Log channels

SAYMON logging separates all messages into channels. Each log channel represents a specific way of handling logs.

Security events can be sent to different channels. Each channel can contain multiple transport modules (mechanisms that deliver logs to the appropriate storage system, for example udp or kafka), so one message can be delivered to several systems at the same time.

For example, error messages can be sent to the "faults" channel, which prints them to the console and also sends them to an external system (for example, a syslog server):

{
  "channels": {
    "faults": [
      {
        "type": "console",
        "options": {
          "level": "debug"
        }
      },
      {
        "type": "udp",
        "options": {
          "server": "localhost:514"
        }
      }
    ]
  }
}

The system has four thematic channels defined:

  • session - information about opening/closing a user session,

  • audit - information about changes to the system,

  • faults - information about errors while accessing the system,

  • default - channel for messages that don't fit other channels.

By default, the system has a single channel, default. This channel prints messages to the server's console.

All messages sent to an undefined channel will be ignored.
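Because a message sent to an undefined channel is dropped silently, a configuration that forgets to define "session" or "audit" loses exactly the security events those channels exist for. The following checker is an added example, not SAYMON's own code: it parses a channel configuration of the shape shown above, reports thematic channels that are missing, channels with no transports, transport types other than the ones this page names (console, udp, kafka), and udp transports without a "server" option, and it mirrors the drop rule by routing a message to an empty transport list when its channel is undefined. The sample configuration embedded in the block is constructed for the example and deliberately omits "session" and "audit".

```python
"""Sanity-check a SAYMON-style log channel configuration.

Added example, not part of SAYMON's own code or documentation. It assumes
only what the page states: a top-level "channels" object mapping channel
names to a list of transports with "type" and "options", the thematic
channel names session/audit/faults/default, and that messages sent to an
undefined channel are ignored. Treating "default" as something the config
must define explicitly is this checker's assumption.
"""
import json

# The four thematic channels the page lists.
THEMATIC_CHANNELS = ("session", "audit", "faults", "default")

# Transport types named on the page; anything else is flagged as unknown.
KNOWN_TRANSPORTS = {"console", "udp", "kafka"}

# Constructed sample: faults goes to console + UDP syslog, default to
# console only; "session" and "audit" are left out on purpose so the
# checker has something to report.
SAMPLE_CONFIG = """
{
  "channels": {
    "faults": [
      {"type": "console", "options": {"level": "debug"}},
      {"type": "udp", "options": {"server": "localhost:514"}}
    ],
    "default": [
      {"type": "console", "options": {"level": "info"}}
    ]
  }
}
"""


def load_channels(config_text):
    """Parse the JSON text and return the channels mapping."""
    config = json.loads(config_text)
    channels = config.get("channels")
    if not isinstance(channels, dict):
        raise ValueError('config must contain a "channels" object')
    return channels


def check_channels(channels):
    """Return a list of human-readable findings about the configuration.

    Findings:
      - thematic channels that are not defined (events to them are dropped),
      - channels defined with no transports (nothing would deliver them),
      - transports whose type is not one the page documents,
      - udp transports missing a "server" option.
    """
    findings = []
    for name in THEMATIC_CHANNELS:
        if name not in channels:
            findings.append(f"channel '{name}' is undefined; its messages will be ignored")
    for name, transports in channels.items():
        if not transports:
            findings.append(f"channel '{name}' has no transports")
            continue
        for idx, transport in enumerate(transports):
            ttype = transport.get("type")
            if ttype not in KNOWN_TRANSPORTS:
                findings.append(f"channel '{name}' transport #{idx} has unknown type {ttype!r}")
            elif ttype == "udp" and "server" not in transport.get("options", {}):
                findings.append(f"channel '{name}' transport #{idx} (udp) has no 'server' option")
    return findings


def route(channels, channel_name):
    """Return the transport types a message on channel_name reaches.

    Mirrors the page's rule: an undefined channel silently drops the
    message, so the result is an empty list rather than an error.
    """
    return [t["type"] for t in channels.get(channel_name, [])]


if __name__ == "__main__":
    chans = load_channels(SAMPLE_CONFIG)
    for finding in check_channels(chans):
        print("WARN:", finding)
    print("faults ->", route(chans, "faults"))
    print("audit  ->", route(chans, "audit"))
```

Running the block as a script prints two warnings (session and audit undefined), shows that a faults message reaches both the console and the udp transport, and that an audit message reaches nothing, which is the failure mode worth catching before deployment rather than after an incident.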