 0 and 23) that identifies the default facility code used in all messages that log to the specific file

For more information about valid facilities, see Facilities-and-severities.

If you omit this directive, the default facility is user.

DefaultSeverity

Severity name or official severity number (between 0 and 7) that identifies the severity code used in all messages that log to the specific file

The value of this directive is commonly disabled or -1, indicating that no message is processed unless it matches one of the UseSeverity patterns (described later in this topic). For more information, see Disabled severity.

For more information about valid severities, see Facilities-and-severities.

If you omit this directive, the default severity is disabled.

UseFacility

Message facility that replaces the DefaultFacility value when a log entry matches one of the match patterns that follow; the directive comes after DefaultFacility and is followed by one or more MatchKeyWord directives

The UseFacility directive operates identically to the Event Log monitor. The directive is followed by a series of match patterns, any of which causes the UseFacility value to be used as the message facility.

You can configure multiple UseFacility directives, each followed by multiple MatchKeyWord directives.

UseSeverity

Message severity that replaces the DefaultSeverity value when a log entry matches one of the match patterns that follow; the directive comes after DefaultSeverity and is followed by one or more MatchKeyWord directives

The UseSeverity directive operates identically to the Event Log monitor.

You can configure multiple UseSeverity directives, each followed by multiple MatchKeyWord directives.

MatchKeyWord

Nested under a UseFacility or UseSeverity directive, a single match keyword

The keyword can use * or ? wildcards.

The MatchKeyWord directive operates identically to the Event Log monitor.

If a new log file entry matches the specified pattern, the related severity or facility is used. You can specify multiple patterns.

Any other directive ends the MatchKeyWord list, so the MatchKeyWord directives must all be contiguous within a single UseFacility or UseSeverity block.
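
As an added example (not BMC code), the following Python model shows how one LogFile block resolves the facility and severity of a new log entry, and how %y, %m, and %d in the LogFile path expand for a given date. The "Directive value" line syntax, the sample block and severity names, substring-style keyword matching, and the rule that the first matching block wins are assumptions.

```python
from datetime import date
from fnmatch import fnmatchcase

# Constructed LogFile block. The "Directive value" line syntax is an assumption.
SAMPLE_BLOCK = """\
LogFile /var/logs/f-%y%m%d.log
LogName HTTP Log File:
DefaultFacility user
DefaultSeverity disabled
UseSeverity error
MatchKeyWord *denied*
MatchKeyWord fail??
UseSeverity notice
MatchKeyWord *login*
"""

def parse_block(text):
    """Return (settings, rules); each rule is (directive, value, [keywords])."""
    cfg, rules, current = {}, [], None
    for line in text.splitlines():
        name, _, value = line.strip().partition(" ")
        if name in ("UseFacility", "UseSeverity"):
            current = (name, value, [])
            rules.append(current)
        elif name == "MatchKeyWord" and current:
            current[2].append(value)
        elif name:
            cfg[name] = value
            current = None  # any other directive ends the MatchKeyWord list
    return cfg, rules

def current_log_path(cfg, day):
    """Expand the %y, %m and %d symbols of the LogFile path for one date."""
    path = cfg["LogFile"]
    for sym in ("%y", "%m", "%d"):
        path = path.replace(sym, day.strftime(sym))
    return path

def classify(entry, cfg, rules):
    """Return (facility, severity); severity 'disabled' means no message is sent."""
    out = {"UseFacility": cfg.get("DefaultFacility", "user"),
           "UseSeverity": cfg.get("DefaultSeverity", "disabled")}
    done = set()
    for kind, value, patterns in rules:
        # Assumptions: keywords match anywhere in the entry; first matching block wins.
        if kind not in done and any(fnmatchcase(entry, f"*{p}*") for p in patterns):
            out[kind] = value
            done.add(kind)
    return out["UseFacility"], out["UseSeverity"]
```
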

Where to go from here

To modify the configuration values, see Modifying-the-configuration-files.
