All messages have a severity level (see Section 1.1) and a class (see Section 1.2), whose meanings are largely orthogonal:
The severity ranks messages by importance. Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. However, since importance is sometimes a matter of taste, some events have configurable severities (see Section 1).
Classes refer to the purpose/category of a message. They are intended to let you exclude messages that are not interesting in some context (e.g. startup/stop messages are just noise if samhain is run from cron).
Obviously, as severity is a rank, the most natural way to exclude unwanted messages is to set a threshold. On the other hand, as the message class is a category, the most natural way to exclude messages is to list those message classes that you want.
Messages are only logged to a log facility if their severity is at least as high as the threshold of that facility, and their class is one of those wanted (by default: all). Thresholds and class lists can be specified individually for each facility.
Switching on/off: Most log facilities are off by default and must be enabled by setting an appropriate threshold. A threshold of none switches the respective facility off.

Logging of client messages by the server: By default, messages received by the server are treated specially: they are always logged to the logfile, and never to mail or syslog. If you don't like that, use the option UseClientSeverity=yes (section [Misc]).
Thresholds and class lists are set in the [Log] section of the configuration file. For each threshold option FacilitySeverity (e.g. LogSeverity) there is also a corresponding option FacilityClass (e.g. LogClass) that limits the facility to messages within a given set of classes. The argument must be a list of valid message classes, separated by spaces or commas.
Actually, FacilitySeverity can take a list of severities with the optional specifiers '*', '!', or '=', which are interpreted as 'all', 'excluding', and 'only', respectively. Examples: '*' is equivalent to 'debug' (everything); '!*' is equivalent to 'none'; 'info,!crit' is the range from 'info' to 'err' (excluding crit and above); and 'info,!=err' is info and above, but excluding only 'err'. This is the same selector scheme used by the Linux syslogd (see the syslog.conf(5) man page).
System calls: certain system calls (execve, utime, unlink, dup (and dup2), chdir, open, kill, exit (and _exit), fork, setuid, setgid, pipe) can be logged, but only to the console and to syslog. The set of system calls to log is selected with the option LogCalls=call1, call2, .... By default this is off (nothing is logged). These messages have the fixed priority notice and the class AUD, so the console or syslog threshold must be notice or lower (e.g. info) for them to appear at all.
Example:

```ini
[Log]
#
# Threshold for E-mails (none = switched off)
#
MailSeverity=none
#
# Threshold for log file
#
LogSeverity=err
LogClass=RUN FIL STAMP
#
# Threshold for console
#
PrintSeverity=info
#
# Threshold for syslog (none = switched off)
#
SyslogSeverity=none
#
# Threshold for logging to Prelude (none = switched off)
#
PreludeSeverity=none
#
# Threshold for forwarding to the log server
#
ExportSeverity=crit
#
# Threshold for invoking an external program
#
ExternalSeverity=crit
#
# Threshold for logging to a SQL database
#
DatabaseSeverity=err
#
# System calls to log
#
LogCalls=open, kill
```
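To make the threshold and class rules concrete, here is an added Python example (not samhain's own code, and not taken from the manual) that resolves FacilitySeverity values with the '*', '!' and '=' specifiers, applies a FacilityClass list, and routes a few constructed messages through the facilities of the sample [Log] section above. The severity order debug < info < notice < warn < mark < err < crit < alert is the ordering from samhain's severity section and is assumed here; the function and class names are this example's own.

```python
"""Resolve samhain-style FacilitySeverity / FacilityClass settings and
route messages accordingly. Added illustration, not samhain's own code."""

# Severity order as documented by samhain, lowest first (assumed here).
SEVERITIES = ["debug", "info", "notice", "warn", "mark", "err", "crit", "alert"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}


def _split(spec):
    """Split a setting value on commas and/or whitespace."""
    return spec.replace(",", " ").split()


def parse_severity_spec(spec):
    """Return the set of severities a FacilitySeverity value lets through.

    A plain level means 'that level and above'; '*' means all (== debug);
    '!X' removes X and above; '!=X' removes only X; '=X' adds only X;
    'none' adds nothing, so a facility set to none is switched off.
    """
    accepted, excluded = set(), set()
    for term in _split(spec):
        negate = term.startswith("!")
        if negate:
            term = term[1:]
        only = term.startswith("=")
        if only:
            term = term[1:]
        term = term.lower()
        if term == "*":
            levels = set(SEVERITIES)
        elif term == "none":
            levels = set()
        elif term in RANK:
            levels = {term} if only else set(SEVERITIES[RANK[term]:])
        else:
            raise ValueError("unknown severity %r in %r" % (term, spec))
        (excluded if negate else accepted).update(levels)
    return accepted - excluded


def parse_class_list(spec):
    """Return the set of accepted classes, or None meaning 'all classes'."""
    return set(c.upper() for c in _split(spec)) if spec else None


class Facility:
    """One log facility with its severity threshold and optional class list."""

    def __init__(self, name, severity_spec, class_spec=None):
        self.name = name
        self.severities = parse_severity_spec(severity_spec)
        self.classes = parse_class_list(class_spec)

    @property
    def enabled(self):
        # An empty accepted set (e.g. 'none' or '!*') means the facility is off.
        return bool(self.severities)

    def accepts(self, severity, msg_class):
        return (severity.lower() in self.severities
                and (self.classes is None or msg_class.upper() in self.classes))


def route(facilities, messages):
    """Map each facility name to the list of message texts it would receive."""
    out = {f.name: [] for f in facilities}
    for severity, msg_class, text in messages:
        for f in facilities:
            if f.accepts(severity, msg_class):
                out[f.name].append(text)
    return out


# Facilities as configured in the sample [Log] section (Prelude/External omitted).
SAMPLE_FACILITIES = [
    Facility("mail", "none"),
    Facility("log", "err", "RUN FIL STAMP"),
    Facility("console", "info"),
    Facility("syslog", "none"),
    Facility("export", "crit"),
    Facility("database", "err"),
]

# Constructed messages: (severity, class, text). Not real samhain output.
SAMPLE_MESSAGES = [
    ("mark", "STAMP", "timestamp (STAMP, mark)"),
    ("err", "RUN", "constructed RUN message at err"),
    ("crit", "FIL", "constructed FIL message at crit"),
    ("notice", "AUD", "constructed LogCalls entry (AUD, notice)"),
]

if __name__ == "__main__":
    for name, texts in route(SAMPLE_FACILITIES, SAMPLE_MESSAGES).items():
        print("%-8s %s" % (name, texts if texts else "(switched off or nothing matched)"))
```

With the sample settings the timestamp (severity mark) never reaches the logfile because mark ranks below err, and a crit message of a class outside RUN FIL STAMP is dropped by the logfile's class list even though its severity passes; the console, with PrintSeverity=info and no class list, receives everything.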