Samhain | ||
---|---|---|
<<< Previous | Next >>> |
The configuration file for samhain is named samhainrc by default. Also by default, it is placed in /etc. (Name and location is configurable at compile time). The distribution package comes with a commented sample configuration file. The layout of the configuration file is described in more details in the Section called General in the appendix called List of configuration file options.
Events (e.g. unauthorized modifications of files monitored by samhain) will generate messages of some severity. These messages will be logged to all logging facilities, whose threshold is equal to, or lower than, the severity of the message.
The following severity levels are defined:
Level | Significance |
---|---|
none | Not logged. |
debug | Debugging-level messages. |
info | Informational message. |
notice | Normal conditions. |
warn | Warning conditions. |
mark | Timestamps. |
err | Error conditions. |
crit | Critical conditions. |
alert | Program startup/normal exit, or fatal error, causing abnormal program termination. |
inet | Incoming messages from clients (server only). |
Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. The following events have configurable severities:
(server only) failure to resolve a client address (section [Misc], option SeverityLookup)
policy violations (for monitored files)
access errors for files
access errors for directories
obscure file names (with non-printable characters) and/or invalid UIDs/GIDs (no such user/group)
login/logout events (if samhain is configured to monitor them)
Severity levels for events (see the Section called Severity levels>) are set in the EventSeverity and (for login/logout events) the Utmp sections of the configuration file.
In the configuration file, these can be set as follows:
[EventSeverity] # # these are policies # SeverityReadOnly=crit SeverityLogFiles=crit SeverityGrowingLogs=warn SeverityIgnoreNone=crit SeverityIgnoreAll=info # # these are access errors # SeverityFiles=err SeverityDirs=err # # these are obscure file names # and/or invalid UIDs/GIDs (no such user/group) # SeverityNames=info # # This is the section for login/logout monitoring # [Utmp] SeverityLogin=notice SeverityLogout=notice # multiple logins by same user SeverityLoginMulti=err |
Events of related type are grouped into classes. For each logging facility, it is possible to restrict logging to a subset of these classes (see the Section called Activating logging facilities and filtering messages>). The available classes are:
Class | Significance |
---|---|
EVENT | Events to be reported (i.e. policy violations, login/logout). |
START | Startup/stop messages. |
STAMP | Timestamp (heartbeat) messages. |
LOGKEY | The key to verify the signed log file. |
ERROR | Error messages. |
OTHER | Everything else (e.g. informational messages). |
AUD | System calls (for debugging). |
The aforementioned classes represent a new, simplified classification scheme since version 1.8.2. The previous scheme (listed below) will still work, and both can be mixed.
Class | Significance |
---|---|
AUD | System calls. |
RUN | Normal run messages (e.g. startup, exit, ...) |
STAMP | Timestamps and alike. |
FIL | Messages related to file integrity checking. |
TCP | Messages from the client/server subsystem. |
PANIC | Fatal errors, leading to program termination. |
ERR | Error messages (general). |
ENET | Error messages (network). |
EINPUT | Error messages (input, e.g. configuration file). |
<<< Previous | Home | Next >>> |
Support / Bugs / Problems | Overview of logging facilities |