clamav?

[Barry Kaplan]

Anybody here using clamav? It seems the ossec rules for clamav depend on the syslog format. But clamav-daemon does not run as root, so really it can't scan much of anything. And the clamscan never writes to syslog and its output is in a different format than clamav-daemon. 

Not really an ossec question, but how is clamav useful it cannot see most files?

[Pedro S]

Hi,

Maybe clamav-rules are out-of-date, last update was 4 years ago but Jesus Linares wrote a few improvements few months ago (ClamAV rules).

If clamscan has a different format the decoders won't work properly, you can test the current decoders and rules using logtest:

/var/ossec/bin/ossec-logtest

Feel free to improve them or paste here some log example so we can figure out how to improve them.

Regards,

Pedro S.

[Barry Kaplan]

Looks like the clamav rules are just fine. 

Only the clamav daemon writes to syslog. So I added a rsyslog config:

$ModLoad imfile

$InputFileName {{ clamav_scan_log_file }}
$InputFileTag clamd:
$InputFileStateFile stat-{{ clamav_scan_log_file }}

$InputFileSeverity error
$InputFileFacility local7
$InputRunFileMonitor

Then some cron jobs to run clamscan on directories, eg (where I have the EICAR test signature file in /tmp):

clamscan --log=/var/log/clamav/clamav.log --no-summary --infected --remove=no --recursive=yes /tmp

And magically I get alerts in OSSEC. Very very nice.

[Jesus Linares]

Hi Barry,

It seems your solution is working, but I give you others possible ways to write in syslog:

• freshclam: edit /etc/clamav/freshclam.conf and set "LogSyslog yes"
  
• clamscan: clamscan --infected -r $SCAN_DIRECTORY --log=$LOG_FILE --stdout | logger -i -t clamav
• Example: clamscan --infected -r /usr/share/clamav-testfiles --log=/var/log/clamav/clamav.log --stdout | logger -i -t clamd
  
• clamd: I think, clamd writes in syslog by default.

Regards.

Jesus Linares.

[Barry Kaplan]

On Tuesday, February 23, 2016 at 3:40:29 PM UTC+5:30, Jesus Linares wrote:

 

It seems your solution is working, but I give you others possible ways to write in syslog:

• freshclam: edit /etc/clamav/freshclam.conf and set "LogSyslog yes"
  

I had though that freshclam (which is running as service from the apt package) was already logging to syslog, but I see that it is not.

• clamscan: clamscan --infected -r $SCAN_DIRECTORY --log=$LOG_FILE --stdout | logger -i -t clamav

Very nice, I was not aware of logger. I will change over to this. (FYI, the ossec decoder expects the programto be 'clamd' not 'clamav'.)

• clamd: I think, clamd writes in syslog by default.

Yes, this is what I started with, using clamdscan instead. But clamd runs as clamav user, and hence did not have privs to see pretty much anything. I tried configuring apparmor to give it access specified directories but that did not seem work. 

thanks much Jesus