3. Activating logging facilities and filtering messages

All messages have a severity level (see Section 1.1) and a class (see Section 1.2), whose meanings are largely orthogonal:

The severity ranks messages with respect to their importance. Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. However, as importance is sometimes a matter of taste, some events have configurable severities (see Section 1).

Classes refer to the purpose/category of a message. As such, they should (ideally) be useful for excluding messages that are not interesting in some context (e.g. startup/stop messages may seem like useless noise if samhain is run from cron).

Obviously, as severity is a rank, the most natural way to exclude unwanted messages is to set a threshold. On the other hand, as the message class is a category, the most natural way to exclude messages is to list those message classes that you want.

Messages are only logged to a log facility if their severity is at least as high as the threshold of that facility, and their class is one of those wanted (by default: all). Thresholds and class lists can be specified individually for each facility.

[Tip] Switching on/off

Most log facilities are off by default, and need to be enabled by setting an appropriate threshold.

A threshold of none switches off the respective facility.

[Tip] Logging of client messages by the server

By default, messages received by the server are treated specially: they are always logged to the logfile, and never to mail or syslog. If you don't like that, use the option UseClientSeverity=yes (section [Misc]).

Thresholds and class lists are set in the [Log] section of the configuration file. For each threshold option FacilitySeverity there is also a corresponding option FacilityClass to limit that facility to messages within a given set of classes. The argument must be a list of valid message classes, separated by space or comma.

In fact, FacilitySeverity can take a list of severities with the optional specifiers '*', '!' or '=', which are interpreted as 'all', 'excluding' and 'only', respectively. Examples: specifying '*' is equivalent to specifying 'debug'; specifying '!*' is equivalent to specifying 'none'; 'info,!crit' is the range from 'info' to 'err' (excluding crit and above); and 'info,!=err' is info and above, but excluding (only) 'err'. This is the same scheme as used by the Linux syslogd (see man 5 syslogd).

System calls: certain system calls (execve, utime, unlink, dup (+ dup2), chdir, open, kill, exit (+ _exit), fork, setuid, setgid, pipe) can be logged (to console and syslog only). The set of system calls to log is selected with the option LogCalls=call1, call2, ... . By default this is off (nothing is logged). The priority is notice, and the class is AUD.

Example:

	[Log]
	#
	# Threshold for E-mails (none = switched off)
	# MailSeverity=none
	#
	# Threshold for log file
	#
	LogSeverity=err
	LogClass=RUN FIL STAMP
	#
	# Threshold for console
	#
	PrintSeverity=info
	#
	# Threshold for syslog (none = switched off)
	#
	SyslogSeverity=none
	#
	# Threshold for logging to Prelude (none = switched off)
	#
	PreludeSeverity=none
	#
	# Threshold for forwarding to the log server
	#
	ExportSeverity=crit
	#
	# Threshold for invoking an external program
	#
	ExternalSeverity=crit
	#
	# Threshold for logging to a SQL database
	#
	DatabaseSeverity=err
	#
	# System calls to log
	#
	LogCalls=open, kill
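As an added illustration (not part of the samhain manual or its code), the following Python models the filtering rules above: it expands a FacilitySeverity list with the '*', '!' and '=' specifiers, reads the [Log] example into per-facility filters, and reports which facilities would receive a message of a given severity and class. The severity ordering used (debug < info < notice < warn < mark < err < crit < alert) follows the manual's severity list, which this page does not reproduce, so treat it as an assumption.

```python
import re

# Added example, not samhain's code; level order per manual Section 1.1 (assumed).
SEVERITIES = ["debug", "info", "notice", "warn", "mark", "err", "crit", "alert"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}
# The page's example [Log] section, comment lines removed.
LOG_SECTION = ("[Log]\nLogSeverity=err\nLogClass=RUN FIL STAMP\n"
               "PrintSeverity=info\nSyslogSeverity=none\nPreludeSeverity=none\n"
               "ExportSeverity=crit\nExternalSeverity=crit\n"
               "DatabaseSeverity=err\nLogCalls=open, kill\n")

def parse_severity(spec):
    """Expand a FacilitySeverity list (syslogd style, left to right): 'level'
    is that level and above, '=level' only that level, '*' all, '!' removes."""
    accepted = set()
    for tok in filter(None, re.split(r"[\s,]+", spec.strip().lower())):
        negate, tok = tok.startswith("!"), tok.lstrip("!")
        only, level = tok.startswith("="), tok.lstrip("=")
        if level == "none":            # 'none' switches the facility off
            accepted.clear()
            continue
        if level == "*":
            chosen = set(SEVERITIES)
        elif only:
            chosen = {level}
        else:                          # unknown level names raise KeyError
            chosen = {s for s in SEVERITIES if RANK[s] >= RANK[level]}
        accepted = accepted - chosen if negate else accepted | chosen
    return accepted

def parse_log_section(text):
    """Map facility -> (accepted severities, wanted classes or None for all)."""
    facilities = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        m = re.fullmatch(r"(\w+?)(Severity|Class)", key.strip())
        if not m:                      # header, comments and LogCalls skipped
            continue
        sev, cls = facilities.get(m.group(1), (set(), None))
        if m.group(2) == "Severity":
            sev = parse_severity(value)
        else:
            cls = set(filter(None, re.split(r"[\s,]+", value.strip().upper())))
        facilities[m.group(1)] = (sev, cls)
    return facilities

def facilities_for(facilities, severity, msg_class):
    """Facilities that would log the message: severity accepted, class wanted."""
    return sorted(fac for fac, (sev, cls) in facilities.items()
                  if severity in sev and (cls is None or msg_class in cls))
```

With the example configuration, an 'err' message of class FIL reaches the logfile, console and database, while a 'crit' message of class AUD skips the logfile (class not listed) but is forwarded, passed to the external program, and written to the database.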