Wazuh ClamAV Windows Logs


Max

Jan 16, 2026, 6:59:28 AM
to Wazuh | Mailing List
Hi everyone,

I need help with the creation of custom decoders and rules for ClamAV logs coming from a Windows endpoint.

For now, the base decoder and rule for ClamAV are only for Linux.

I attached an example log for freshclam.

Thank you and best regards,
Max
Freshclamlog.txt

Chukwudalu Chisimdi Okonkwo

Jan 16, 2026, 11:42:11 AM
to Wazuh | Mailing List
Hello Max,

I have received the log files and will work on them ASAP.

Chukwudalu Chisimdi Okonkwo

Jan 16, 2026, 11:54:47 AM
to Wazuh | Mailing List
Hello Max,

Thank you for sharing these ClamAV logs. Having reviewed them, I can say these are Operational Logs demonstrating excellent proof that the ClamAV engine is healthy and successfully checking for signature updates, which is great.

However, from a threat-monitoring perspective, these entries are informational rather than actionable because they don't contain security-specific data (like file scan results, malware hits, or service failures) and they can't be used to correlate an attack or alert on suspicious behaviour. If you have other log samples containing these, I can assist with the creation of the decoder and rules if needed.

Do let me know how you would like to proceed with this.