Mailing List Archive

[clamav-users] Setting up logrotation
I'm running clamav as a daemon on a fedora and basically keep it running
24/7 except for an occasional update every now and then. I want the main
clamd log to rotate and have the LogFileMaxSize set to some small amount
for testing purposes and LogRotate set to yes. I had no prior experience
with any log rotation and here I learned that just these settings alone
won't suffice to get the logs to rotate. Correct me if I'm wrong, but I
think I have to set up a script to /etc/logrotate.d/ as well. In
/etc/logrotate.d/ the only clamav related file is called "clamav-update",
though. Nothing clamd related. I'm pretty lost with the whole log rotation
thing as I can't understand the connection between the scan.conf settings
and the inbuilt logrotate on my fedora.

If possible I want to be able to keep running clamd without interruption
while rotating logs when they get too big. How can I achieve this? What
configurations do I have to do? What scripts do I have to set up? How can I
affect the names of the stored logs?

Sorry for such a messy question, I'm really lost with this log rotation
thing and I think I'd need someone to walk me through the whole process.

Thanks!
Re: [clamav-users] Setting up logrotation
Log rotation done by clamav is totally separate from your system's log
rotation that is done by a cronjob...

Unless you are doing some serious debugging, there isn't a lot that is
written to the clamd & freshclam log files...

My daily clamd.log is maybe 2 KB, and freshclam.log maybe around 20 KB...

I've never used the internal ClamAV log rotation feature, but if you
want to create a file in your /etc/logrotate.d directory you can do
something like this:

For clamd:

/var/log/clamav/clamd.log {
    missingok
    notifempty
    daily
    compress
    create 644 clam clam
    postrotate
        killall -HUP clamd 2>/dev/null || :
    endscript
}

For freshclam (note: I run via cron job, not daemon):

/var/log/clamav/freshclam.log {
    missingok
    notifempty
    daily
    compress
    create 644 clam clam
}

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Setting up logrotation
Hi there,

On Tue, 24 Sep 2019, Lars ?hman wrote:

> I'm running clamav as a daemon on a fedora and basically keep it running
> 24/7 except for an occasional update every now and then.

It isn't clear to me from what you've written that you know what the
ClamAV daemon (clamd) actually does. Do you?

> I want the main clamd log to rotate and have the LogFileMaxSize set
> to some small amount for testing purposes and LogRotate set to
> yes. I had no prior experience with any log rotation and here I
> learned that just these settings alone won't suffice to get the logs
> to rotate. Correct me if I'm wrong, but I think I have to set up a
> script to /etc/logrotate.d/ as well.

You stand corrected. :/

Log rotation can be done EITHER by the logrotate system (which usually
uses /etc/logrotate.conf and the files in /etc/logrotate.d) OR by some
other system (such as, in this case, a package which provides clamd).
You do not want both of them trying to do it, and IMO it's better to
leave things like that to the logrotate system - which already rotates
a lot of logs for you. Simply don't set the logrotate configuration
option in clamd.conf (or set it to 'no' which is the default) and then
set up a logrotate configuration by creating a file in /etc/logrotate.d/
like J.R. suggested. (In clamd.conf, that is, if you actually have a
clamd.conf - but we'll look at that later.)

But it gets worse: you can tell clamd to log to a file, or you can
tell it to use what we call 'syslog' instead. The more experienced
administrators tend to use syslog because it offers quite a bit more
flexibility than is usually available from just writing to a file,
including being able to log to remote systems and choosing what kind
of messages to log and what to ignore. There's more than one syslog
daemon that you can use too; I prefer syslog-ng, but let's not get
ahead of ourselves. The downside is a little more configuration but
it really is worth getting used to syslog-style logging.

You can log both to a file *and* through syslog, but most of the time
that would just be a waste of CPU and storage.

For your introduction to all this I suggest you avoid syslog just now,
tell clamd to log to a file, and tell the logrotate system to do what
it does best by using a snippet like one posted by J.R.

> In /etc/logrotate.d/ the only clamav related file is called
> "clamav-update", though.

Not being familiar with how RedHat does things, I'll guess that this
is for the 'freshclam' logs. The databases are normally updated by
the 'freshclam' utility, but they don't have to be. It will usually
be configured to log things when it runs.

> Nothing clamd related. I'm pretty lost with the whole log rotation
> thing as I can't understand the connection between the scan.conf
> settings and the inbuilt logrotate on my fedora.

I can't help you with 'scan.conf' because I don't know what it is,
I've never seen a file of that name. It doesn't come with ClamAV
when you get the original sources from clamav.net. I'd hope that
whoever created it also documented it somewhere. Normally I would
expect a file called 'clamd.conf' for the clamd configuration. It
doesn't have to be called that name, but it normally is. If it is
called something else then you can tell clamd on its command line,
see

man clamd

for more information about that.

> If possible I want to be able to keep running clamd without
> interruption while rotating logs when they get too big.

That's the way it's normally done. There's one issue to address: when
the log files are rotated, the thing that's logging has to be told
either to close and re-open its log file (so that it starts writing to
the new, empty file instead of carrying on writing to the old one
which now has a different name) or, if it can't do that, simply to
shut down and restart so that it will find the new, empty file anyway.
Logrotate sends a signal to the thing that's logging to tell it to do
this. You'll note that JR showed a second snippet for freshclam logs,
and he mentioned that he runs freshclam from cron, not as a daemon.
A daemon would need to be told to close and re-open its log after
rotation, but as JR runs his database update process on a schedule
from cron, freshclam shuts down after every update and closes its log
file so that instruction isn't necessary. Incidentally the logrotate
system runs on a schedule from cron (or something like it) as well.
See

man cron

and

man crontab

Please do note that where JR gets his logs to be written might not be
the same places that you will get yours to be written, so the snippets
are really just templates to give you an idea of what's needed.

> How can I achieve this? What configurations do I have to do? What
> scripts do I have to set up? How can I affect the names of the
> stored logs?

The first three questions should be answered by typing

man logrotate

on your system. But as this is what we call a 'man' page it will be
very terse information and you might need more help with it. Give it
a go and see how you get on. Your last question is answered in the
clamd configuration file. I would expect it to be called 'clamd.conf'
and on any sane system there's a man page for that too:

man clamd.conf

If your 'scan.conf' somehow replaces or augments 'clamd.conf', and if
there's no man page for scan.conf, then I think you might need help
from someone more familiar with how RedHat has, er, set things up.

Are you actually going to read these logs?

Have to dash now, hope I didn't skip/mess up too much in my hurry.

--

73,
Ged.

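The mechanics that J.R.'s logrotate snippet relies on (rename the file, `create 644` a fresh one, run `postrotate` to HUP the daemon, then compress) and the point Ged makes about the logging process having to close and reopen its file can be watched in a small stand-alone simulation. This is an added example, not code from the thread, from ClamAV or from logrotate: the `FileLogger` class is a hypothetical stand-in for clamd writing to a `LogFile`, its `reopen()` is called directly where a real setup would deliver SIGHUP, the `rotate()` function re-implements only the handful of directives in the snippet, and all paths are constructed under a temporary directory.

```python
import gzip
import os
import shutil
import tempfile


class FileLogger:
    """Hypothetical stand-in for a daemon (clamd) that keeps its log file open.

    The daemon writes to a file descriptor, i.e. to an inode, not to a name.
    After logrotate renames the file, writes keep landing in the old inode
    until the daemon closes and reopens the path (what clamd does on SIGHUP).
    """

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")

    def log(self, line):
        self.fh.write(line + "\n")
        self.fh.flush()

    def reopen(self):
        # Equivalent of the daemon handling 'killall -HUP clamd'.
        self.fh.close()
        self.fh = open(self.path, "a")

    def close(self):
        self.fh.close()


def rotate(path, rotate_count=4, compress=True, mode=0o644, postrotate=None):
    """Imitate the snippet: missingok, notifempty, compress, create, postrotate.

    Returns the archive name the old contents ended up under, or None if the
    rotation was skipped. Archive naming follows logrotate's default numeric
    scheme (clamd.log.1.gz, clamd.log.2.gz, ...).
    """
    if not os.path.exists(path):                     # missingok
        return None
    if os.path.getsize(path) == 0:                   # notifempty
        return None
    suffix = ".gz" if compress else ""
    # Shift older archives up one slot; the oldest one falls off the end.
    for n in range(rotate_count, 0, -1):
        old = f"{path}.{n}{suffix}"
        if not os.path.exists(old):
            continue
        if n == rotate_count:
            os.remove(old)
        else:
            os.rename(old, f"{path}.{n + 1}{suffix}")
    os.rename(path, f"{path}.1")                     # same inode, new name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.close(fd)
    os.chmod(path, mode)                             # 'create 644' regardless of umask
    if postrotate:                                   # 'postrotate ... endscript'
        postrotate()
    if compress:                                     # compression happens after postrotate
        with open(f"{path}.1", "rb") as src, gzip.open(f"{path}.1.gz", "wb") as dst:
            shutil.copyfileobj(src, dst)
        os.remove(f"{path}.1")
        return f"{path}.1.gz"
    return f"{path}.1"


def read_archive(name):
    opener = gzip.open if name.endswith(".gz") else open
    with opener(name, "rt") as fh:
        return fh.read()


def demo(workdir):
    """Rotate once without a postrotate step, once with. Returns what each file holds."""
    log = os.path.join(workdir, "clamd.log")
    daemon = FileLogger(log)
    daemon.log("line 1: before any rotation")

    # Rotation 1: no postrotate. The daemon still holds the old inode, which
    # rotate() compressed and unlinked, so line 2 is written into an unlinked
    # inode and is lost; the fresh clamd.log stays empty.
    rotate(log, postrotate=None)
    daemon.log("line 2: after rotation, daemon not told to reopen")
    fresh_empty = os.path.getsize(log) == 0
    archives = [f for f in os.listdir(workdir) if f.startswith("clamd.log.")]
    line2_recoverable = any(
        "line 2" in read_archive(os.path.join(workdir, f)) for f in archives
    ) or "line 2" in open(log).read()

    daemon.reopen()                     # the blunt remedy: restart or HUP by hand
    daemon.log("line 3: after manual reopen")

    # Rotation 2: postrotate tells the daemon to reopen, so line 4 lands in
    # the new clamd.log and line 3 is preserved in clamd.log.1.gz.
    rotate(log, postrotate=daemon.reopen)
    daemon.log("line 4: after rotation with postrotate")
    daemon.close()

    return {
        "fresh_log_empty_after_bad_rotation": fresh_empty,
        "line2_recoverable": line2_recoverable,
        "current": open(log).read(),
        "archives": sorted(f for f in os.listdir(workdir) if f.startswith("clamd.log.")),
        "archive_1": read_archive(log + ".1.gz"),
        "archive_2": read_archive(log + ".2.gz"),
        "mode": oct(os.stat(log).st_mode & 0o777),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for key, value in demo(d).items():
            print(f"{key}: {value!r}")
```

Against a real config the equivalent dry run is `logrotate -d /etc/logrotate.d/clamd`, which prints what would happen without touching any file; the rotated names come out as `clamd.log.1.gz`, `clamd.log.2.gz` and so on with `compress`, or with a date suffix if the `dateext` directive is added. If the daemon cannot be signalled in `postrotate`, `delaycompress` keeps the most recent archive uncompressed for one cycle so stray writes into the old inode are not lost the way line 2 is above.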