CO-sysmsg.cnf file
This topic provides an example of the CO-sysmsg.cnf file, which is the central configuration file used by the BMC Defender syslog message service. An administrator or system developer can edit this file to specify the facility and severity codes used by the Event Log monitor. The file also allows users to monitor arbitrary streaming log files on the system (that is, any file that is continuously appended to, such as Oracle error logs, HTTP server logs, and many other types of log files).
The CO-sysmsg.cnf file is documented in detail in the CO-sysmsg config file section. As stated in that section, you do not necessarily ever have to modify the configuration file. The default configuration, created by the installation utility, is adequate for many (perhaps most) environments. However, if you want to create a highly customized installation that targets specific types of event log messages, the directives in the file provide that capability.
This file resides in the same directory as the CO-sysmsg.exe program (which corresponds to the BMC Defender syslog message Windows service). The file provided here is the default configuration that comes with the system.
# CO-Sysmsg, CorreLog Syslog Message Service Configuration File.
# See "CorreLog Windows Tool Set Reference Manual" for detailed notes.
# Copyright (c) 2008 - 2018, CorreLog, Inc. All rights reserved.
# http://www.correlog.com
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The following two items are the only items actually required.
# They are configured manually, or by the installation procedure,
# and are not affected by remote configuration operations.
DestinationAddress 127.0.0.1
DestinationPort 514
# Zero to eight alternate IP addresses can be listed below:
AuxAddress -1
# Parameters used for remote configuration of this process via the
# CorreLog web interface. The user can comment these values out to
# disable remote configuration. The "ListenAuthMode" can take values
# 0=No Auth, 1=Source Address, 2=PassKey, 3=Address and Key. These
# values cannot be changed via remote configuration.
ListenAuthMode 3
ListenPassKey Default
ListenPort 55514
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# These are optional. Consult the Win32 agent user's manual for info.
# MessagePrefix CorreLog
# MsgDelayMsecs 10
# MaxMessageSize 500
# LogLocal True
# EncryptData True
# MarkerMessage Mark – Host: %COMPUTERNAME% alive.
# MarkerMinutes 20
# Deduplicate 3
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The next section provides an optional list of event logs, the default
# facility for eventlog messages, and optional special keywords that
# change the default facility and severity of messages. Each event
# log has a separate specification.
# Including the three standard Event Logs, a maximum of 10 different
# Event Logs can be specified, each with a virtually unlimited number
# of UseFacility and UseSeverity combinations.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The following parameters apply to the Windows "Application" log.
Eventlog Application
DefaultFacility user
DefaultSeverity auto
# User can configure other "Application" severities and facilities here.
# UseFacility local7
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseFacility local8
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseSeverity debug
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseSeverity critical
# MatchKeyWord keyword
# MatchKeyWord keyword
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The following parameters apply to the Windows "System" log.
Eventlog System
DefaultFacility system
DefaultSeverity auto
# User can configure other "System" severities and facilities here.
# UseFacility local7
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseFacility local8
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseSeverity debug
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseSeverity critical
# MatchKeyWord keyword
# MatchKeyWord keyword
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The following parameters apply to the Windows "Security" log.
# This particular event log can be quite busy, so the default severity
# is set here to "disabled", which requires particular matches to be
# explicitly listed. The following are typical, and may be sufficient
# for many security applications.
Eventlog Security
DefaultFacility auth
DefaultSeverity disabled
UseSeverity info
MatchKeyWord bad password
MatchKeyWord successful logon: * type: 2
UseSeverity notice
MatchKeyWord change password attempt
MatchKeyWord account deleted
MatchKeyWord account disabled
UseSeverity warning
MatchKeyWord policy change
MatchKeyWord account created
MatchKeyWord account enabled
UseSeverity error
MatchKeyWord account locked out
# User can configure other "Security" severities and facilities
# here.
# UseFacility local7
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseFacility local8
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseSeverity debug
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseSeverity critical
# MatchKeyWord keyword
# MatchKeyWord keyword
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The next section provides a list of filenames, match keywords and
# the facility and severity of the resulting Syslog message.
# NOTE: After starting the "LogFile" section, no further "EventLog"
# directives should appear in the file.
# LogFile /program files/file1.log
# LogName FILE1:
# Encoding Default
# MaxSizeChange 10000
# DefaultFacility user
# DefaultSeverity disabled
# UseFacility local1
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseFacility local2
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseSeverity debug
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseSeverity critical
# MatchKeyWord keyword
# MatchKeyWord keyword
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The above list can be repeated multiple times, to specify various
# streaming log files, match patterns, and severities. A maximum
# of 10 different log files can be specified, each with a virtually
# unlimited number of UseFacility and UseSeverity combinations.
# LogFile /program files/file2.log
# LogName FILE1:
# Encoding Default
# MaxSizeChange 10000
# DefaultFacility user
# DefaultSeverity disabled
# UseFacility local1
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseFacility local2
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseSeverity debug
# MatchKeyWord keyword
# MatchKeyWord keyword
# UseSeverity critical
# MatchKeyWord keyword
# MatchKeyWord keyword
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# END OF FILE
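The default file above ships with `ListenPassKey Default` and documents four `ListenAuthMode` values, so a deployment review can check those settings mechanically. The following Python sketch is an added example, not BMC or CorreLog code: it parses the directives shown above and reports a remote-configuration listener that requires no pass key or still uses the shipped key, plus any log section that is disabled by default and has no `MatchKeyWord` rules. The function names, the case-insensitive directive matching, and the rule that the listener is active whenever `ListenPort` is set are assumptions.

```python
# Added example: audit a CO-sysmsg.cnf for weak remote-configuration settings.
# SAMPLE is a constructed excerpt of the default file shown above.
SAMPLE = """\
DestinationAddress 127.0.0.1
ListenAuthMode 3
ListenPassKey Default
ListenPort 55514
Eventlog Security
DefaultFacility auth
DefaultSeverity disabled
UseSeverity info
MatchKeyWord bad password
UseSeverity error
MatchKeyWord account locked out
"""

def parse_cnf(text):
    """Return (global settings, per-log sections); '#' lines are comments."""
    settings, sections, current, severity = {}, {}, None, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        # Assumption: directive names are matched case-insensitively.
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key in ("eventlog", "logfile"):
            current = sections.setdefault(value, {"default": None, "rules": []})
            severity = None
        elif current is None:
            settings[key] = value
        elif key == "defaultseverity":
            current["default"] = value
        elif key in ("useseverity", "usefacility"):
            severity = value if key == "useseverity" else None
        elif key == "matchkeyword" and severity:
            current["rules"].append((severity, value))
    return settings, sections

def audit(text):
    """Return findings for the listener settings and silent log sections."""
    settings, sections = parse_cnf(text)
    findings = []
    mode = settings.get("listenauthmode")
    if "listenport" in settings:  # assumption: listener is active when set
        if mode not in ("2", "3"):  # modes 0 and 1 do not use the pass key
            findings.append(f"ListenAuthMode {mode}: no pass key is required")
        elif settings.get("listenpasskey", "").lower() == "default":
            findings.append("ListenPassKey is still the shipped value 'Default'")
    for name, sec in sections.items():
        if sec["default"] == "disabled" and not sec["rules"]:
            findings.append(f"{name}: disabled by default with no MatchKeyWord rules")
    return findings
```

Run `audit()` on the text of each agent's CO-sysmsg.cnf; an empty list means none of these three conditions was found.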
CO-sysmsg config file
The CO-sysmsg.cnf file contains all the parameters and specifications related to the program's operation. This file is found in the same directory as the CO-sysmsg.exe program, which by default is the C:\installationDirectory\wintools\CO-sysmsg.cnf file.
Editing this file is not required. The installation dialog creates a version of this file that is adequate for many (and perhaps most) situations. However, if you want to fine-tune the parameters of the syslog messages, monitor streaming log files in addition to the Windows event logs, or change the location of the BMC Defender Server destination, the file can be edited with a standard text editor, as explained here. The file can also be modified via the remote configuration functions, as detailed in the following sections of this space.
If the configuration file changes via a manual edit, you must stop the CO-sysmsg.exe service and restart the service. Any errors detected while reading the configuration file are logged to the CO-sysmsg.log file, in the same directory as the CO-sysmsg.exe program and CO-sysmsg.cnf file. If the configuration file is changed via a remote configuration operation, no restart of the CO-sysmsg.exe program is required.
Detailed notes on this file, possibly of interest to administrators or developers, are provided in this section.
BMC Defender Agent for Windows configuration file directives and help
The CO-sysmsg.cnf file contains all the parameters and specifications related to the program's operation. This file is found in the same directory as the CO-sysmsg.exe program, that is, the C:\installationDirectory\wintools\CO-sysmsg.cnf file by default.
There is no need to edit this file. The installation creates a version of this file that should be adequate for most situations. However, you can edit the file via the Config.exe program (available in the Installer's Start menu) if you want to do the following:
- Fine-tune the parameters of the syslog messages.
- Monitor streaming log files in addition to the Windows event logs.
- Change the location of the BMC syslog destination.