Samhain: Configuration of logging facilities
All messages have a severity level (see the Section called Severity levels) and a class (see the Section called Classes), with somewhat orthogonal meaning:

- The severity ranks messages with respect to their importance. Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. However, as importance sometimes is a matter of taste, some events have configurable severities (see the Section called Severity levels and classes of log messages).
- Classes refer to the purpose/category of a message. As such, they should (ideally) be useful to exclude messages that are not interesting in some context (e.g. startup/stop messages may seem useless noise if samhain is run from cron).
Obviously, as severity is a rank, the most natural way to exclude unwanted messages is to set a threshold. On the other hand, as the message class is a category, the most natural way to exclude messages is to list those message classes that you want.
Messages are only logged to a log facility if their severity is at least as high as the threshold of that facility, and their class is one of those wanted (by default: all). Thresholds and class lists can be specified individually for each facility.
CAVEAT: Most log facilities are off by default.

TIP: A threshold of none switches off the respective facility.

TIP (server only): By default, messages received by the server are treated specially, and are always logged to the logfile, and never to mail or syslog. If you don't like that, use the option UseClientSeverity=yes (section [Misc]).
Thresholds and class lists are set in the Log section of the configuration file. For each threshold option FacilitySeverity there is also a corresponding option FacilityClass to limit that facility to messages within a given set of classes. The argument must be a list of valid message classes, separated by space or comma.
System calls: certain system calls (execve, utime, unlink, dup (+ dup2), chdir, open, kill, exit (+ _exit), fork, setuid, setgid, pipe) can be logged (only to console and syslog). You can determine the set of system calls to log via the option LogCalls=call1, call2, .... By default, this is off (nothing is logged). The priority is notice, and the class is AUD.
Example:

```
[Log]
#
# Threshold for E-mails (none = switched off)
#
MailSeverity=none
#
# Threshold for log file
#
LogSeverity=err
LogClass=RUN FIL STAMP
#
# Threshold for console
#
PrintSeverity=info
#
# Threshold for syslog (none = switched off)
#
SyslogSeverity=none
#
# Threshold for logging to Prelude (none = switched off)
#
PreludeSeverity=none
#
# Threshold for forwarding to the log server
#
ExportSeverity=crit
#
# Threshold for invoking an external program
#
ExternalSeverity=crit
#
# Threshold for logging to a SQL database
#
DatabaseSeverity=err
#
# System calls to log
#
LogCalls=open, kill
```
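The filtering rule above (severity at least the facility's threshold, class in the facility's list if one is set, facilities without a threshold off) and the LogCalls option are easy to get subtly wrong when writing a [Log] section, so here is an added simulator that parses a config in this format and reports which facilities a given message would reach. It is example code written for this page, not part of samhain; it embeds the [Log] example above as its input. The ordering of the severity names (debug, info, notice, warn, mark, err, crit, alert) is assumed here and should be checked against the Severity levels section; the facility names are simply the prefixes of the FacilitySeverity options found in the config.

```python
"""Simulate samhain's per-facility log routing (added example, not samhain code).

A message reaches a facility only if its severity is at least the facility's
FacilitySeverity threshold and, when FacilityClass is set, its class is listed.
Facilities with no threshold in the config are treated as off (the default).
"""
import re
from typing import Dict, List, Optional, Set

# Severity ranks, lowest to highest.  This ordering is an assumption made for
# the example; verify it against the manual's "Severity levels" section.
SEVERITY_RANK = {
    "debug": 1, "info": 2, "notice": 3, "warn": 4,
    "mark": 5, "err": 6, "crit": 7, "alert": 8,
}
OFF = len(SEVERITY_RANK) + 1      # rank of the pseudo-level "none": nothing passes

# Logged system calls go only to console (Print*) and syslog (Syslog*).
SYSCALL_FACILITIES = ("Print", "Syslog")

# The [Log] example from this manual page, used as the configuration under test.
EXAMPLE_CONFIG = """
[Log]
# Thresholds (none = switched off); LogClass limits the log file to these classes
MailSeverity=none
LogSeverity=err
LogClass=RUN FIL STAMP
PrintSeverity=info
SyslogSeverity=none
PreludeSeverity=none
ExportSeverity=crit
ExternalSeverity=crit
DatabaseSeverity=err
LogCalls=open, kill
"""


def _split_list(value: str) -> List[str]:
    """Split a space- or comma-separated option value."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def parse_log_section(text: str) -> Dict[str, object]:
    """Parse the [Log] section: facility thresholds, class lists and LogCalls."""
    facilities: Dict[str, Dict[str, Optional[Set[str]]]] = {}
    syscalls: Set[str] = set()
    in_log = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_log = line[1:-1].strip().lower() == "log"
            continue
        if not in_log or "=" not in line:
            continue                                  # other sections ignored
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "LogCalls":
            syscalls.update(c.lower() for c in _split_list(value))
            continue
        match = re.fullmatch(r"(\w+?)(Severity|Class)", key)
        if not match:
            continue                                  # not a routing option
        facility, kind = match.group(1), match.group(2)
        entry = facilities.setdefault(facility, {"severity": "none", "classes": None})
        if kind == "Severity":
            entry["severity"] = value.lower()
        else:
            entry["classes"] = {c.upper() for c in _split_list(value)}
    return {"facilities": facilities, "syscalls": syscalls}


def _rank(level: str) -> int:
    if level == "none":
        return OFF
    if level not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {level!r}")
    return SEVERITY_RANK[level]


def facilities_for(severity: str, msg_class: str, config) -> List[str]:
    """Names of the facilities that would log a message of this severity/class."""
    if severity not in SEVERITY_RANK:
        raise ValueError(f"messages cannot have severity {severity!r}")
    out = []
    for name, entry in config["facilities"].items():
        if _rank(severity) < _rank(entry["severity"]):
            continue                                  # below threshold, or facility off
        classes = entry["classes"]
        if classes is not None and msg_class.upper() not in classes:
            continue                                  # class not in the wanted list
        out.append(name)
    return sorted(out)


def facilities_for_syscall(call: str, config) -> List[str]:
    """Routing of a logged system call: listed in LogCalls, priority notice,
    class AUD, console and syslog only (as the page states)."""
    if call.lower() not in config["syscalls"]:
        return []
    return [f for f in facilities_for("notice", "AUD", config) if f in SYSCALL_FACILITIES]


if __name__ == "__main__":
    cfg = parse_log_section(EXAMPLE_CONFIG)
    # Constructed sample messages: (severity, class)
    for sev, cls in [("err", "FIL"), ("crit", "AUD"), ("mark", "STAMP"), ("debug", "RUN")]:
        print(f"{sev:6s} {cls:6s} -> {facilities_for(sev, cls, cfg)}")
    print("syscall open  ->", facilities_for_syscall("open", cfg))
    print("syscall execve ->", facilities_for_syscall("execve", cfg))
```

Running it shows, for instance, that a crit AUD message never reaches the log file with this config, because LogClass lists only RUN, FIL and STAMP, while a mark-level timestamp (class STAMP) reaches only the console since err is the log file threshold; logged system calls reach the console but not syslog, whose threshold is none.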