Monitoring Anti-Virus Logs

Note: Pivotal Platform is now part of VMware Tanzu. In v2.2 and later, Pivotal Anti-Virus is named Anti-Virus for VMware Tanzu.


This topic contains sample logs emitted by Anti-Virus for VMware Tanzu.

You can use these samples to configure a Security Information and Event Management (SIEM) system to verify regular activity and generate alerts for virus detections or outdated virus signatures.

Anti-Virus Logs

There are four distinct Anti-Virus for VMware Tanzu apps that can run on each VM: freshclam, go-clam-tls, clamd, and clamdscan. The freshclam and go-clam-tls apps are mutually exclusive (a VM runs one or the other), and the remaining apps work together with it to detect viruses and protect the VM.

Each app writes its own log file. You need to monitor each of these files to know if Anti-Virus is working correctly and if viruses have been found.

VMware recommends that you enable syslog forwarding so that the messages from each of the three log files are aggregated into the syslog file on the remote syslog server. Then you can use your preferred monitoring and alerting tool to review the Anti-Virus log entries.

For an example of how Anti-Virus messages appear in the syslog file, see Syslog Format below.

For information about each app, see freshclam, go-clam-tls, clamd, and clamdscan below.

freshclam App

The freshclam app updates the database that stores the known virus signatures.

The messages output by the freshclam app indicate when freshclam checks for updates, what the download progress is, and the downloaded signature version.

The log file for the freshclam app is /var/vcap/sys/log/antivirus/freshclam.log.

go-clam-tls App

The go-clam-tls app performs the same role as the freshclam app for environments that use Anti-Virus Mirror for VMware Tanzu with Anti-Virus for VMware Tanzu. go-clam-tls uses mutual TLS (mTLS) and permits changing the port used for database updates.

The messages output by the go-clam-tls app indicate when go-clam-tls checks for updates, what the download progress is, and the downloaded signature version.

The log file for the go-clam-tls app is /var/vcap/sys/log/antivirus/go-clam-tls.log.

clamd App

The Clam AntiVirus Daemon (clamd) listens for incoming connections on a Unix domain socket or a TCP socket. clamd works with clamdscan to scan files or directories. The clamd job uses the database of virus signatures that the freshclam job updates.

The messages output by the clamd app show files where viruses are found, the name of the virus signature, and any action taken (such as moving, copying, or deleting).

The log file for the clamd app is /var/vcap/sys/log/antivirus/antivirus.stdout.log.

clamdscan App

The clamdscan app scans files and directories for viruses using the clamd daemon.

The messages output by the clamdscan app show when a scan is initiated and include a scan summary on completion.

The log file for the clamdscan app is /var/vcap/sys/log/antivirus/clamdscan.log.

Log Messages

The following table lists common messages that you see when ClamAV apps write to log files:

Message | App | Meaning | Healthy/Unhealthy?
Check for Updates | freshclam | States that the freshclam app is checking the configured remote mirror for an update to the local virus signature database. | Healthy
Update the Virus Database | freshclam | States that the virus database is being updated. | Healthy
Cannot Download CLD Database Files | freshclam | States that freshclam could not download the latest uncompressed databases. These database files include the main.cld, daily.cld, and bytecode.cld files. They are optional for ClamAV to run. | Healthy
Virus Database Is Up-to-Date | freshclam | States that the virus database is up-to-date. | Healthy
Virus Database is Older Than 7 Days | freshclam | States that the virus database is stale. Based on configuration, freshclam checks hourly or daily. | Unhealthy
Process Terminated | freshclam | freshclam should only terminate during a deployment. | Unhealthy (will be triggered by deployments)
Check for Updates | go-clam-tls | States that the go-clam-tls app is checking the configured remote mirror for an update to the local virus signature database. | Healthy
Update the Virus Database | go-clam-tls | States that the virus database is being updated. | Healthy
Using CLD Database Files | go-clam-tls | States that go-clam-tls could not find .cvd files and is failing over to .cld files. | Healthy
Virus Database Is Up-to-Date | go-clam-tls | States that the virus database is up-to-date. | Healthy
Virus Database is Older Than 7 Days | go-clam-tls | States that the virus database is stale. Based on configuration, go-clam-tls checks hourly or daily. | Unhealthy
Failed to Parse Local Database | go-clam-tls | States that go-clam-tls could not parse the local database. This might be because the database was modified in some way. This message is also given on initial startup, because the local database files are not yet present. | Unhealthy
Mirror Database is Older Than Local | go-clam-tls | States that the mirror database is older than the local version. You should investigate your mirror deployment. | Unhealthy
Start clamd | clamd | States that a clamd daemon is starting. | Healthy
Check for Updated Virus Signatures | clamd | clamd checks if freshclam has updated the local virus signature database. | Healthy
Virus Detected | clamd | Gives the name and location of the virus that was found and the virus signature that it matches. | Unhealthy
Virus Removed | clamd | Gives the name of the virus file that was found and states that the file was deleted. | Unhealthy
Virus Moved | clamd | Gives the name of the virus file found and where it was moved to. The virus file is deleted from its original location. | Unhealthy
Virus Copied | clamd | Gives the name of the virus file found and where it was copied to. The virus file remains at its original location. | Unhealthy
Process Terminated | clamd | Both clamd and freshclam should always be running. If the clamd daemon has stopped, this error appears and can indicate a problem. Neither on-access scanning nor scheduled scanning is possible while the process is terminated. | Unhealthy (will be triggered by deployments)
Start Scheduled Scan | clamdscan | States when the scan starts. Use the time stamp on the message to determine this. | Healthy
Scan Finished | clamdscan | Gives the time elapsed for the scan and how many infected files were found. | Healthy

freshclam Log Messages

The freshclam job on each VM is responsible for updating the database that stores the known virus signatures.

freshclam log entries relate to whether the virus-signature database is up-to-date.

  • Check for Updates

    ClamAV update process started at Wed Nov 28 15:58:23 2018
    

  • Update the Virus Database

    Downloading main.cvd [100%]
    main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    Downloading daily.cvd [100%]
    daily.cvd updated (version: 25135, sigs: 2155329, f-level: 63, builder: neo)
    Downloading bytecode.cvd [100%]
    bytecode.cvd updated (version: 327, sigs: 91, f-level: 63, builder: neo)
    Database updated (6721669 signatures) from pivotal-anti-virus-mirror.s3.amazonaws.com (IP: 52.216.169.19)
    

  • Virus Database Is Up-to-Date

    main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    daily.cvd is up to date (version: 25135, sigs: 2155329, f-level: 63, builder: neo)
    bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
    

  • Cannot Download CLD Database Files

    WARNING: getfile: Unknown response from pivotal-anti-virus-mirror.s3.amazonaws.com (IP: 52.216.233.147): HTTP/1.1 403
    WARNING: Can't download main.cld from pivotal-anti-virus-mirror.s3.amazonaws.com
    WARNING: getfile: Unknown response from pivotal-anti-virus-mirror.s3.amazonaws.com (IP: 52.216.233.147): HTTP/1.1 403
    WARNING: Can't download daily.cld from pivotal-anti-virus-mirror.s3.amazonaws.com
    WARNING: getfile: Unknown response from pivotal-anti-virus-mirror.s3.amazonaws.com (IP: 52.216.233.147): HTTP/1.1 403
    WARNING: Can't download bytecode.cld from pivotal-anti-virus-mirror.s3.amazonaws.com

  • Virus Database is Older Than 7 Days

    [LibClamAV] **************************************************
    [LibClamAV] ***  The virus database is older than 7 days!  ***
    [LibClamAV] ***   Please update it as soon as possible.    ***
    [LibClamAV] **************************************************
    

  • Process Terminated

    Update process terminated
    

go-clam-tls Log Messages

The go-clam-tls job on each VM is responsible for updating the database that stores the known virus signatures.

go-clam-tls log entries relate to whether the virus-signature database is up-to-date.

  • Check for Updates

    2019/10/03 20:30:20 go-clam-tls update process started
    

  • Update the Virus Database

    2019/10/03 20:40:15 go-clam-tls update process started
    2019/10/03 20:40:15 Warning: could not parse local main.cvd header: open /var/vcap/data/antivirus/main.cvd: no such file or directory
    2019/10/03 20:40:26 main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr, build timestamp: 07 Jun 2017 17-38 -0400)
    2019/10/03 20:40:26 Warning: could not parse local daily.cvd header: open /var/vcap/data/antivirus/daily.cvd: no such file or directory
    2019/10/03 20:40:31 daily.cvd updated (version: 25591, sigs: 1793277, f-level: 63, builder: raynman, build timestamp: 03 Oct 2019 04-30 -0400)
    2019/10/03 20:40:31 Warning: could not parse local bytecode.cvd header: open /var/vcap/data/antivirus/bytecode.cvd: no such file or directory
    2019/10/03 20:40:31 bytecode.cvd updated (version: 331, sigs: 94, f-level: 63, builder: anvilleg, build timestamp: 19 Sep 2019 12-12 -0400)
    2019/10/03 20:40:31 Clamd socket response: RELOADING
    
    2019/10/03 20:40:31 Databases successfully updated

  • Using CLD Database Files

    2019/10/03 20:42:31 go-clam-tls update process started
    2019/10/03 20:42:31 Anti-Virus Mirror antivirus-mirror.service.internal:6501 returned 404 for main.cvd, trying main.cld...
    2019/10/03 20:42:31 Warning: could not parse local main.cld header: open /var/vcap/data/antivirus/main.cld: no such file or directory
    2019/10/03 20:42:38 main.cld updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr, build timestamp: 07 Jun 2017 17-38 -0400)
    2019/10/03 20:42:38 Anti-Virus Mirror antivirus-mirror.service.internal:6501 returned 404 for daily.cvd, trying daily.cld...
    2019/10/03 20:42:38 Warning: could not parse local daily.cld header: open /var/vcap/data/antivirus/daily.cld: no such file or directory
    2019/10/03 20:42:38 daily.cld updated (version: 25591, sigs: 1793277, f-level: 63, builder: raynman, build timestamp: 03 Oct 2019 04-30 -0400)
    2019/10/03 20:42:38 Anti-Virus Mirror antivirus-mirror.service.internal:6501 returned 404 for bytecode.cvd, trying bytecode.cld...
    2019/10/03 20:42:38 Warning: could not parse local bytecode.cld header: open /var/vcap/data/antivirus/bytecode.cld: no such file or directory
    2019/10/03 20:42:38 bytecode.cld updated (version: 331, sigs: 94, f-level: 63, builder: anvilleg, build timestamp: 19 Sep 2019 12-12 -0400)
    2019/10/03 20:42:38 Clamd socket response: RELOADING
    
    2019/10/03 20:42:38 Databases successfully updated

  • Virus Database Is Up-to-Date

    2019/10/03 20:30:21 main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr, build timestamp: 07 Jun 2017 17-38 -0400)
    2019/10/03 20:30:21 daily.cvd is up to date (version: 25591, sigs: 1793277, f-level: 63, builder: raynman, build timestamp: 03 Oct 2019 04-30 -0400)
    2019/10/03 20:30:21 bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg, build timestamp: 19 Sep 2019 12-12 -0400)
    

  • Virus Database is Older Than 7 Days

    2019/10/03 20:51:14
    *** The virus database is older than 7 days! ***
    *** Please update it as soon as possible. ***


  • Failed to Parse Local Database

    2019/10/03 20:40:15 Warning: could not parse local main.cvd header: open /var/vcap/data/antivirus/main.cvd: no such file or directory
    

  • Mirror Database is Older Than Local

    2019/10/03 20:40:15 Warning: Current daily.cvd is version 25592 and remote version is 25591
    

clamd Log Messages

clamd is the antivirus scanner that searches for viruses. The clamd job uses the database of virus signatures that the freshclam job updates.

  • Start clamd

    Wed Nov 28 15:58:47 2018 -> +++ Started at Wed Nov 28 15:58:47 2018
    Wed Nov 28 15:59:02 2018 -> Self checking every 600 seconds.
    

  • Check for Updated Virus Signatures

    SelfCheck: Database status OK.
    
    SelfCheck: Database modification detected. Forcing reload
    
    No stats for Database check - forcing reload
    

  • Virus Detected

    /var/vcap/data/test.txt: Eicar-Test-Signature FOUND
    

  • Virus Removed

    /var/vcap/data/test.txt: Removed.
    

  • Virus Moved

    /var/vcap/data/test.txt: moved to '/var/vcap/data/antivirus/found/test.txt.001'
    

  • Virus Copied

    /var/vcap/data/test.txt: copied to '/var/vcap/data/antivirus/found/test.txt.001'
    

  • Process Terminated

    Wed Nov 28 19:25:23 2018 -> Pid file removed.
    Wed Nov 28 19:25:23 2018 -> --- Stopped at Wed Nov 28 19:25:23 2018
    Wed Nov 28 19:25:23 2018 -> Socket file removed.
    

clamdscan Log Messages

clamdscan searches files and directories for viruses.

  • Start Scheduled Scan

    This is not provided in ClamAV Add-on for PCF v1.4.38 and earlier.

    Starting scheduled scan
    
  • Scan Finished

    This is not provided in ClamAV Add-on for PCF v1.4.38 and earlier.

    Sample:

    ----------- SCAN SUMMARY -----------
    Infected files: 1
    Time: 346.887 sec (5 m 46 s)
    

Container Log Messages

Examples of ClamAV log entries from Garden containers and Docker containers are as follows:

  • For a Garden container in VMware Tanzu Application Service for VMs (TAS for VMs)

    /var/vcap/data/grootfs/store/unprivileged/images/2264d474-3e57-4934-504f-ddbb/diff/home/vcap/app/public/test.html:
    Eicar-Test-Signature FOUND
    

  • For a Docker container in VMware PKS (PKS)

    /var/vcap/store/docker/docker/overlay2/53322c6f7c25bb00224bb03cdfc285e141471d746d5c7a8c5a65db56fda56ecb/diff/test.html:
    Eicar-Test-Signature FOUND
    

Anti-Virus Log Format

The logs that Anti-Virus itself outputs do not adhere to a specific structure. However, the syslog forwarder component (which is on all VMs) encapsulates Anti-Virus’s log, and prepends the necessary headers so that the resulting logs adhere to the syslog format.

With syslog-forwarder, the syslog format is:

    <PRI> \
    VERSION \
    TIMESTAMP \
    HOST \
    APP-NAME \
    PROC-ID \
    MSG-ID \
    [instance@47450 \
    director="DIRECTOR" \
    deployment="DEPLOYMENT" \
    group="INSTANCE-GROUP" \
    az="AVAILABILITY-ZONE" \
    id="ID"] \
    MESSAGE \

Where:

  • <PRI> is <14>.
  • APP-NAME is freshclam, clamdscan, or clamd.
  • MESSAGE is the output from an Anti-Virus app. Examples of the output messages are shown in Log Messages above.

For example, the first two lines of the “Scan Finished” message appear in the syslog file as follows:

<14> \
1 \
2018-12-07T21:48:02.119539Z \
10.0.0.3 \
clamav \
rs2 \
- \
[instance@12345 \
director="" \
deployment="clamav-trusty-aaaa-80" \
group="clamav" \
az="z1" \
id="abcdef01-8901-42a5-ad58-8b4c1a2de881"] \
----------- SCAN SUMMARY -----------
<14> \
1 \
2018-12-07T21:48:02.11954Z \
10.0.0.3 \
clamav \
rs2 \
- \
[instance@12345 \
director="" \
deployment="clamav-trusty-rlee-80" \
group="clamav" \
az="z1" \
id="abcdef01-8901-42a5-ad58-8b4c1a2de881"] \
Infected files: 0

For more information, see Format in the syslog-release GitHub repository.
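The Log Messages table and the syslog layout above are what a SIEM rule set has to encode: split the forwarder line into its header, the [instance@...] structured-data block and the raw app message, then decide whether the message is one of the Unhealthy rows. The following Python script is an added example written for this page; it is not code from the Anti-Virus for VMware Tanzu product or its documentation. It assumes the line layout shown in Anti-Virus Log Format (accepting both "<14>1" and the "<14> 1" spacing shown above), the message wordings from the samples on this page, and a constructed set of sample lines; the regular expressions, the Alert record and the helper names are this example's own. It also goes one step beyond the table by treating a "Scan Finished" summary with a non-zero infected count as alert-worthy.

```python
"""Triage Anti-Virus for VMware Tanzu syslog lines for SIEM alerting.

Added example (not product code). Assumes the forwarder layout from the
Anti-Virus Log Format section and the message wordings from the Log
Messages table; patterns, Alert and sample lines are constructed here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# <PRI> VERSION TIMESTAMP HOST APP-NAME PROC-ID MSG-ID [SD-ID params...] MESSAGE
# (\s* after <PRI> accepts both "<14>1" and the "<14> 1" spacing shown on this page)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>\s*(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"\[(?P<sd>[^\]]*)\] (?P<message>.*)$"
)
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

# (pattern over the raw message, Log Messages row, unhealthy?). Unhealthy rows are
# listed first so a line matching two patterns is never downgraded. The wordings are
# assumed from the samples on this page; check them against your own logs.
RULES = [
    (re.compile(r"(?:^|: )\S+ FOUND$"), "Virus Detected", True),
    (re.compile(r": Removed\.$"), "Virus Removed", True),
    (re.compile(r": moved to '"), "Virus Moved", True),
    (re.compile(r": copied to '"), "Virus Copied", True),
    (re.compile(r"virus database is older than 7 days"), "Virus Database is Older Than 7 Days", True),
    (re.compile(r"Update process terminated$"), "Process Terminated (freshclam)", True),
    (re.compile(r"--- Stopped at "), "Process Terminated (clamd)", True),
    (re.compile(r"could not parse local \S+ header"), "Failed to Parse Local Database", True),
    (re.compile(r"Current \S+ is version \d+ and remote version is \d+"), "Mirror Database is Older Than Local", True),
    (re.compile(r"^Infected files: (?P<n>\d+)$"), "Scan Finished", False),  # count checked below
    (re.compile(r" is up to date \(version"), "Virus Database Is Up-to-Date", False),
    (re.compile(r"Databases? (successfully )?updated|\.c[lv]d updated \(version"), "Update the Virus Database", False),
    (re.compile(r"update process started"), "Check for Updates", False),
    (re.compile(r"returned 404 for \S+\.cvd, trying"), "Using CLD Database Files", False),
    (re.compile(r"WARNING: Can't download \S+\.cld"), "Cannot Download CLD Database Files", False),
    (re.compile(r"Starting scheduled scan$"), "Start Scheduled Scan", False),
    (re.compile(r"^SelfCheck: |forcing reload$"), "Check for Updated Virus Signatures", False),
    (re.compile(r"\+\+\+ Started at "), "Start clamd", False),
]


@dataclass
class Alert:
    host: str
    app: str
    deployment: str
    instance_id: str
    category: str
    message: str


def parse_syslog_line(line: str) -> Optional[dict]:
    """Split one forwarder line into header fields, SD params and the raw app message."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    sd = fields.pop("sd")
    fields["sd_id"] = sd.split(" ", 1)[0]          # e.g. instance@12345
    fields.update(dict(SD_PARAM_RE.findall(sd)))  # director, deployment, group, az, id
    return fields


def classify_message(message: str) -> Tuple[str, bool]:
    """Map a raw Anti-Virus app message to its Log Messages row and an unhealthy flag."""
    for pattern, category, unhealthy in RULES:
        m = pattern.search(message)
        if m is None:
            continue
        if category == "Scan Finished":
            # The summary row itself is healthy; a non-zero count is what needs an alert.
            unhealthy = int(m.group("n")) > 0
        return category, unhealthy
    return "Unclassified", False


def triage(lines) -> List[Alert]:
    """Return one Alert per unhealthy message; unparseable and healthy lines are skipped."""
    alerts = []
    for line in lines:
        fields = parse_syslog_line(line.rstrip("\n"))
        if fields is None:
            continue
        category, unhealthy = classify_message(fields["message"])
        if unhealthy:
            alerts.append(Alert(fields["host"], fields["app"], fields.get("deployment", ""),
                                fields.get("id", ""), category, fields["message"]))
    return alerts


def _line(app: str, message: str) -> str:
    """Build a constructed forwarder line in the layout shown above (sample data, not real)."""
    return (f"<14>1 2018-12-07T21:48:02.119539Z 10.0.0.3 {app} rs2 - "
            '[instance@12345 director="" deployment="clamav-trusty-aaaa-80" '
            'group="clamav" az="z1" id="abcdef01-8901-42a5-ad58-8b4c1a2de881"] ' + message)


# Constructed sample: the page's example messages wrapped in the forwarder layout.
SAMPLE_LINES = [
    _line("clamdscan", "----------- SCAN SUMMARY -----------"),
    _line("clamdscan", "Infected files: 0"),
    _line("freshclam", "main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)"),
    _line("freshclam", "[LibClamAV] ***  The virus database is older than 7 days!  ***"),
    _line("freshclam", "Update process terminated"),
    _line("clamd", "/var/vcap/data/test.txt: Eicar-Test-Signature FOUND"),
    _line("clamd", "/var/vcap/data/test.txt: moved to '/var/vcap/data/antivirus/found/test.txt.001'"),
    _line("clamd", "Wed Nov 28 19:25:23 2018 -> --- Stopped at Wed Nov 28 19:25:23 2018"),
    _line("clamdscan", "Infected files: 1"),
    "not a forwarder line at all",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LINES):
        print(f"ALERT {alert.category}: {alert.app}@{alert.host} ({alert.deployment}) {alert.message}")
```

Run it as-is to see the six alerts the sample produces; in a real deployment feed it the aggregated syslog file instead of SAMPLE_LINES. Because "Process Terminated" is expected during deployments, a SIEM rule built on this output should suppress or correlate those two categories with your deployment window rather than paging on every occurrence, while "Virus Detected", "Virus Moved", "Virus Copied" and a stale signature database always warrant an alert.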