ClamAV Wazuh integration

[Srikar Naramsetty]

Hi,

I found from google that Wazuh has out of box support for ClamAV. But I couldn't find any details of how to configure the agents to process the ClamAV alerts. Can you guide me how to do this integration?

Thanks a lot,

Srikar

[Fernando G.]

Hi Srikar,

Although we provide very little documentation about it, Wazuh has indeed integration with ClamAV. To be more precise, it can fetch and decode ClamAV's logs. This can be achieved by two ways:

1º Forward every ClamAV log to Syslog(/var/log/syslog).  

Uncomment LogSyslog true in /etc/clamav/clamd.conf .  Wazuh reads by default said file, so no further work is needed.

2º Read from ClamAV's default log file(/var/log/clamav/freshclam.log)

If for whatever reason you don't want to enable Syslog, Wazuh can decode other files as long as they use Syslog format, such as freshclam.log. Just write the following lines in the agent's configuration file(/var/ossec/etc/ossec.conf):

<localfile>
<log_format>syslog</log_format>
<location>/var/log/clamav/freshclam.log</location>
</localfile>

Hope it helps,

Fernando