Mailing List Archive

Configuring LogFacility
Hi all, I'm new here, please excuse my poor English.
I have a centralized syslog server and I've configured clamd to send logs with LogFacility local1.
It's working fine, but this is what I'm getting:
files/folders clamd can't access: local1.warning
infected files: local1.info

Is there a way to set local1.critical or alert for infected files?
It's much simpler to find a critical/alert message in syslog, and that way I can "refine" logs and reports.

I'm using ClamAV on CentOS 5.5, installed from the RPMforge repository: ClamAV 0.97.2/13679
Thanks

--
Forlani M. <m.forlani@email.it>


_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: Configuring LogFacility
On 2011-09-27 13:13, Forlani M. wrote:
>
> Hi all, I'm new here, please excuse my poor English.
> I have a centralized syslog server and I've configured clamd to send logs with LogFacility local1.
> It's working fine, but this is what I'm getting:
> files/folders clamd can't access: local1.warning
> infected files: local1.info
>
> Is there a way to set local1.critical or alert for infected files?

No, you can't configure it from clamd.conf; please open an enhancement request on bugs.clamav.net.

You could write a VirusEvent script, put VirusEvent /path/to/yourscript in clamd.conf, and in yourscript:
#!/bin/sh
/usr/bin/logger -t clamd -p local1.alert "$CLAM_VIRUSEVENT_FILENAME: $CLAM_VIRUSEVENT_VIRUSNAME FOUND"

> It's much simpler to find a critical/alert message in syslog, and that way I can "refine" logs and reports.
>
> I'm using ClamAV on CentOS 5.5, installed from the RPMforge repository: ClamAV 0.97.2/13679
> Thanks
>

If you're using rsyslogd it should be possible to match on msg content FOUND and send the output to a different place,
or override the loglevel.

Best regards,
--Edwin
Re: Configuring LogFacility
Thanks for the answer, yes I'm using rsyslogd, could you point me to docs on how to match on msg?

Thanks again


On Tue, 27 Sep 2011 14:09:36 +0300
Török Edwin <edwintorok@gmail.com> wrote:

> On 2011-09-27 13:13, Forlani M. wrote:
> >
> > Hi all, I'm new here, please excuse my poor English.
> > I have a centralized syslog server and I've configured clamd to send logs with LogFacility local1.
> > It's working fine, but this is what I'm getting:
> > files/folders clamd can't access: local1.warning
> > infected files: local1.info
> >
> > Is there a way to set local1.critical or alert for infected files?
>
> No, you can't configure it from clamd.conf; please open an enhancement request on bugs.clamav.net.
>
> You could write a VirusEvent script, put VirusEvent /path/to/yourscript in clamd.conf, and in yourscript:
> #!/bin/sh
> /usr/bin/logger -t clamd -p local1.alert "$CLAM_VIRUSEVENT_FILENAME: $CLAM_VIRUSEVENT_VIRUSNAME FOUND"
>
> > It's much simpler to find a critical/alert message in syslog, and that way I can "refine" logs and reports.
> >
> > I'm using ClamAV on CentOS 5.5, installed from the RPMforge repository: ClamAV 0.97.2/13679
> > Thanks
> >
>
> If you're using rsyslogd it should be possible to match on msg content FOUND and send the output to a different place,
> or override the loglevel.
>
> Best regards,
> --Edwin


--
Forlani M. <m.forlani@email.it>


Re: Configuring LogFacility
On 2011-09-27 15:56, Forlani M. wrote:
> Thanks for the answer, yes I'm using rsyslogd, could you point me to docs on how to match on msg?

man rsyslog.conf, look for "Property based filters", and "Property replacer".
"They allow to filter on any property, like HOSTNAME, syslogtag and msg".

Best regards,
--Edwin
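The two pieces Edwin describes, the VirusEvent hook and the rsyslog property-based filter on msg, put together as an added example (not code from the thread or from ClamAV). The hook path /usr/local/sbin/clam-virusevent.sh and the log file /var/log/clamav/infected.log are assumed names; CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME are the variables clamd exports to the hook.

```shell
#!/bin/sh
# Added example, not code from the thread: a clamd VirusEvent hook that logs
# each detection at local1.alert, plus a helper that mimics the rsyslog
# property-based filter Edwin mentions. Paths below are assumed.
#
# clamd.conf:   VirusEvent /usr/local/sbin/clam-virusevent.sh   (assumed path)
# rsyslog.conf: route any clamd message containing FOUND to its own file,
#               then discard it from the general log (legacy syntax; newer
#               rsyslog spells the discard "& stop"):
#   :msg, contains, "FOUND"   /var/log/clamav/infected.log
#   & ~

# clamd exports CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME to the
# hook. Build the message here; refuse to run with either variable unset so a
# misconfigured hook never logs an empty "FOUND" line.
clam_alert_message() {
    file="${CLAM_VIRUSEVENT_FILENAME:?CLAM_VIRUSEVENT_FILENAME not set}"
    name="${CLAM_VIRUSEVENT_VIRUSNAME:?CLAM_VIRUSEVENT_VIRUSNAME not set}"
    printf '%s: %s FOUND\n' "$file" "$name"
}

# Send the message to syslog as facility local1, severity alert.
# LOGGER may be overridden (e.g. with a shell function) to test the hook.
clam_log_alert() {
    msg=$(clam_alert_message) || return 1
    "${LOGGER:-/usr/bin/logger}" -t clamd -p local1.alert "$msg"
}

# Decide, the way the rsyslog rule above would, whether a syslog line is a
# detection ("infected") or anything else clamd logs ("other"), independent
# of the priority clamd chose for it.
route_clamd_line() {
    case "$1" in
        *FOUND*) echo infected ;;
        *)       echo other ;;
    esac
}

# Act as the hook only when invoked under the script's own name, so the
# functions above can also be sourced and exercised by hand.
case "$0" in
    *clam-virusevent.sh) clam_log_alert ;;
esac
```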
Re: Configuring LogFacility
On 9/27/2011 7:09 AM, Török Edwin wrote:
> On 2011-09-27 13:13, Forlani M. wrote:
>
> No, you can't configure it from clamd.conf; please open an enhancement request on bugs.clamav.net.
>
> You could write a VirusEvent script, put VirusEvent /path/to/yourscript in clamd.conf, and in yourscript:
> #!/bin/sh
> /usr/bin/logger -t clamd -p local1.alert "$CLAM_VIRUSEVENT_FILENAME: $CLAM_VIRUSEVENT_VIRUSNAME FOUND"
>

External events to syslog, now that is a cool idea.

Both for CLUES & CCEE.

Thanks, I'll look into it.
:-)

--
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com