Request for Guidance on ClamAV Integration with Wazuh for Malware Detection

YASHWANTH S

Feb 27, 2026, 12:18:11 AM (6 days ago) Feb 27
to Wazuh | Mailing List

Hi Wazuh Team,

We have been extensively using Wazuh for its File Integrity Monitoring (FIM) capabilities across our enterprise environment.

Currently, we are working on integrating ClamAV with Wazuh to detect malicious files on our servers. We have successfully installed ClamAV and are able to see its service status reflected in the Wazuh dashboard. However, malicious file detections are not appearing in the dashboard as expected.

Our objective is to use ClamAV as an alternative to the VirusTotal integration. With VirusTotal, every file under the monitored directories is scanned and compared against the VirusTotal database repeatedly. Since we monitor paths generated through Jenkins build processes, the same files are recreated frequently and scanned multiple times, leading to excessive and repetitive log generation.

In contrast, ClamAV performs real-time malware detection and only flags files that are actually malicious, without repeatedly scanning unchanged files. This behavior aligns better with our operational requirements and helps reduce unnecessary log volume.

Could you please provide detailed guidance or best practices for properly integrating ClamAV with Wazuh so that malware detections are accurately reflected in the Wazuh dashboard? Specifically, we would appreciate:

  • Recommended integration method (e.g., log-based integration, active response, or custom rules)

  • Sample configuration for Wazuh agent and manager

  • Any required decoders or rules to parse ClamAV alerts

  • Dashboard configuration steps to visualize detected malicious files

Your support and detailed documentation references would be greatly appreciated.

Thank you in advance for your assistance.

Best regards,
Yashwanth 

Himanshu Sharma

Feb 27, 2026, 12:55:10 AM (6 days ago) Feb 27
to Wazuh | Mailing List

Hi Team,

Wazuh detects malicious files through integration with ClamAV, a free and open-source antimalware engine for detecting various types of malware, including viruses and trojans.

You can configure ClamAV and collect its logs from Linux and Windows endpoints. To collect ClamAV logs from Linux endpoints:

  1. Open the configuration file:

     /etc/clamav/clamd.conf

  2. Uncomment the following line (remove the # at the beginning):

     LogSyslog true

This will forward ClamAV logs to the system log at /var/log/syslog, which is already monitored by the Wazuh agent. No further changes are required.

If you're unable to find the logs being forwarded to the Wazuh manager, you can enable log reading directly from the Wazuh agent by adding the following configuration to the ossec.conf file located at /var/ossec/etc/ossec.conf

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog</location>
</localfile>

Please restart the Wazuh agent after adding the configuration using the command given below:

systemctl restart wazuh-agent

Wazuh has decoders for ClamAV logs out-of-the-box. Therefore, you don’t need to create any decoders for these logs. The decoders and rules are in place to process ClamAV logs, so we don't need to create custom rules and decoders.

  • Decoder file: 0075-clamav_decoders.xml

  • Rules file: 0320-clam_av_rules.xml

Reference:

ClamAV logs collection - Malware detection · Wazuh documentation
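As an added illustration of what the reply above relies on (this is example code written for this thread, not Wazuh's or ClamAV's own code): once LogSyslog is on, clamd writes its detections to syslog as lines of the form "clamd[pid]: /path/to/file: Signature FOUND", and the Wazuh decoder only has to pull the path and signature out of that message. The script below does that extraction on constructed sample syslog lines (not captured from a real host), ignores non-detection clamd chatter such as SelfCheck messages, and, since the original question was about rebuilt Jenkins artefacts being scanned again and again, also collapses repeated hits on the same path into one entry with a count. The syslog layout and the FOUND message format are assumptions based on ClamAV's documented log output.

```python
"""Extract ClamAV detections from syslog lines, roughly as a Wazuh decoder would.

Added example, not Wazuh's or ClamAV's own code. It assumes ClamAV runs with
``LogSyslog true`` so clamd writes lines such as
``clamd[1234]: /path/file: Signature FOUND`` into /var/log/syslog. The sample
lines below are constructed for illustration, not captured from a real host.
"""
import re
from collections import Counter

# Classic syslog prefix: "<Mon dd HH:MM:SS> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[\w.-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# clamd / clamscan detection message: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<signature>\S+) FOUND$")

# Program names ClamAV components log under (assumed set for this example).
CLAMAV_PROGRAMS = {"clamd", "clamscan", "clamdscan"}

# Constructed sample syslog lines (not from a real system).
SAMPLE_LOG = """\
Feb 27 00:10:01 build01 clamd[1234]: SelfCheck: Database status OK.
Feb 27 00:12:45 build01 clamd[1234]: /var/lib/jenkins/workspace/app/build/eicar.com: Win.Test.EICAR_HDB-1 FOUND
Feb 27 00:12:46 build01 clamd[1234]: /var/lib/jenkins/workspace/app/build/tool.exe: Win.Trojan.Generic-123 FOUND
Feb 27 00:13:00 build01 sshd[999]: Accepted publickey for jenkins from 10.0.0.5 port 51234 ssh2
Feb 27 00:20:45 build01 clamd[1234]: /var/lib/jenkins/workspace/app/build/eicar.com: Win.Test.EICAR_HDB-1 FOUND
"""


def decode_clamav(line):
    """Return the fields of a ClamAV detection line as a dict
    (timestamp, host, program, path, signature), or None for any line
    that is not a ClamAV "FOUND" event."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group("program") not in CLAMAV_PROGRAMS:
        return None
    f = FOUND_RE.match(m.group("msg"))
    if not f:
        return None  # SelfCheck, database reloads, etc. are not detections
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "program": m.group("program"),
        "path": f.group("path"),
        "signature": f.group("signature"),
    }


def detections(log_text):
    """All ClamAV detection events in a block of syslog text, in log order."""
    return [d for d in (decode_clamav(ln) for ln in log_text.splitlines()) if d]


def unique_infected_files(log_text):
    """Collapse repeated hits on the same path (rebuilt build artefacts get
    rescanned) into one entry per path with a hit count, so a dashboard
    or a downstream rule can be keyed on the file rather than on every rescan."""
    return dict(Counter(d["path"] for d in detections(log_text)))


if __name__ == "__main__":
    for d in detections(SAMPLE_LOG):
        print(f"{d['timestamp']} {d['host']} {d['path']} -> {d['signature']}")
    print(unique_infected_files(SAMPLE_LOG))
```

Running it against the constructed sample yields three detection events but only two distinct infected paths, which is the kind of per-file view that keeps repeated rescans of the same Jenkins output from flooding the alert stream.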
