All messages have a severity level (see Section 1.1 ) and a class (see Section 1.2 ), with somewhat orthogonal meaning:
The severity ranks messages with respect to their importance. Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. However, as importance sometimes is a matter of taste, some events have configurable severities (see Section 1 ).
Classes refer to the purpose/category of a message. As such, they should (ideally) be useful to exclude messages that are not interesting in some context (e.g. startup/stop messages may seem useless noise if samhain is run from cron).
Obviously, as severity is a rank, the most natural way to exclude unwanted messages is to set a threshold. On the other hand, as the message class is a category, the most natural way to exclude messages is to list those message classes that you want.
Messages are only logged to a log facility if their severity is at least as high as the threshold of that facility, and their class is one of those wanted (by default: all). Thresholds and class lists can be specified individually for each facility.
![[Tip]](stylesheet-images/tip.png) | Switching on/off |
|---|---|
Most log facilities are off by default, and need to be enabled by setting an appropriate threshold. A threshold of none switches off the respective facility. |
| Logging of client messages by the server |
|---|---|
By default, messages received by the server are treated specially, and are always logged to the logfile, and never to mail or syslog. If you don't like that, use the option UseClientSeverity=yes(section [Misc]). |
Thresholds and class lists are set in the
Log section of the configuration file.
For each threshold option
FacilitySeverity there is
also a corresponding option
FacilityClass to limit
that facility to messages within a given set of class. The
argument must be a list of valid message classes, separated
by space or comma.
Actually, the
FacilitySeverity can take
a list of severities with optional specifiers '*', '!', or
'=', which are interpreted as 'all', 'excluding', and 'only',
respectively. Examples: specifying '*' is equal to specify
'debug'; specifying '!*' is equal to specifying 'none';
'info,!crit' is the range from 'info' to 'err' (excluding
crit and above); and 'info,!=err' is info and above, but
excluding (only) 'err'. This is the same scheme as used by
the Linux syslogd (see man 5 syslogd).
System calls: certain system calls
(execve, utime, unlink, dup (+ dup2), chdir, open, kill, exit
(+ _exit), fork, setuid, setgid, pipe) can be logged (only to
console and syslog). You can determine the set of system
calls to log via the option
LogCalls=
call1, call2, ... . By
default, this is off (nothing is logged). The priority is
notice, and the class is AUD.
Example:
[Log]
#
# Threshold for E-mails (none = switched off)
# MailSeverity=none
#
# Threshold for log file
#
LogSeverity=err
LogClass=RUN FIL STAMP
#
# Threshold for console
#
PrintSeverity=info
#
# Threshold for syslog (none = switched off)
#
SyslogSeverity=none
#
# Threshold for logging to Prelude (none = switched off)
#
PreludeSeverity=none
#
# Threshold for forwarding to the log server
#
ExportSeverity=crit
#
# Threshold for invoking an external program
#
ExternalSeverity=crit
#
# Threshold for logging to a SQL database
#
DatabaseSeverity=err
#
# System calls to log
#
LogCalls=open, kill