Configuration of logging facilities

The configuration file for samhain is named samhainrc by default. Also by default, it is placed in /etc. (Name and location is configurable at compile time). The distribution package comes with a commented sample configuration file. The layout of the configuration file is described in more details in the Section called General in the appendix called List of configuration file options.

Severity levels and classes of log messages

Events (e.g. unauthorized modifications of files monitored by samhain) will generate messages of some severity. These messages will be logged to all logging facilities, whose threshold is equal to, or lower than, the severity of the message.

Severity levels

The following severity levels are defined:

Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. The following events have configurable severities:

Severity levels for events (see the Section called Severity levels>) are set in the EventSeverity and (for login/logout events) the Utmp sections of the configuration file.

In the configuration file, these can be set as follows:

  [EventSeverity]  
  #  
  # these are policies  
  # 
  SeverityReadOnly=crit 
  SeverityLogFiles=crit
  SeverityGrowingLogs=warn 
  SeverityIgnoreNone=crit 
  SeverityIgnoreAll=info 
  #  
  # these are access errors 
  # 
  SeverityFiles=err 
  SeverityDirs=err 
  #  
  # these are obscure file names 
  # and/or invalid UIDs/GIDs (no such user/group) 
  # 
  SeverityNames=info 
  #  
  # This is the section for login/logout monitoring 
  # 
  [Utmp]  
  SeverityLogin=notice
  SeverityLogout=notice 
  # multiple logins by same user 
  SeverityLoginMulti=err