CO-sysmsg.cnf file
This topic provides an example of the CO-sysmsg.cnf file, which is the central configuration file of the BMC Defender syslog message service. An administrator or system developer can edit this file to specify the facility and severity codes used by the Event Log monitor.
The CO-sysmsg.cnf file contains detailed documentation about the configuration items. The default configuration that is created by the installation utility is adequate for most environments. However, you can modify values of the configuration items to create a highly customized installation that targets specific types of event log messages. For example, you might want to modify the configuration for the following items:
- Fine-tune the parameters of the syslog messages
- Monitor streaming log files in addition to the Windows event logs
- Change the location of the BMC Defender Server syslog destination
The configuration file is located in the C:\installationDirectory\wintools directory, alongside CO-sysmsg.exe, the BMC Defender syslog message Windows service. Replace installationDirectory with the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender.
You can modify the configuration file with a standard text editor or through the remote configuration functions, as detailed in the Remotely-configuring-BMC-Defender-Agent-for-Windows section.
If the system detects errors while reading the configuration file, they are logged to the CO-sysmsg.log file, in the same directory as the CO-sysmsg.exe program and CO-sysmsg.cnf file.
The following example shows the default CO-sysmsg.cnf configuration that comes with the system:
# CO-Sysmsg, BMC Defender Syslog Message Service Configuration File.
# Base Version: 6.2.01 (Standard Install Package)
# Agent Build Time: Thu Jun 27 20:05:13 2024 - V6.2.01-SPE2410
# Copyright (c) 2008 - 2024 BMC Software, Inc. http://www.bmc.com
# The following two items are the only items actually required.
# They are configured manually, or by the installation procedure,
# and are not affected by remote configuration operations.
DestinationAddress 127.0.0.1
DestinationPort 514
# Enable processing of Unicode character sets, True / False:
Unicode True
# Optionally add "AuxAddress" directives below, specifying additional
# IP addresses that will receive messages at the above Destination
# Port. Zero to eight AuxAddress values can be specified. To disable
# an auxiliary address, remove the directive, or set the directive
# value to a non-valid address value.
AuxAddress -1
# Parameters used for remote configuration of this process via the
# BMC Defender web interface. The user can comment these values out to
# disable remote configuration. The "ListenAuthMode" can take values
# 0=No Auth, 1=Source Address, 2=PassKey, 3=Address and Key. These
# values cannot be changed via remote configuration.
ListenAuthMode 0
ListenPassKey Default
ListenPort 55514
# Prefix all messages with the computer name.
MessagePrefix Location: %COMPUTERNAME% -
# Max message size in characters:
MaxMessageSize 1000
# Send this message periodically:
MarkerMessage Agent Running.
MarkerMinutes 30
# Enable encryption, True / False:
EncryptData False
#
# Output field delimiter
#
# Valid Input: Single Character or Word. Default is " - ".
#
# Delimiter value affects all output messages. Spaces will be added
# before and after the character or word.
#
# This value is appended to each event message field.
# The default is a " - " (dash with space character before and after).
# Valid input value is a single character or single word.
# Values passed here will have spaces added before and after the string or character.
# A value of 'None' will eliminate the output field delimiter entirely.
# A value of 'Space' will cause the delimiter to be one space character only.
#
# OutputDelimiter none
#
#
# Send JSON Output Messages
#
# Valid Input: True or False. Default is false.
#
# Setting affects all output messages. Set to true, all output Messages will
# be formatted as JSON with the event message strings and data used to populate
# the fields.
#
# When sending JSON messages, the normal Syslog formatted messages will not be sent.
#
# SendJsonMessages false
#
#
# Send Complete Windows Event Message Text
#
# Valid Input: True or False. Default is false.
#
# By default the agent will truncate event record text strings and send a summary.
# The extended text strings are detailed and verbose.
#
# CompleteEventText False
#
#
# The next section provides an optional list of log files, including
# the default facility and severities for messages, and any optional
# keywords that can override these default values.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
EventLog User Login Monitor
DefaultFacility audit
DefaultSeverity notice
UseSeverity warning
MatchKeyword console*login
UseSeverity info
MatchKeyword logout
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
EventLog User Process Monitor
DefaultFacility auth
DefaultSeverity notice
UseSeverity disabled
MatchKeyword process*closed
UseSeverity info
MatchKeyword process*open
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
EventLog Storage Path Monitor
DefaultFacility audit
DefaultSeverity info
UseSeverity error
MatchKeyword network
MatchKeyword removable
UseSeverity warning
MatchKeyword added
UseSeverity info
MatchKeyword removed
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
EventLog Disk Space Monitor
DefaultFacility system
DefaultSeverity auto
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
EventLog Application
DefaultFacility user
DefaultSeverity auto
UseSeverity debug
MatchKeyword software protection platform
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
EventLog System
DefaultFacility system
DefaultSeverity auto
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
EventLog Security
DefaultFacility security
DefaultSeverity disabled
UseSeverity disabled
MatchKeyword co-sysmsg.exe
UseSeverity error
MatchKeyword failure
MatchKeyword locked
UseSeverity warning
MatchKeyword granted
MatchKeyword group
MatchKeyword policy
UseSeverity notice
MatchKeyword logoff
MatchKeyword logon
MatchKeyword password
UseSeverity info
MatchKeyword firewall
MatchKeyword shutdown
MatchKeyword time
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
EventLog Directory Service
DefaultFacility local0
DefaultSeverity auto
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
EventLog DNS Server
DefaultFacility local1
DefaultSeverity auto
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
EventLog File Replication Service
DefaultFacility local2
DefaultSeverity auto
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
LogFile %windir%/WindowsUpdate.log
LogName Windows Update Log:
MaxSizeChange 500000
DefaultFacility news
DefaultSeverity disabled
UseSeverity info
MatchKeyword start
UseSeverity notice
MatchKeyword success
MatchKeyword found
MatchKeyword complete
UseSeverity warning
MatchKeyword warning
UseSeverity error
MatchKeyword error
MatchKeyword fatal
MatchKeyword fail
MatchKeyword critical
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
LogFile ../apache/logs/error.log
LogName Apache:
MaxSizeChange 500000
DefaultFacility network
DefaultSeverity disabled
UseSeverity notice
MatchKeyWord user* not found
UseSeverity warning
MatchKeyWord authentication failure
MatchKeyWord password mismatch
UseSeverity critical
MatchKeyWord admin * authentication failure
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Modified: 0000/00/00 00:00:00
# END OF FILE
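The following check is an added example, not part of the BMC documentation or product: a Python script that reads the global directives of a CO-sysmsg.cnf file and flags the remote-configuration listener and encryption settings described in the file's own comments. The function names, the finding texts, and the case-insensitive handling of directive names are assumptions, and the sample input is constructed from the defaults shown above.

```python
# Added example: audit listener and encryption directives in CO-sysmsg.cnf.
# Names and finding texts are illustrative; SAMPLE_CNF is constructed input.
SAMPLE_CNF = """\
# constructed sample, reduced from the default file shown above
DestinationAddress 127.0.0.1
DestinationPort 514
ListenAuthMode 0
ListenPassKey Default
ListenPort 55514
EncryptData False
# OutputDelimiter none
EventLog Security
DefaultFacility security
DefaultSeverity disabled
"""

# Values as documented in the configuration file comments.
AUTH_MODES = {"0": "No Auth", "1": "Source Address",
              "2": "PassKey", "3": "Address and Key"}


def parse_globals(text):
    """Return the directives that precede the first EventLog/LogFile section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and commented-out directives are inactive
        parts = line.split(None, 1)
        key = parts[0].lower()  # assumption: directive names ignore case
        if key in ("eventlog", "logfile"):
            break  # per-log sections begin here
        settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(text):
    """Return findings for the remote-configuration and encryption settings."""
    cfg, findings = parse_globals(text), []
    # The file comments say remote configuration is disabled by commenting
    # the Listen* values out, so an active ListenPort means it is enabled.
    if "listenport" in cfg:
        mode = cfg.get("listenauthmode")
        if mode == "0":
            findings.append("ListenAuthMode 0 (%s): remote configuration on port %s"
                            " is unauthenticated" % (AUTH_MODES[mode], cfg["listenport"]))
        if mode in ("2", "3") and cfg.get("listenpasskey") == "Default":
            findings.append("ListenPassKey is still 'Default' while mode %s (%s)"
                            " relies on it" % (mode, AUTH_MODES[mode]))
    if cfg.get("encryptdata", "").lower() == "false":
        findings.append("EncryptData False: encryption is disabled")
    return findings
```

To audit an installed agent, pass the contents of the CO-sysmsg.cnf file from the wintools directory to audit() instead of the constructed sample.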
You can find detailed notes about this file to support advanced applications and requirements in the following topics: