All messages have a severity level (see Section 4.1.1) and a class (see Section 4.1.2), with somewhat orthogonal meaning:
The severity ranks messages with respect to their importance. Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. However, as importance is sometimes a matter of taste, some events have configurable severities (see Section 4.1).
Classes refer to the purpose/category of a message. As such, they should (ideally) be useful to exclude messages that are not interesting in some context (e.g. startup/stop messages may seem like useless noise if samhain is run from cron).
Obviously, as severity is a rank, the most natural way to exclude unwanted messages is to set a threshold. On the other hand, as the message class is a category, the most natural way to exclude messages is to list those message classes that you want.
Messages are only logged to a log facility if their severity is at least as high as the threshold of that facility, and their class is one of those wanted (by default: all). Thresholds and class lists can be specified individually for each facility.
| CAVEAT |
|---|
| Most log facilities are off by default. |

| TIP |
|---|
| A threshold of none switches off the respective facility. |

| TIP (server only) |
|---|
| By default, messages received by the server are treated specially: they are always logged to the logfile, and never to mail or syslog. If you don't like that, use the option UseClientSeverity=yes (section [Misc]). |
Thresholds and class lists are set in the Log section of the configuration file. For each threshold option FacilitySeverity there is also a corresponding option FacilityClass to limit that facility to messages within a given set of classes. The argument must be a list of valid message classes, separated by space or comma.
Actually, FacilitySeverity can take a list of severities with the optional specifiers '*', '!', or '=', which are interpreted as 'all', 'excluding', and 'only', respectively. Examples: specifying '*' is equal to specifying 'debug'; specifying '!*' is equal to specifying 'none'; 'info,!crit' is the range from 'info' to 'err' (excluding crit and above); and 'info,!=err' is info and above, but excluding (only) 'err'. This is the same scheme as used by the Linux syslogd (see man 5 syslogd).
System calls: certain system calls (execve, utime, unlink, dup (+ dup2), chdir, open, kill, exit (+ _exit), fork, setuid, setgid, pipe) can be logged (only to console and syslog). You can determine the set of system calls to log via the option LogCalls=call1, call2, .... By default, this is off (nothing is logged). The priority is notice, and the class is AUD.
Example:
```ini
[Log]
#
# Threshold for E-mails (none = switched off)
#
MailSeverity=none
#
# Threshold for log file
#
LogSeverity=err
LogClass=RUN FIL STAMP
#
# Threshold for console
#
PrintSeverity=info
#
# Threshold for syslog (none = switched off)
#
SyslogSeverity=none
#
# Threshold for logging to Prelude (none = switched off)
#
PreludeSeverity=none
#
# Threshold for forwarding to the log server
#
ExportSeverity=crit
#
# Threshold for invoking an external program
#
ExternalSeverity=crit
#
# Threshold for logging to a SQL database
#
DatabaseSeverity=err
#
# System calls to log
#
LogCalls=open, kill
```
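To make the syslogd-style specifier scheme and the class filtering above concrete, here is an added example (not samhain's own code) that models how a FacilitySeverity value and a FacilityClass list decide whether a message reaches a facility; the severity ordering used in it is an assumption for the example, and the message classes are taken from the configuration example.

```python
# Added example, not samhain's own code: a small model of how a samhain
# FacilitySeverity specifier and FacilityClass list select messages.
# The severity ordering below is assumed for this example (lowest first).
SEVERITIES = ["debug", "info", "notice", "warn", "mark", "err", "crit", "alert"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}


def parse_severity_spec(spec: str) -> set:
    """Return the set of severities a syslogd-style specifier selects.
    Items apply left to right: 'lvl' = lvl and above, '=lvl' = only lvl,
    '*' = all, a leading '!' turns the item into an exclusion, and
    'none' selects nothing (the facility is switched off).
    """
    selected = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        exclude = item.startswith("!")
        item = item[1:] if exclude else item
        only = item.startswith("=")
        item = item[1:] if only else item
        if item == "*":
            levels = set(SEVERITIES)
        elif item == "none":
            levels = set()
        elif item in RANK:
            levels = {item} if only else {s for s in SEVERITIES if RANK[s] >= RANK[item]}
        else:
            raise ValueError(f"unknown severity {item!r}")
        selected = selected - levels if exclude else selected | levels
    return selected


def parse_class_list(classes: str) -> set:
    """Split a FacilityClass value on spaces or commas; empty means all classes."""
    return set(classes.replace(",", " ").split())


def is_logged(severity_spec: str, class_list: str, msg_severity: str, msg_class: str) -> bool:
    """True if the message's severity is selected and its class is wanted."""
    wanted = parse_class_list(class_list)
    if wanted and msg_class not in wanted:
        return False
    return msg_severity in parse_severity_spec(severity_spec)


if __name__ == "__main__":
    # The log file settings from the example: LogSeverity=err, LogClass=RUN FIL STAMP
    print(is_logged("err", "RUN FIL STAMP", "crit", "FIL"))  # True
    print(is_logged("err", "RUN FIL STAMP", "crit", "AUD"))  # False: class AUD not wanted
```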