The event log mechanism uses a separate PostGreSQL database, for the purpose of making it more difficult to attack. Only stored procedures that read or add logs are available; it isn't possible to erase logs because the script user only has permissions to execute stored procedures. The script user gains the privileges of the creator of the functions (stored procedures) only within the scope of the functions (using the clause "EXTERNAL SECURITY DEFINER;"). The user who created the stored procedures only has permission to insert, select, and create functions, so even if somehow a stored procedure is attacked, or if the script user account is compromised, the attacker won't be able to erase the logs.

Logging Levels. We defined 5 levels:
LOG_NONE = 0
LOG_NORMAL_EVENT = 1
LOG_USER_INTERFACE = 2
LOG_DB_COMMUNICATION_ERROR = 3
LOG_REASSURE_INTERNALS = 4
Additionally, events at the LOG_DB_COMMUNICATION_ERROR or LOG_REASSURE_INTERNALS result in emails being sent to the system administrators.