Chapter 4. Configuration of logging facilities
Prev   Next

Chapter 4. Configuration of logging facilities

Table of Contents

1. General
1.1. Severity levels
1.2. Classes
1.3. Error message customization
2. Available logging facilities
3. Activating logging facilities and filtering messages
4. E-mail
4.1. E-mail reports and their integrity
5. Log file
5.1. The log file and its integrity
6. Log server
6.1. Details
7. External facilities
8. Console
9. Prelude
9.1. Prelude-specific command-line options
9.2. Registering to a Prelude manager
10. Using samhain with nagios
11. Syslog
12. SQL Database
12.1. Upgrade to samhain 2.3
12.2. Upgrade to samhain 2.4.4
12.3. Upgrade to samhain 2.8.0+
12.4. Upgrade to samhain 4.0
12.5. MySQL configuration details

The configuration file for samhain is named samhainrc by default. Also by default, it is placed in /etc. (Name and location is configurable at compile time). The distribution package comes with a commented sample configuration file. The layout of the configuration file is described in more details in Section 1 .

1. General

Events(e.g. unauthorized modifications of files monitored by samhain ) will generate messages of some severity. These messages will be logged to all logging facilities, whose threshold is equal to, or lower than, the severity of the message.

1.1. Severity levels

The following severity levels are defined:

LevelSignificance
noneKeyword to switch off a looging facility (*).
debugDebugging-level messages.
infoInformational message.
noticeNormal conditions.
warnWarning conditions.
markTimestamps.
errError conditions.
critCritical conditions.
alertProgram startup/normal exit, or fatal error, causing abnormal program termination.
inetIncoming messages from clients (server only).

(*) the keyword 'none' can only be used as a threshold for logging facilities, to indicate that no messages shall be logged via that facility.

Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. The following events have configurable severities: (*) the keyword 'none' can only be used as a threshold for logging facilities, to indicate that no messages shall be logged via that facility.

  • (server only) failure to resolve a client address (section [Misc], option SeverityLookup)

  • policy violations (for monitored files)

  • access errors for files

  • access errors for directories

  • obscure file names (with non-printable characters) and/or invalid UIDs/GIDs (no such user/group)

  • login/logout events (if samhain is configured to monitor them)

Severity levels for events (see Section 1.1 ) are set in the EventSeverity and (for login/logout events) the Utmp sections of the configuration file.

In the configuration file, these can be set as follows:

	  [EventSeverity] 
	  # 
	  # these are policies 
	  # 
	  SeverityReadOnly=crit
	  SeverityLogFiles=crit 
	  SeverityGrowingLogs=warn
	  SeverityIgnoreNone=crit 
	  SeverityIgnoreAll=info 
	  # 
	  # these are access errors 
	  # 
	  SeverityFiles=err 
	  SeverityDirs=err 
	  # 
	  # these are obscure file names 
	  # and/or invalid UIDs/GIDs (no such user/group) 
	  # 
	  SeverityNames=info 
	  # 
	  # This is the section for login/logout monitoring 
	  # 
	  [Utmp]
	  SeverityLogin=notice 
	  SeverityLogout=notice 
	  # multiple logins by same user 
	  SeverityLoginMulti=err

1.2. Classes

Events of related type are grouped into classes. For each logging facility, it is possible to restrict logging to a subset of these classes (see Section 3 ). The available classes are:

ClassSignificance
EVENTEvents to be reported (i.e. policy violations, login/logout).
STARTStartup/stop messages.
STAMPTimestamp (heartbeat) messages.
LOGKEYThe key to verify the signed log file.
ERRORError messages.
OTHEREverything else (e.g. informational messages).
AUDSystem calls (for debugging).

The aforementioned classes represent a new, simplified classification scheme since version 1.8.2. The previous scheme (listed below) will still work, and both can be mixed.

ClassSignificance
AUDSystem calls.
RUNNormal run messages (e.g. startup, exit, ...)
STAMPTimestamps and alike.
FILMessages related to file integrity checking.
TCPMessages from the client/server subsystem.
PANICFatal errors, leading to program termination.
ERRError messages (general).
ENETError messages (network).
EINPUTError messages (input, e.g. configuration file).

1.3. Error message customization

It is possible to customize the initial part (the header of messages via the MessageHeader= "format" directive. Enclosing quotes are only required to protect leading/trailing space, and there is no need to escape quotes within the format string. The following placeholders are recognized:

%S

Severity of the message.

%T

Timestamp of the message.

%C

Class of the message.

%F

Source file where the message originates from.

%L

Line number (in the source file) where the message originates from.

%E

An error code that may provide additional information in case of internal errors.

In the configuration file, these can be set as follows:

	  [Misc] 
	  # 
	  # This is the default without XML 
	  # 
	  MessageHeader="%S %T " 
	  # 
	  # Default for XML-style messages. 
	  # Note that quotes within the format strings are NOT escaped in any way. 
	  # 
	  # MessageHeader="<log sev="%S" tstamp="%T"
Prev   Next
12. Support / Bugs / Problems Home 2. Available logging facilities