CO-sysmsg.cnf file


This topic provides an example of the CO-sysmsg.cnf file, which is the central configuration file of the BMC Defender syslog message service. An administrator or system developer can edit this file to specify the facility and severity codes used by the Event Log monitor.

The CO-sysmsg.cnf file contains detailed documentation about the configuration items. The default configuration that is created by the installation utility is adequate for most environments. However, you can modify values of the configuration items to create a highly customized installation that targets specific types of event log messages. For example, you might want to modify the configuration for the following items:

  • Fine-tune the parameters of the syslog messages
  • Monitor streaming log files in addition to the Windows event logs
  • Change the location of the BMC Defender Server syslog destination

The configuration file is located in the C:\installationDirectory\wintools directory, which corresponds to the BMC Defender syslog message Windows service, CO-sysmsg.exe. Replace installationDirectory with the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender.

You can modify the configuration file with a standard text editor or through the remote configuration functions as detailed in the Remotely-configuring-BMC-Defender-Agent-for-Windows section.

Note

If you manually edit the configuration file, you must stop and restart the CO-sysmsg.exe service.

If you change the configuration file through a remote configuration operation, no restart of the CO-sysmsg.exe program is required.

If the system detects errors while reading the configuration file, they are logged to the CO-sysmsg.log file, in the same directory as the CO-sysmsg.exe program and CO-sysmsg.cnf file.

The following listing shows the default configuration file that ships with the system.

Default CO-sysmsg.cnf file

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# CO-Sysmsg, BMC Defender Syslog Message Service Configuration File.
# Base Version: 6.1.00 (Standard Install Package)
# Copyright 2008 - 2018, CorreLog, Inc.
# Copyright 2018 - 2020, BMC Software, Inc. http://www.bmc.com
# All rights reserved.

# The following two items are the only items actually required.
# They are configured manually, or by the installation procedure,
# and are not affected by remote configuration operations.
DestinationAddress  127.0.0.1
DestinationPort     514

# Enable processing of Unicode character sets, True / False:
Unicode             True

# Optionally add "AuxAddress" directives below, specifying additional
# IP addresses that will receive messages at the above Destination
# Port. Zero to eight AuxAddress values can be specified. To disable
# an auxiliary address, remove the directive, or set the directive
# value to a non-valid address value.
AuxAddress          -1

# Parameters used for remote configuration of this process via the
# BMC Defender web interface. The user can comment these values out to
# disable remote configuration. The "ListenAuthMode" can take values
# 0=No Auth, 1=Source Address, 2=PassKey, 3=Address and Key. These
# values cannot be changed via remote configuration.
ListenAuthMode      0
ListenPassKey       Default
ListenPort          55514

# Prefix all messages with the computer name.
MessagePrefix       Location: %COMPUTERNAME% -

# Max message size in characters:
MaxMessageSize      1000

# Send this message periodically:
MarkerMessage       Agent Running.
MarkerMinutes       30

# Enable encryption, True / False:
EncryptData         False

#
# Output field delimiter
#
# Valid Input: Single Character or Word.  Default is " - ".
#
# Delimiter value affects all output messages.  Spaces will be added
# before and after the character or word.
#
# This value is appended to each event message field.
# The default is a " - " (dash with space character before and after).
# Valid input value is a single character or single word.
# Values passed here will have spaces added before and after the string or character.
# A value of 'None' will eliminate the output field delimiter entirely.
# A value of 'Space' will cause the delimiter to be one space character only.
#
# OutputDelimiter none
#

#
# Send JSON Output Messages
#
# Valid Input: True or False.  Default is false.
#
# Setting affects all output messages.  Set to true, all output Messages will
# be formatted as JSON with the event message strings and data used to populate
# the fields.
#
# When sending JSON messages, the normal Syslog formatted messages will not be sent.
#
# SendJsonMessages false
#

# The next section provides an optional list of log files, including
# the default facility and severities for messages, and any optional
# keywords that can override these default values.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

EventLog            User Login Monitor
DefaultFacility     audit
DefaultSeverity     notice

UseSeverity         warning
MatchKeyword        console*login

UseSeverity         info
MatchKeyword        logout

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

EventLog            User Process Monitor
DefaultFacility     auth
DefaultSeverity     notice

UseSeverity         disabled
MatchKeyword        process*closed

UseSeverity         info
MatchKeyword        process*open

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

EventLog            Storage Path Monitor
DefaultFacility     audit
DefaultSeverity     info

UseSeverity         error
MatchKeyword        network
MatchKeyword        removable

UseSeverity         warning
MatchKeyword        added

UseSeverity         info
MatchKeyword        removed

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

EventLog            Disk Space Monitor
DefaultFacility     system
DefaultSeverity     auto

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

EventLog            Application
DefaultFacility     user
DefaultSeverity     auto

UseSeverity         debug
MatchKeyword        software protection platform

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

EventLog            System
DefaultFacility     system
DefaultSeverity     auto

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

EventLog            Security
DefaultFacility     security
DefaultSeverity     disabled

UseSeverity         disabled
MatchKeyword        co-sysmsg.exe

UseSeverity         error
MatchKeyword        failure
MatchKeyword        locked

UseSeverity         warning
MatchKeyword        granted
MatchKeyword        group
MatchKeyword        policy

UseSeverity         notice
MatchKeyword        logoff
MatchKeyword        logon
MatchKeyword        password

UseSeverity         info
MatchKeyword        firewall
MatchKeyword        shutdown
MatchKeyword        time

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

EventLog            Directory Service
DefaultFacility     local0
DefaultSeverity     auto

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

EventLog            DNS Server
DefaultFacility     local1
DefaultSeverity     auto

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

EventLog            File Replication Service
DefaultFacility     local2
DefaultSeverity     auto

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

LogFile             %windir%/WindowsUpdate.log
LogName             Windows Update Log:
MaxSizeChange       500000
DefaultFacility     news
DefaultSeverity     disabled

UseSeverity         info
MatchKeyword        start

UseSeverity         notice
MatchKeyword        success
MatchKeyword        found
MatchKeyword        complete

UseSeverity         warning
MatchKeyword        warning

UseSeverity         error
MatchKeyword        error
MatchKeyword        fatal
MatchKeyword        fail
MatchKeyword        critical

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

LogFile             ../apache/logs/error.log
LogName             Apache:
MaxSizeChange       500000
DefaultFacility     network
DefaultSeverity     disabled

UseSeverity         notice
MatchKeyWord        user* not found

UseSeverity         warning
MatchKeyWord        authentication failure
MatchKeyWord        password mismatch

UseSeverity         critical
MatchKeyWord        admin * authentication failure

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Modified: 0000/00/00 00:00:00
# END OF FILE
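As an added illustration (not the product's own code or parser), the following Python reads a constructed excerpt in this file's layout and shows how the DefaultFacility/DefaultSeverity values and the UseSeverity/MatchKeyword overrides combine to decide the facility and severity a message is forwarded with, or whether it is dropped. It assumes that `*` in a keyword is a wildcard, that matching is case-insensitive substring matching, and that the last matching keyword rule wins; the agent's actual precedence rules are not documented on this page.

```python
import fnmatch
# Constructed excerpt in the CO-sysmsg.cnf layout shown above (not the full file).
SAMPLE_CNF = """
EventLog            Security
DefaultFacility     security
DefaultSeverity     disabled
UseSeverity         disabled
MatchKeyword        co-sysmsg.exe
UseSeverity         error
MatchKeyword        failure

LogFile             ../apache/logs/error.log
DefaultFacility     network
DefaultSeverity     disabled
UseSeverity         warning
MatchKeyWord        authentication failure
UseSeverity         critical
MatchKeyWord        admin * authentication failure
"""
def parse_cnf(text):
    """Split EventLog/LogFile sections into default codes plus (keyword, severity) rules."""
    sections, cur, sev = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()   # the file uses both MatchKeyword and MatchKeyWord
        if key in ("eventlog", "logfile"):
            sections.append(cur := {"source": val, "facility": None, "severity": None, "rules": []})
        elif key == "defaultfacility":
            cur["facility"] = val
        elif key == "defaultseverity":
            cur["severity"] = val
        elif key == "useseverity":
            sev = val                         # applies to every MatchKeyword that follows it
        elif key == "matchkeyword":
            cur["rules"].append((val.lower(), sev))
    return sections

def classify(section, message):
    """Return (facility, severity) for a message, or None if it would not be forwarded."""
    # Assumptions: '*' is a wildcard, matching is case-insensitive substring matching,
    # and the LAST matching rule wins so a more specific rule listed later overrides.
    severity = section["severity"]
    for pattern, sev in section["rules"]:
        if fnmatch.fnmatchcase(message.lower(), "*" + pattern + "*"):
            severity = sev
    return None if severity == "disabled" else (section["facility"], severity)
```

Note that with DefaultSeverity set to disabled, a Security event that matches no keyword is never sent, which is why the keyword list for that log deserves review when new audit categories are enabled.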

You can find detailed notes about this file to support advanced applications and requirements in the following topics:
