LATEST VERSION: 1.4 - RELEASE NOTES
ClamAV Add-on for PCF v1.4

Monitoring ClamAV Logs

Page last updated:

This topic contains sample logs emitted by ClamAV.

These samples can be used to configure a Security Information and Event Management (SIEM) system to verify regular activity and generate alerts for virus detections or outdated virus signatures.

ClamAV Logs

There are three distinct ClamAV apps that run on each VM, freshclam, clamd, and clamdscan. These apps work together to detect viruses and protect the VM.

Each app writes its own log file. You need to monitor each of these files to know if ClamAV Addon for PCF is working correctly and if viruses have been found.

Pivotal recommends that you enable syslog forwarding so that the messages from each of the three log files is aggregated into the syslog file on the remote syslog server. Use your preferred monitoring and alerting tool to review the Clamav log messages.

For an example of how ClamAV messages appear in the syslog file, see Syslog Format below.

For information on each app, see freshclam, clamd, and clamdscan below.

freshclam App

The freshclam app updates the database that stores the known virus signatures.

The messages output by the freshclam app, indicate when freshclam checks for updates, download progress, and downloaded signature version.

The log file for the freshclam app is /var/vcap/sys/log/clamav/freshclam.log.

clamd App

The Clam AntiVirus Daemon (clamd) listens for incoming connections on Unix or the TCP socket. clamd works with clamdscan to scan files or directories. The clamd job uses the database of virus signatures that the freshclam job updates.

The messages output by the clamd app show files where viruses are found, the name of the virus signature, and any action taken, such as moving, copying, or deleting.

The log file for the clamd app is /var/vcap/sys/log/clamav/clamd.log.

clamdscan App

The clamdscan app scans files and directories for viruses using the clamd daemon.

The messages output by the clamdscan app show when a clamdscan has been initiated and write a scan summary on completion.

The log file for the clamd app is /var/vcap/sys/log/clamav/clamdscan.log.

Log Messages

The following tables lists common messages that you see when ClamAV apps write to log files:

Message App Meanings Healthy/Unhealthy?
Check for Updates freshclam States that the freshclam app is checking the configured remote mirror for an update to the local virus signature database. Healthy
Update the Virus Database freshclam States that the virus database is being updated. Healthy
Virus Database Is Up-to-Date freshclam States that the virus database is up-to-date. Healthy
Virus Database is Older Than 7 Days freshclam States that the virus database is stale. Based on configuration, freshclam checks hourly or daily. Unhealthy
Process Terminated freshclam freshclam should only terminate during a deployment. Unhealthy
(Will be triggered by deployments)
Start clamd clamd States that a clamd daemon is starting. Healthy
Check for Updated Virus Signatures clamd clamd checks if freshclam has updated the local virus signature database. Healthy
Virus Detected clamd Gives the name and location of the virus that was found and the virus signature that it matches. Unhealthy
Virus Removed clamd Gives the name of the virus file that was found and states that the file was deleted. Unhealthy
Virus Moved clamd Gives the name of the virus file found and where it was moved to.
The firus file is deleted from original location.
Unhealthy
Virus Copied clamd Gives the name of the virus file found and where it was copied to.
The virus file remains at original location.
Unhealthy
Process Terminated clamd Both clamd and freshclam should always be running. If the process was terminated, meaning the clamd daemon has stopped, then this error appears and can indicate a problem. Neither on-access scanning nor scheduled scanning is possible if the process state is terminated. Unhealthy
(Will be triggered by deployments)
Start Scheduled Scan clamdscan States when the scan starts. Use the time stamp on the message to determine this. Healthy
Scan Finished clamdscan Gives time elapsed for scan and how many infected files were found. Healthy

freshclam Log Messages

The freshclam job on each VM is responsible for updating the database that stores the known virus signatures.

freshclam log entries pertain to whether or not the virus-signature database is up-to-date.

  • Check for Updates

    ClamAV update process started at Wed Nov 28 15:58:23 2018
    

  • Update the Virus Database

    Downloading main.cvd [100%]
    main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    Downloading daily.cvd [100%]
    daily.cvd updated (version: 25135, sigs: 2155329, f-level: 63, builder: neo)
    Downloading bytecode.cvd [100%]
    bytecode.cvd updated (version: 327, sigs: 91, f-level: 63, builder: neo)
    Database updated (6721669 signatures) from pivotal-clamav-mirror.s3.amazonaws.com (IP: 52.216.169.19)
    

  • Virus Database Is Up-to-Date

    main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    daily.cvd is up to date (version: 25135, sigs: 2155329, f-level: 63, builder: neo)
    bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
    

  • Virus Database is Older Than 7 Days

    [LibClamAV] **************************************************
    [LibClamAV] ***  The virus database is older than 7 days!  ***
    [LibClamAV] ***   Please update it as soon as possible.    ***
    [LibClamAV] **************************************************
    

  • Process Terminated

    Update process terminated
    

clamd Log Messages

clamd is the anti-virus scanner that searches for viruses. The clamd job uses the database of virus signatures that the freshclam job updates.

  • Start clamd

    Wed Nov 28 15:58:47 2018 -> +++ Started at Wed Nov 28 15:58:47 2018
    Wed Nov 28 15:59:02 2018 -> Self checking every 600 seconds.
    

  • Check for Updated Virus Signatures

    SelfCheck: Database status OK.
    
    SelfCheck: Database modification detected. Forcing reload
    
    No stats for Database check - forcing reload
    

  • Virus Detected

    /var/vcap/data/test.txt: Eicar-Test-Signature FOUND
    

  • Virus Removed

    /var/vcap/data/test.txt: Removed.
    

  • Virus Moved

    /var/vcap/data/test.txt: moved to '/var/vcap/data/clamav/found/test.txt.001'
    

  • Virus Copied

    /var/vcap/data/test.txt: copied to '/var/vcap/data/clamav/found/test.txt.001'
    

  • Process Terminated

    Wed Nov 28 19:25:23 2018 -> Pid file removed.
    Wed Nov 28 19:25:23 2018 -> --- Stopped at Wed Nov 28 19:25:23 2018
    Wed Nov 28 19:25:23 2018 -> Socket file removed.
    

clamdscan Log Messages

clamdscan is searches files and directories for viruses.

  • Start Scheduled Scan

    This is not provided in ClamAV Add-on for PCF v1.4.38 and earlier.

    Starting scheduled scan
    
  • Scan Finished

    This is not provided in ClamAV Add-on for PCF v1.4.38 and earlier.

    Sample:

    ----------- SCAN SUMMARY -----------
    Infected files: 1
    Time: 346.887 sec (5 m 46 s)
    

ClamAV Log Format

The logs that ClamAV itself outputs do not adhere to a specific structure. However, the syslog forwarder component, which is on all VM’s, encapsulates ClamAV’s log and prepends the necessary headers so that the resulting logs adhere to the syslog format.

With syslog-forwarder, the syslog format is:

    <PRI> \
    VERSION \
    TIMESTAMP \
    HOST \
    APP-NAME \
    PROC-ID \
    MSG-ID \
    [instance@47450 \
    director="DIRECTOR" \
    deployment="DEPLOYMENT" \
    group="INSTANCE-GROUP" \
    az="AVAILABILITY-ZONE" \
    id="ID"] \
    MESSAGE \

Where:

  • APP-NAME is freshclam, clamdscan, or clamd.
  • <PRI> is <14>.
  • MESSAGE is the output from a ClamAV app. Examples of the output messages are shown Log Messages above.

For example, the first two lines of the Scan Finished message appear in the syslog file as follows:

<14> \
1 \
2018-12-07T21:48:02.119539Z \
10.0.0.3 \
clamav \
rs2 \
- \
[instance@12345 \
director="" \
deployment="clamav-trusty-aaaa-80" \
group="clamav" \
az="z1" \
id="abcdef01-8901-42a5-ad58-8b4c1a2de881"] \
----------- SCAN SUMMARY -----------
<14> \
1 \
2018-12-07T21:48:02.11954Z \
10.0.0.3 \
clamav \
rs2 \
- \
[instance@12345 \
director="" \
deployment="clamav-trusty-rlee-80" \
group="clamav" \
az="z1" \
id="abcdef01-8901-42a5-ad58-8b4c1a2de881"] \
Infected files: 0

For more information, see Format in the syslog-release GitHub repository.

Create a pull request or raise an issue on the source for this page in GitHub