Using BMC Defender File Integrity Monitor Adapter
At many sites, the entire usage of BMC Defender FIM Adapter consists of installing the program (as discussed in the previous section) and then rarely if ever visiting that installation again. The BMC Defender FIM Adapter does not require program maintenance and does not interfere with other system processes. The system configuration file (discussed in the next section of this space) is ready-to-run and does not require any customization, other than the destination syslog host supplied by the installation dialog.
However, the BMC Defender FIM Adapter Agent programs have various capabilities available for general users, documented in this section. Specifically, the CO-Fmon.exe program has a comprehensive configuration file that allows tailoring of the directories and files that are periodically scanned. Additionally, you can customize various parameters of the agent, can create a new Image file for the agent, and can run checks of the system on demand.
This section provides detailed notes on the BMC Defender FIM Adapter command-line options and application notes suitable for use by administrators and developers who need to extend the Windows syslog monitoring capabilities of their organization. The section would be of interest to other users who need to assess the capabilities of the BMC Defender FIM Adapter tools and syslog protocol in general.
Command-line arguments
The CO-Fmon.exe program accepts various command-line options that allow it to be executed at a command prompt. Although these command-line options are never required, they might facilitate certain user operations, especially in batch files. The options of the program are as follows:
| Command | Description |
|---|---|
| CO-Fmon -install | The -install option causes the program to be installed as the BMC Defender FIM Adapter service in the Windows Service Manager. If the service is already installed, no action occurs. This is normally executed by the CO-install.exe program, but can be executed manually to re-install the service. |
| CO-Fmon -remove | The -remove option removes the program from the Windows Service Manager, first stopping the service (as needed). This is normally executed by the CO-uinstall.exe program, but can be executed manually to uninstall the service. |
| CO-Fmon -start | The -start option starts the BMC Defender FIM Adapter service, identical to starting the service via the Windows Service Manager, or executing the NET START CORRELOG FILE command. If the service has already started, this option has no effect. |
| CO-Fmon -stop | The -stop option stops the BMC Defender FIM Adapter service, identical to ending the service via the Windows Service Manager, or executing the NET STOP CORRELOG FILE command. If the service has already stopped, this option has no effect. |
| CO-Fmon -mode auto / manual / disable | The -mode option must be followed by the keyword auto, manual, or disable, and modifies the BMC Defender FIM Adapter service startup mode, identical to making this modification via the Windows Service Manager. |
| CO-Fmon -permit | The -permit option tests the permissions of the current user to access the Windows Service Manager. The program displays the status of the permissions, as either available or not. |
| CO-Fmon -foreground | The -foreground option executes the CO-fmon.exe program as a foreground process, without the service manager. In addition to sending syslog messages to the receiver, the program displays any internal error messages or warnings, and additionally displays messages on standard output. |
| CO-Fmon -generate | The -generate option is provided mainly for extensibility or system-level debugging, and causes the CO-fmon.img file to be generated on the system, listing all the files specified in the CO-fmon.cnf file. This allows you to manually generate a new Image File, which serves as the baseline for detecting changes on the system. (See section CO-fmon.img—Image File.) |
| CO-Fmon -diff | The -diff option is provided mainly for extensibility or system-level debugging, and causes the CO-fmon.stt file to be generated on the system, listing all the file changes. The option generates a new listing, compares the listing to the CO-fmon.img file, and generates syslog messages for each change. This allows you to manually generate a new difference list on the system. |
| CO-Fmon -help | The -help option displays brief help on the preceding options. |
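The -generate / -diff cycle described in the table, in working form, as an added illustration that is not the BMC Defender FIM Adapter's own code: it baselines the configured directories, compares a fresh listing against that baseline, and formats one syslog-style message per change. The image layout, the SHA-256 digest, and the message text are assumptions.

```python
import hashlib
import os
from datetime import datetime, timezone

# Illustrative reimplementation of the -generate / -diff cycle (not the adapter's own code).
# The image layout, SHA-256 digest and syslog message text are assumptions.

def _digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def generate_image(roots):
    """-generate: walk the configured directories and record size + SHA-256 per file."""
    image = {}
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                try:
                    image[p] = {"size": os.path.getsize(p), "sha256": _digest(p)}
                except OSError:
                    continue  # unreadable, or removed between listing and hashing
    return image

def diff_images(baseline, current):
    """-diff: compare a fresh image against the baseline; returns (path, change) pairs."""
    changes = []
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline:
            changes.append((p, "added"))
        elif p not in current:
            changes.append((p, "deleted"))
        elif baseline[p] != current[p]:
            changes.append((p, "changed"))
    return changes

def syslog_line(path, change, host="agent-host", facility=13, severity=4):
    """One RFC 3164 style line; PRI = facility * 8 + severity (13 = log audit, 4 = warning)."""
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{facility * 8 + severity}>{ts} {host} CO-Fmon: file {change}: {path}"
```

Running generate_image once and keeping its result is the baseline; running it again and passing both results to diff_images is the on-demand check.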
Rfmconf.exe utility
The BMC Defender FIM Adapter includes a utility that permits remote configuration changes to the CO-Fmon.exe program. The utility is located at system\rfmconf.exe on the main BMC Defender Server. It allows an administrator (with authentication and security) to remotely change the configuration of the CO-sysmsg.exe program, assisting in the configuration and maintenance of the program.
The configuration of the BMC Defender FIM Adapter is discussed in detail in the sections that follow. Although it might never be necessary to change the default settings of the CO-Fmon.exe program, match patterns, log file monitors, and other parameters might need to be maintained, especially during the initial setup and configuration of the system.
The Rfmconf.exe program allows you to download and upload the configuration file from a CO-Fmon.exe program. When uploading changes, the new configuration immediately takes effect in the CO-Fmon.exe program without requiring a restart of the service. Extensive checks and security features are incorporated into the system as explained in detail in the sections that follow.
Configuration items
In addition to specifying the destination address and port number, the configuration file contains a number of other settings that can be used to specify log files (in addition to the Win32 event log files), as well as match patterns that set the facility and severities of the various syslog messages.
The file contains the following sections:
- Destination address and port number—The top of the file contains the destination address and port number for syslog messages, both of which are required for all configurations of the agent. The destination address specifies a hostname or IP address. The port number is usually not modified (the default is UDP port 514, appropriate for syslog messages).
- Remote configuration parameters—The next section of the file contains information regarding the remote configuration capability of the program, including the type of authentication and optional passkey required to permit remote configuration.
- Auxiliary addresses—The next section of the file contains optional auxiliary addresses. These addresses can be used to forward the syslog information for up to eight different auxiliary addresses.
- Optional parameters—Following the preceding fields, you can specify ancillary parameters, such as whether encryption is to be used. These optional parameters apply to all event log and log file monitors configured in later sections.
- Event log specifications—Following the Optional parameters section are multiple entries that list all the Win32 event logs and the facilities to use for each event log. You can configure multiple match patterns for multiple facilities and severities using the MatchKeyWord directive.
- Log file monitors—Following the event log specifications are multiple entries that allow you to specify zero or more streaming log files, that can be continuously monitored by the program. You can configure multiple log files, each with multiple patterns to control multiple facilities and severities, using the MatchKeyWord directive.
File Monitoring
In addition to monitoring the Windows event logs, you can use the CO-sysmsg.exe program to monitor multiple, arbitrary streaming log files on the system. This function works independently of the Windows event log and permits an administrator to instrument special log files, such as the Apache HTTP Server logs, Oracle database error logs, and many other logs on the system.
You can monitor only streaming text log files. That is, the log file must be appended with text information, with new information tacked on to the end of the file. The program cannot monitor files that continuously change size, are written in reverse chronological order, or are not mainly ASCII text. Fortunately, this type of log file is uncommon; the vast majority of error logs, transfer logs, and transaction logs are streaming text, growing in size and reset only occasionally. You can monitor these log files quite easily.
The Log file monitoring capability is an integral part of the CO-sysmsg.exe program and is quite powerful. This function, by itself, might very well justify the installation of the CO-sysmsg.exe program irrespective of whether an administrator wants to monitor the native Windows event logs.
Additional Notes
- The BMC Defender Syslog Message service configuration file resides in the same directory as the CO-sysmsg.exe executable and is the CO-sysmsg.cnf file. By default, this file is located in the installationDirectory\wintools directory.
- This file is read on service startup and contains the name of the destination host, as well as other directives.
- The file does not need to be modified and comes ready-to-run. However, you can tailor the file with match patterns that filter and set the severities and facilities associated with event log messages.
- The file has an additional section (that does not require or interact with the event log monitors) that allows you to specify up to 50 different streaming log files to get monitored. This works independent of the event log monitor, and is extremely useful for instrumenting arbitrary system log files, such as those associated with Oracle and Apache.
- Log file paths (used by the log file monitor) can be dynamically derived to contain dates and times using standard time specifications incorporated as part of the pathname.
- Log file paths (used by the log file monitor) can contain wildcards (either an asterisk (*) to match multiple characters, or a question mark (?) to match a single character). In this case, the file that matches the wildcard and has been most recently modified on the system is used as the operant file.
- The agent provides a marker function that permits a "heartbeat" type indication to be sent at periodic intervals. This heartbeat can be used to schedule periodic activities, but cannot be coordinated with a particular time of day such as midnight or noon.
- The agent can send data to multiple IP Addresses using the AuxAddress directive. Zero to eight auxiliary addresses can be defined. These addresses are not authorized to reconfigure the agent remotely, and cannot be encrypted, but otherwise serve as destinations for all syslog messages generated by the program.
- The CO-sysmsg.log file contains a transcript of actions (and errors) encountered during the execution of the agent. This file is useful for diagnosing system-level problems. The file gets created in the same folder as the CO-sysmsg.exe program.
- The LogLocal directive within the CO-sysmsg.cnf configuration file can be used to log locally, in the CO-sysmsg.log file (described above), all messages sent. This directive also creates the CO-sysmsg.dbg file, useful for system-level diagnosis.
Other notes on Log File Monitor specifications
As discussed, each log file has its own specification. There is no auto value available for the DefaultSeverity statement in the log file specification, because, unlike the event logs, there is no obvious severity assigned to arbitrary text strings in a file. The operator must define these severities.
One useful technique for filtering out data that is not important is to set the DefaultSeverity for each log file to disabled. The default severity is applied only if no other severity specification is found. In this way, only those messages that have assigned severities are sent as syslog messages. This reduces the load on the syslog server, especially if there are many hundreds of log file monitors. The administrator can specifically target a key set of messages using this technique.
The LogStatChange directive permits you to monitor for the existence or modification of any file system object. You should not use this directive with any UseFacility or UseSeverity values, or any MatchKeywords. The directive permits the operator to watch for changes to critical file system objects, such as password files, configuration files, or directories.
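The path handling described in the Additional Notes (time fields and wildcards in the log file path, with the most recently modified match chosen) together with the DefaultSeverity disabled filtering technique above, modelled as an added example that is not the product's own code. Directive names follow this page; the strftime syntax, the keyword-pair data shape, and the first-match rule are assumptions.

```python
import glob
import os
import time

# Illustrative model of the log file monitor behaviour (not the product's code). Directive
# names follow the page; the Python data shapes, strftime syntax and matching rule are assumptions.

def resolve_log_path(pattern, now=None):
    """Expand strftime-style date/time fields, then return the most recently modified
    file matching any * or ? wildcard (None when nothing matches)."""
    expanded = time.strftime(pattern, time.localtime(now))
    matches = glob.glob(expanded)
    return max(matches, key=os.path.getmtime) if matches else None

SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

def classify(line, match_keywords, default_severity="disabled"):
    """Syslog severity number for one line, or None when the line is dropped.
    match_keywords: (keyword, severity name) pairs; first case-insensitive hit wins.
    With DefaultSeverity disabled, lines that match no keyword are never forwarded."""
    lowered = line.lower()
    for keyword, sev in match_keywords:
        if keyword.lower() in lowered:
            return SEVERITIES[sev]
    return None if default_severity == "disabled" else SEVERITIES[default_severity]

def filter_lines(lines, match_keywords, default_severity="disabled"):
    """Apply classify() to newly appended lines; returns (severity, line) for forwarded ones."""
    out = []
    for line in lines:
        sev = classify(line, match_keywords, default_severity)
        if sev is not None:
            out.append((sev, line.rstrip("\n")))
    return out

# Constructed sample: Apache-style error log lines and a keyword map that targets only
# the two message classes worth forwarding.
SAMPLE_LINES = [
    "[Mon Jan 01 00:00:01 2024] [notice] Apache configured -- resuming normal operations\n",
    "[Mon Jan 01 00:00:02 2024] [error] File does not exist: /var/www/html/favicon.ico\n",
    "[Mon Jan 01 00:00:03 2024] [crit] (28)No space left on device\n",
]
SAMPLE_KEYWORDS = [("[crit]", "crit"), ("[error]", "err")]
```

With the default left at disabled, filter_lines(SAMPLE_LINES, SAMPLE_KEYWORDS) forwards only the error and critical lines; setting default_severity to "info" forwards all three.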
Additional notes
- The BMC Defender FIM Adapter Agent monitors file changes: file additions, file deletions, and file modifications.
- The destination host address is configured in the CO-Fmon.cnf file, which resides in the same location as the CO-Fmon.exe program (by default, the C:\installationDirectory\wintools directory).
- The CO-Fmon.cnf file must exist in the directory and specifies a variety of parameters and configuration items, explained in detail in the next section.
- The CO-Fmon.exe program supports a variety of command-line options, including a -foreground option, for running the program in the foreground and for checking the configuration file after edits.