Detecting ClamAV Logs in Ubuntu 11.04+

Version 1

The default connector setup for Linux ClamAV monitors the /var/log/messages file. Ubuntu got rid of the messages file in Ubuntu Version 11.04 and replaced it with /var/log/syslog.

http://askubuntu.com/questions/51265/where-is-var-log-messages

Ubuntu's /var/log/syslog is the equivalent of the Windows System Log. It is NOT a syslog server utility like Kiwi.

For my deployments, I installed the following packages using the command:

sudo apt-get install clamav clamav-daemon clamav-freshclam

Go through your usual process to install the LEM client on the Ubuntu server.

Once your device is imported into the LEM Console, change the default LEM clamav and freshclam connectors so that they monitor /var/log/syslog.

LEMConnectorConfig.jpg (screenshot of the connector configuration)

Next, make the following changes to the configuration files of both applications:

/etc/clamav/freshclam.conf
/etc/clamav/clamd.conf

Within each of these files, search for the following options and change them as shown:

(Default)
LogSyslog false

(Change it to)
LogSyslog true

==========

(Default)
LogVerbose false

(Change it to)
LogVerbose true

Freshclam is a daemon and will update your ClamAV definitions for you. It adds events to syslog for import using the LEM connector, so you can run reports to see when the latest definitions were installed. Also, the default freshclam.conf setting is to check once per hour (Checks 24, i.e. 24 checks per day). You may want to modify freshclam.conf to update once per day:

(Default)
Checks 24

(Change it to)
Checks 1

Clamdscan scans through the clamd daemon process, which runs under the clamav account. It does a great job of logging to syslog, and this data is automatically imported with the built-in ClamAV LEM connector. You can also configure applications like Moodle to use the ClamAV daemon for file uploads, and detections get logged into LEM. However, clamdscan does not have the permissions to perform scheduled scans on all home directories and provide detailed logging information to LEM. You may receive errors like "Permission denied", or be unable to log the path of the detected malware when using the --fdpass switch. I had to use clamscan to perform home directory scans.

Clamscan command problem: it can scan to a report file or a separate log file, but that output is not in a format easily imported into LEM. You have to output the VIRUS FOUND information into a log file and use the logger command to add the event into syslog for import into LEM.

See my example script below. The -t "clamd[5286]" option tags the syslog entries as if they came from clamd, so the built-in ClamAV connector picks them up:

clamscan --stdout --no-summary --log=/var/log/clamscan.log -i -r /home | logger -t "clamd[5286]"

The resulting virus detection event is logged into syslog, imported into LEM, and the resulting event looks like this:

LEM-Event.jpg (screenshot of the event in LEM)

You may want to modify the clamscan script to move infected files to a quarantine directory. See here for more clamscan options:

security - How do I scan for viruses with ClamAV? - Ask Ubuntu
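The following script is an added example, not part of the original post, that combines the clamscan | logger one-liner above with the quarantine suggestion: it forwards each FOUND line to syslog under the same clamd tag, moves infected files with clamscan's --move option, and logs a summary even when the scan is clean so LEM can distinguish a clean scan from one that never ran. The QUARANTINE and LOGFILE paths, the script name and the sample clamscan output are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): scheduled clamscan wrapper.
# Detections go to syslog under the clamd tag so the built-in LEM connector
# parses them; infected files are moved to quarantine; a summary line is
# logged even for a clean scan. QUARANTINE/LOGFILE are assumed paths.
# Usage: sh clamscan-to-lem.sh /home   (needs clamscan and logger on PATH)
QUARANTINE="${QUARANTINE:-/var/lib/clamav/quarantine}"
LOGFILE="${LOGFILE:-/var/log/clamscan.log}"
SYSLOG_TAG="clamd[5286]"   # same tag as the one-liner in the post

# Keep only the "path: Signature FOUND" lines of clamscan -i output (stdin).
# That is already the format clamd itself logs, so nothing needs rewriting.
found_lines() { grep ' FOUND$' || true; }

# Number of detections in clamscan output read from stdin.
count_found() { found_lines | wc -l | tr -d ' '; }

# Summary line from scan path, detection count and clamscan exit status
# (0 = clean, 1 = something found, 2 = error).
summary_message() {
    case "$3" in
        0) state="clean" ;;
        1) state="infected" ;;
        *) state="error" ;;
    esac
    printf 'scheduled scan of %s finished: %s, %s file(s) moved to quarantine\n' \
        "$1" "$state" "$2"
}

run_scan() {
    mkdir -p "$QUARANTINE"
    out=$(clamscan --stdout --no-summary -i -r --log="$LOGFILE" \
                   --move="$QUARANTINE" "$1" 2>&1)
    rc=$?
    # One syslog entry per detection, exactly as the original pipeline did
    printf '%s\n' "$out" | found_lines | logger -t "$SYSLOG_TAG"
    n=$(printf '%s\n' "$out" | count_found)
    summary_message "$1" "$n" "$rc" | logger -t "$SYSLOG_TAG"
    return "$rc"
}

# Constructed sample of clamscan -i output, for checking the helpers offline.
SAMPLE_OUTPUT="/home/alice/eicar.com: Eicar-Test-Signature FOUND
/home/alice/eicar.com: moved to /var/lib/clamav/quarantine/eicar.com
/home/bob/report.doc: Win.Test.EICAR_HDB-1 FOUND
/home/carol/notes.txt: OK"

# Scan only when a path is given on the command line.
[ "$#" -gt 0 ] && run_scan "$1"
```

Run it from cron as root so it can read every home directory, which is the permission problem clamdscan ran into above.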