Chapter 4. Configuration of logging facilities

The configuration file for samhain is named samhainrc by default. Also by default, it is placed in /etc. (Name and location is configurable at compile time). The distribution package comes with a commented sample configuration file. The layout of the configuration file is described in more details in Section 1 .

1. General

Events(e.g. unauthorized modifications of files monitored by samhain ) will generate messages of some severity. These messages will be logged to all logging facilities, whose threshold is equal to, or lower than, the severity of the message.

1.1. Severity levels

The following severity levels are defined:

noneKeyword to switch off a looging facility (*).
debugDebugging-level messages.
infoInformational message.
noticeNormal conditions.
warnWarning conditions.
errError conditions.
critCritical conditions.
alertProgram startup/normal exit, or fatal error, causing abnormal program termination.
inetIncoming messages from clients (server only).

(*) the keyword 'none' can only be used as a threshold for logging facilities, to indicate that no messages shall be logged via that facility.

Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. The following events have configurable severities: (*) the keyword 'none' can only be used as a threshold for logging facilities, to indicate that no messages shall be logged via that facility.

  • (server only) failure to resolve a client address (section [Misc], option SeverityLookup)

  • policy violations (for monitored files)

  • access errors for files

  • access errors for directories

  • obscure file names (with non-printable characters) and/or invalid UIDs/GIDs (no such user/group)

  • login/logout events (if samhain is configured to monitor them)

Severity levels for events (see Section 1.1 ) are set in the EventSeverity and (for login/logout events) the Utmp sections of the configuration file.

In the configuration file, these can be set as follows:

	  # these are policies 
	  # these are access errors 
	  # these are obscure file names 
	  # and/or invalid UIDs/GIDs (no such user/group) 
	  # This is the section for login/logout monitoring 
	  # multiple logins by same user 

1.2. Classes

Events of related type are grouped into classes. For each logging facility, it is possible to restrict logging to a subset of these classes (see Section 3 ). The available classes are:

EVENTEvents to be reported (i.e. policy violations, login/logout).
STARTStartup/stop messages.
STAMPTimestamp (heartbeat) messages.
LOGKEYThe key to verify the signed log file.
ERRORError messages.
OTHEREverything else (e.g. informational messages).
AUDSystem calls (for debugging).

The aforementioned classes represent a new, simplified classification scheme since version 1.8.2. The previous scheme (listed below) will still work, and both can be mixed.

AUDSystem calls.
RUNNormal run messages (e.g. startup, exit, ...)
STAMPTimestamps and alike.
FILMessages related to file integrity checking.
TCPMessages from the client/server subsystem.
PANICFatal errors, leading to program termination.
ERRError messages (general).
ENETError messages (network).
EINPUTError messages (input, e.g. configuration file).

1.3. Error message customization

It is possible to customize the initial part (the header of messages via the MessageHeader= "format" directive. Enclosing quotes are only required to protect leading/trailing space, and there is no need to escape quotes within the format string. The following placeholders are recognized:


Severity of the message.


Timestamp of the message.


Class of the message.


Source file where the message originates from.


Line number (in the source file) where the message originates from.


An error code that may provide additional information in case of internal errors.

In the configuration file, these can be set as follows:

	  # This is the default without XML 
	  MessageHeader="%S %T " 
	  # Default for XML-style messages. 
	  # Note that quotes within the format strings are NOT escaped in any way. 
	  # MessageHeader="<log sev="%S" tstamp="%T"