2. Available logging facilities

samhain supports the following facilities for logging:

  • e-mail — samhain uses built-in SMTP code, rather than an external mailer program. E-mails are signed to prevent forging.

  • syslog — The system logging utility.

  • console — If running as daemon, /dev/console is used, otherwise stderr. /dev/console can be replaced by other devices, including a FIFO.

  • log file — Entries are signed to provide tamper-resistance.

  • log server — samhain uses TCP/IP with strong authentication and signed and encrypted messages.

  • external — samhain can be configured to invoke external programs for logging and/or taking some action upon certain conditions.

  • SQL db — Currently samhain supports MySQL, PostgreSQL, Oracle, and unixODBC.

  • Prelude — samhain can be compiled with support for the Prelude IDS, i.e. it can be used as a Prelude sensor.

Each of these logging facilities has to be activated by setting an appropriate threshold on the messages to be logged by this facility.

Note

In addition, some of these facilities require proper settings in the configuration file (see next sections).
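As an added illustration (not part of this manual page), the following samhainrc fragment shows how per-facility thresholds switch facilities on and off. The option names in the [Log] section and the severity keywords are assumed from samhain's own configuration file format; "none" disables a facility, any other value enables it for messages at that severity or above.

```ini
[Log]
## Per-facility thresholds (assumed samhainrc option names).
## A facility is active only when its threshold is not "none";
## it then receives every message at that severity or higher.

# e-mail: only critical and alert messages, to keep mail volume low
MailSeverity=crit

# signed log file: "mark" and above, so timestamps and all alerts are recorded
LogSeverity=mark

# syslog: disabled here; enable if a central syslog collector is in use
SyslogSeverity=none

# console (/dev/console as daemon, stderr otherwise): everything from info up
PrintSeverity=info

# log server (yule): disabled until a server is configured in the client section
ExportSeverity=none

# external programs: disabled until an [External] section defines one
ExternalSeverity=none

# SQL database: disabled until a [Database] section defines the connection
DatabaseSeverity=none

# Prelude sensor: disabled unless samhain was built with Prelude support
PreludeSeverity=none
```

A facility left at "none" never receives a message regardless of other settings, so a missing alert is usually a threshold set too high (or left at "none") rather than a delivery fault.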