CO-sysmsg.cnf file


This topic provides an example of the CO-sysmsg.cnf file, which is the central configuration file used by the BMC Defender syslog message service. An administrator or system developer can edit this file to specify the facility and severity codes used by the Event Log monitor. The file also allows users to monitor arbitrary streaming log files on the system (that is, any file that is continuously appended to, such as Oracle error logs, HTTP server logs, and many other types of log files).

The CO-sysmsg.cnf file is documented in detail in the CO-sysmsg config file section. As stated in that section, you do not necessarily ever have to modify the configuration file. The default configuration, created by the installation utility, is adequate for many (perhaps most) environments. However, if you want to create a highly customized installation that targets specific types of event log messages, that capability is readily available through the directives in the file.

This file resides in the same directory as the CO-sysmsg.exe program (which corresponds to the BMC Defender syslog message Windows service). The file provided here is the default configuration that comes with the system.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# CO-Sysmsg, CorreLog Syslog Message Service Configuration File.
# See "CorreLog Windows Tool Set Reference Manual" for detailed notes.
# Copyright (c) 2008 - 2018, CorreLog, Inc. All rights reserved.
# http://www.correlog.com
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The following two items are the only items actually required.
# They are configured manually, or by the installation procedure,
# and are not affected by remote configuration operations.
DestinationAddress  127.0.0.1
DestinationPort     514
# Zero to eight alternate IP addresses can be listed below:
AuxAddress          -1
# Parameters used for remote configuration of this process via the
# CorreLog web interface. The user can comment these values out to
# disable remote configuration. The "ListenAuthMode" can take values
# 0=No Auth, 1=Source Address, 2=PassKey, 3=Address and Key. These
# values cannot be changed via remote configuration.
ListenAuthMode      3
ListenPassKey       Default
ListenPort          55514
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# These are optional. Consult the Win32 agent user's manual for info.
# MessagePrefix     CorreLog
# MsgDelayMsecs     10
# MaxMessageSize    500
# LogLocal          True
# EncryptData       True
# MarkerMessage     Mark – Host: %COMPUTERNAME% alive.
# MarkerMinutes     20
# Deduplicate       3
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The next section provides an optional list of event logs, the default
# facility for eventlog messages, and optional special keywords that
# change the default facility and severity of messages. Each event
# log has a separate specification.
# Including the three standard Event Logs, a maximum of 10 different
# Event Logs can be specified, each with a virtually unlimited number
# of UseFacility and UseSeverity combinations.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The following parameters apply to the Windows "Application" log.
Eventlog            Application
DefaultFacility     user
DefaultSeverity     auto
# User can configure other "Application" severities and facilities here.
# UseFacility       local7
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseFacility       local8
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseSeverity       debug
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseSeverity       critical
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The following parameters apply to the Windows "System" log.
Eventlog            System
DefaultFacility     system
DefaultSeverity     auto
# User can configure other "System" severities and facilities here.
# UseFacility       local7
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseFacility       local8
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseSeverity       debug
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseSeverity       critical
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The following parameters apply to the Windows "Security" log.
# This particular event log can be quite busy, so the default severity
# is set here to "disabled", which requires particular matches to be
# explicitly listed. The following are typical, and may be sufficient
# for many security applications.
Eventlog            Security
DefaultFacility     auth
DefaultSeverity     disabled
UseSeverity         info
MatchKeyWord        bad password
MatchKeyWord        successful logon: * type: 2
UseSeverity         notice
MatchKeyWord        change password attempt
MatchKeyWord        account deleted
MatchKeyWord        account disabled
UseSeverity         warning
MatchKeyWord        policy change
MatchKeyWord        account created
MatchKeyWord        account enabled
UseSeverity         error
MatchKeyWord        account locked out
# User can configure other "Security" severities and facilities
# here.
# UseFacility       local7
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseFacility       local8
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseSeverity       debug
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseSeverity       critical
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The next section provides a list of filenames, match keywords and
# the facility and severity of the resulting Syslog message.
# NOTE: After starting the "LogFile" section, no further "EventLog"
# directives should appear in the file.
# LogFile           /program files/file1.log
# LogName           FILE1:
# Encoding          Default
# MaxSizeChange     10000
# DefaultFacility   user
# DefaultSeverity   disabled
# UseFacility       local1
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseFacility       local2
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseSeverity       debug
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseSeverity       critical
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The above list can be repeated multiple times, to specify various
# streaming log files, match patterns, and severities. A maximum
# of 10 different log files can be specified, each with a virtually
# unlimited number of UseFacility and UseSeverity combinations.
# LogFile           /program files/file2.log
# LogName           FILE1:
# Encoding          Default
# MaxSizeChange     10000
# DefaultFacility   user
# DefaultSeverity   disabled
# UseFacility       local1
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseFacility       local2
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseSeverity       debug
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# UseSeverity       critical
# MatchKeyWord      keyword
# MatchKeyWord      keyword
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# END OF FILE
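
An added example, not part of the BMC documentation or product: a small Python check that parses the directives shown in the file above, reports remote-configuration and transport settings worth reviewing, and lists which Security log keywords are forwarded at each severity. The findings policy, the function names, and the treatment of directive names as case-insensitive are assumptions of this example.

```python
# Constructed sample: directives copied from the default file shown above.
SAMPLE_CNF = """\
ListenAuthMode      3
ListenPassKey       Default
ListenPort          55514
# EncryptData       True
Eventlog            Security
DefaultSeverity     disabled
UseSeverity         info
MatchKeyWord        bad password
UseSeverity         error
MatchKeyWord        account locked out
"""

def parse_cnf(text):
    """Return (directive, value) pairs, names lowercased (assumed case-insensitive)."""
    pairs = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):  # skip blanks and comments
            pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs

def audit_remote_config(text):
    """Apply this example's own review policy (an assumption, not vendor guidance)."""
    cfg = dict(reversed(parse_cnf(text)))  # first occurrence of each directive wins
    findings = []
    if "listenport" in cfg:  # remote configuration listener is enabled
        if cfg.get("listenauthmode") not in ("2", "3"):
            findings.append("ListenAuthMode does not require a passkey")
        elif cfg.get("listenpasskey", "").lower() in ("", "default"):
            findings.append("ListenPassKey is unset or the shipped value 'Default'")
    if cfg.get("encryptdata", "").lower() != "true":
        findings.append("EncryptData is not set to True")
    return findings

def forwarded_keywords(text, log_name="security"):
    """Map each UseSeverity level to its MatchKeyWord list for one Eventlog section."""
    levels, in_section, level = {}, False, None
    for key, value in parse_cnf(text):
        if key in ("eventlog", "logfile"):
            in_section, level = (key == "eventlog" and value.lower() == log_name), None
        elif in_section and key in ("useseverity", "usefacility"):
            level = value if key == "useseverity" else None
        elif in_section and key == "matchkeyword" and level:
            levels.setdefault(level, []).append(value)
    return levels

if __name__ == "__main__":
    print(audit_remote_config(SAMPLE_CNF), forwarded_keywords(SAMPLE_CNF))
```

With the default file, the check reports the shipped passkey and the commented-out EncryptData directive; commenting out ListenPort, which disables remote configuration as the file's own comments describe, removes the passkey finding.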

CO-sysmsg config file

The CO-sysmsg.cnf file contains all the parameters and specifications related to the program's operation. This file is found in the same directory as the CO-sysmsg.exe program, which by default is the C:\installationDirectory\wintools\CO-sysmsg.cnf file.

Editing this file is not required. The installation dialog creates a version of this file that is adequate for many (and perhaps most) situations. However, if you want to fine-tune the parameters of the syslog messages, monitor streaming log files in addition to the Windows event logs, or change the location of the BMC Defender Server destination, the file can be edited with a standard text editor, as explained here. The file can also be modified via the remote configuration functions, as detailed in the following sections of this space.

If the configuration file is changed by a manual edit, you must stop the CO-sysmsg.exe service and restart it. Any errors detected while reading the configuration file are logged to the CO-sysmsg.log file, in the same directory as the CO-sysmsg.exe program and the CO-sysmsg.cnf file. If the configuration file is changed via a remote configuration operation, no restart of the CO-sysmsg.exe program is required.

Detailed notes on this file, possibly of interest to administrators or developers, are provided in this section. 

Note

This information is not needed to install and use the CO-sysmsg.exe program; it is provided only to support more advanced applications and requirements.

BMC Defender Agent for Windows configuration file directives and help

The CO-sysmsg.cnf file contains all the parameters and specifications related to the program's operation. This file is found in the same directory as the CO-sysmsg.exe program, that is, the C:\installationDirectory\wintools\CO-sysmsg.cnf file by default.

There is no need to edit this file. The installation creates a version of this file that should be adequate for most situations. However, you can edit the file via the Config.exe program (available in the Installer's Start menu) if you want to do the following:

  • Fine-tune the parameters of the syslog messages.
  • Monitor streaming log files in addition to the Windows event logs.
  • Change the location of the BMC syslog destination. 

 
