Appendix D. List of database fields

The database may hold (i) internal message from yule, the log server, and (ii) client messages. The latter result in two rows: one for the client message, and one for the server message recording the arrival of the client message, the originating remote host, and the timestamp. The different message types can be recognized by the log_ref field (see below).

Many database fields record details of files (see man stat ), before (_old) and after (_new) a detected modification. For some items, both numeric (iXXX) and string values are reported, because the translation between both is host-specific. This allows to perform updates of the file signature database(s) on the server side. Other fields are listed below. Basically, most of the fields supply additional information for log_msg if relevant.

1. General

log_index

Unique index of the message (primary key).

log_ref

Zero for internal server messages, NULL for messages received from a client, log_index(client_message) for server timestamp of client message.

log_host

The host where the message originates.

log_time

The timestamp of the message.

log_sev

The severity/priority of the message.

log_msg

The message itself.

log_hash

A checksum over the union of user-defineable fields.

entry_status

NEW for new entries. Used by the Beltane frontend to track the status of a message.

path

Path of a file (whenever a message refers to a file).

userid

UID of the current user if relevant (e.g. if access to a file fails).

grp

Name of a group (for messages reporting problems with a GID, e.g. no entry in /etc/group).

program

Name of the current process (startup message).

subroutine

Name of an internal subroutine (in messages reporting failure of a subroutine).

status

Exit status value of samhain.

hash

Checksum of configuration file (if gpg not used). Startup message.

path_data, hash_data

Path and checksum of data file (if gpg not used). Startup message.

key_uid, key_id

User ID and key id of GPG key used to sign the configuration file. Startup message.

key_uid_data

User ID of GPG key used to sign the data file (different keys for configuration and data file cause program abort). Startup failure message.

peer

Address of a connecting host.

obj

Generic field to hold additional information. Occasionally used.

interface

Name of a library routine/interface (error messages).

dir

Name of a directory, if relevant.

linked_path

In reports about dangling symlinks.

port

Port number (in reports about connections errors).

service

Logging facility or remote service (failure reports).