All messages have a severity level (see Section 1.1 ) and a class (see Section 1.2 ), with somewhat orthogonal meaning:
The severity ranks messages with respect to their importance. Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. However, as importance sometimes is a matter of taste, some events have configurable severities (see Section 1 ).
Classes refer to the purpose/category of a message. As such, they should (ideally) be useful to exclude messages that are not interesting in some context (e.g. startup/stop messages may seem useless noise if samhain is run from cron).
Obviously, as severity is a rank, the most natural way to exclude unwanted messages is to set a threshold. On the other hand, as the message class is a category, the most natural way to exclude messages is to list those message classes that you want.
Messages are only logged to a log facility if their severity is at least as high as the threshold of that facility, and their class is one of those wanted (by default: all). Thresholds and class lists can be specified individually for each facility.
| Tip: Switching on/off |
|---|
| Most log facilities are off by default, and need to be enabled by setting an appropriate threshold. A threshold of none switches off the respective facility. |

| Tip: Logging of client messages by the server |
|---|
| By default, messages received by the server are treated specially: they are always logged to the logfile, and never to mail or syslog. If you don't like that, use the option UseClientSeverity=yes (section [Misc]). |
Thresholds and class lists are set in the Log section of the configuration file. For each threshold option FacilitySeverity there is also a corresponding option FacilityClass to limit that facility to messages within a given set of classes. The argument must be a list of valid message classes, separated by space or comma.
Actually, FacilitySeverity can take a list of severities with optional specifiers '*', '!', or '=', which are interpreted as 'all', 'excluding', and 'only', respectively, and are applied from left to right. Examples: specifying '*' is equivalent to specifying 'debug' (the lowest severity, hence everything); specifying '!*' is equivalent to specifying 'none'; 'info,!crit' is the range from 'info' to 'err' (excluding crit and above); and 'info,!=err' is info and above, but excluding (only) 'err'. This is the same selector scheme as used by the Linux syslogd (see syslog.conf(5)).

System calls: certain system calls (execve, utime, unlink, dup (+ dup2), chdir, open, kill, exit (+ _exit), fork, setuid, setgid, pipe) can be logged, but only to the console and to syslog. You select the set of system calls to log with the option LogCalls=call1, call2, ... . By default this is off (nothing is logged). The records have severity notice and class AUD, so PrintSeverity or SyslogSeverity must admit notice (and, if a class list is set for that facility, include AUD) for them to appear anywhere.
Example:
```
[Log]
#
# Threshold for E-mails (none = switched off)
# MailSeverity=none
#
# Threshold for log file
#
LogSeverity=err
LogClass=RUN FIL STAMP
#
# Threshold for console
#
PrintSeverity=info
#
# Threshold for syslog (none = switched off)
#
SyslogSeverity=none
#
# Threshold for logging to Prelude (none = switched off)
#
PreludeSeverity=none
#
# Threshold for forwarding to the log server
#
ExportSeverity=crit
#
# Threshold for invoking an external program
#
ExternalSeverity=crit
#
# Threshold for logging to a SQL database
#
DatabaseSeverity=err
#
# System calls to log
#
LogCalls=open, kill
```
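To check what a given [Log] section will actually deliver to each facility before deploying it, the following added example (written for this page; it is not samhain's own code) models the two filter rules described above: it resolves the syslogd-style FacilitySeverity selector lists ('*', '!', '=', 'none') into a set of admitted severities, applies the FacilityClass list (absent means all classes), and routes constructed sample messages through the example configuration printed above. The severity ordering is assumed from the manual's severity table (Section 1.1), lowest first; the facility names are taken from the option prefixes in the example, and the restriction of LogCalls records to console and syslog is passed in explicitly by the caller.

```python
"""Model of samhain's per-facility log filter (added example, not samhain code).
A message reaches a facility only if its severity is in the set selected by
FacilitySeverity and its class is in FacilityClass (default: every class)."""

# Assumed severity order, lowest first, taken from the manual's severity table.
SEVERITIES = ["debug", "info", "notice", "warn", "mark", "err", "crit", "alert"]
RANK = {s: i for i, s in enumerate(SEVERITIES)}


def parse_severity_spec(spec):
    """Resolve a FacilitySeverity value to the set of severities it admits.

    syslogd-style entries, applied left to right:
      'err'    err and everything above it      '*'     all severities
      '=err'   only err                         'none'  nothing
      '!crit'  remove crit and above            '!*'    remove everything
      '!=err'  remove only err
    """
    allowed = set()
    for raw in spec.replace(",", " ").split():
        item = raw.lower()
        negate = item.startswith("!")
        if negate:
            item = item[1:]
        exact = item.startswith("=")
        if exact:
            item = item[1:]
        if item == "none":
            members = set()
        elif item == "*":
            members = set(SEVERITIES)
        elif item in RANK:
            members = {item} if exact else {s for s in SEVERITIES if RANK[s] >= RANK[item]}
        else:
            raise ValueError("unknown severity in spec: %r" % raw)
        allowed = allowed - members if negate else allowed | members
    return allowed


def parse_class_list(spec):
    """FacilityClass: space- or comma-separated classes; None means 'all classes'."""
    classes = {c.upper() for c in spec.replace(",", " ").split()}
    return classes or None


def parse_log_section(text):
    """Read FooSeverity= / FooClass= lines of a [Log] fragment into
    {facility: (admitted_severities, class_set_or_None)}.
    Comment lines and unrelated keys (e.g. LogCalls) are ignored."""
    sev, cls = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith("Severity"):
            sev[key[: -len("Severity")]] = parse_severity_spec(value)
        elif key.endswith("Class"):
            cls[key[: -len("Class")]] = parse_class_list(value)
    return {f: (sev[f], cls.get(f)) for f in sev}


def route(facilities, severity, msg_class, allowed_facilities=None):
    """Return the sorted list of facilities that would log one message.
    allowed_facilities restricts the candidates; the manual says system-call
    records (LogCalls) can only go to the console ('Print') and syslog."""
    hits = []
    for name, (sevs, classes) in facilities.items():
        if allowed_facilities is not None and name not in allowed_facilities:
            continue
        if severity in sevs and (classes is None or msg_class in classes):
            hits.append(name)
    return sorted(hits)


# Constructed [Log] fragment mirroring the example configuration on this page.
EXAMPLE_LOG_SECTION = """
[Log]
# MailSeverity=none
LogSeverity=err
LogClass=RUN FIL STAMP
PrintSeverity=info
SyslogSeverity=none
PreludeSeverity=none
ExportSeverity=crit
ExternalSeverity=crit
DatabaseSeverity=err
LogCalls=open, kill
"""

if __name__ == "__main__":
    fac = parse_log_section(EXAMPLE_LOG_SECTION)
    # A crit/FIL file-change report reaches the log file, console, export,
    # external program and database; syslog and Prelude are 'none'.
    print(route(fac, "crit", "FIL"))
    # An err/AUD message is dropped by the log file (class list lacks AUD).
    print(route(fac, "err", "AUD"))
    # A LogCalls record (notice/AUD): only console or syslog are eligible,
    # and syslog is switched off, so it appears on the console alone.
    print(route(fac, "notice", "AUD", allowed_facilities={"Print", "Syslog"}))
```

Running the block with the example configuration shows the point of the class list: an `err` message of class AUD passes the LogSeverity threshold but is still dropped from the log file because LogClass only lists RUN, FIL and STAMP, while the same message reaches the database, whose facility has no class list.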