samhain supports the following facilities for logging:
e-mail — samhain uses built-in SMTP code, rather than an external mailer program. E-mails are signed to prevent forging.
syslog — The system logging utility.
console — If running as
used, otherwise stderr.
/dev/console can be
replaced by other devices, including a FIFO.
log file — Entries are signed to provide tamper-resistance.
log server — samhain uses TCP/IP with strong authentication and signed and encrypted messages.
external — samhain can be configured to invoke external programs for logging and/or taking some action upon certain conditions.
SQL db — Currently samhain supports MySQL, PostgreSQL, Oracle, and unixODBC.
Prelude — samhain can be compiled with support for the Prelude IDS, i.e. it can be used as a Prelude sensor.
Each of these logging facilities has to be activated by setting an appropriate threshold on the messages to be logged by this facility.
In addition, some of these facilities require proper settings in the configuration file (see next sections).