Mailing List Archive

Hi there,

On Tue, 22 Oct 2019, Frans de Boer wrote:

> Does anybody knows how to make the log output of the ClamAV daemons the same
> as normal log's. That is, with an ISO date, followed by host name,
> program/daemon name and concluding with the real message.

That's normally done by syslog (or equivalent: rsyslog, syslog-ng, ...)
so if you tell the daemon to log via syslog it should be taken care of
for you.

If you're very fussy about the date format you may need to do a little
work, but remember that there's a *lot* of code Out There which parses
the 'standard' Unix-style logs and if you move away from that format
it may come back to bite you later on.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On 22-10-2019 22:33, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Tue, 22 Oct 2019, Frans de Boer wrote:
>
>> Does anybody knows how to make the log output of the ClamAV daemons
>> the same as normal log's. That is, with an ISO date, followed by host
>> name, program/daemon name and concluding with the real message.
>
> That's normally done by syslog (or equivalent: rsyslog, syslog-ng, ...)
> so if you tell the daemon to log via syslog it should be taken care of
> for you.
>
> If you're very fussy about the date format you may need to do a little
> work, but remember that there's a *lot* of code Out There which parses
> the 'standard' Unix-style logs and if you move away from that format
> it may come back to bite you later on.
>
Nope, 0.102.0 for instance does not pass the program name. I only get
the '->' characters.

I use to output to individual files, but now I have to use syslog-ng to
capture and filter out unwanted messages of the new clamAV suite.
However, I have to know that a message is indeed coming for one of the
components and not say systemd or others.

I know that I can transform the date into an ISO date and add the host
myself. But having only -> does not tell me if the data came from clamd,
freshclamd or clamonacc.

--- Frans.




_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Hi there,

On Wed, 23 Oct 2019, Frans de Boer wrote:
> On 22-10-2019 22:33, G.W. Haywood via clamav-users wrote:
>> On Tue, 22 Oct 2019, Frans de Boer wrote:
>>
>>> Does anybody knows how to make the log output of the ClamAV daemons the
>>> same as normal log's. That is, with an ISO date, followed by host name,
>>> program/daemon name and concluding with the real message.
>>
>> That's normally done by syslog (or equivalent: rsyslog, syslog-ng, ...)
>> so if you tell the daemon to log via syslog it should be taken care of
>> for you.
>>
> Nope, 0.102.0 for instance does not pass the program name. I only get the
> '->' characters.

Below is the debug log from your mail as it came in today. The lines
are very long I'm afraid, if your mail client does silly things with
them then they all begin with the date and time. The line from the
clamd scan result is approximately in the middle. This is 0.102rc.

8<--------------------------------------------------------------------------------------------------------------------------------------------
Oct 23 14:05:05 mail6 xm[18320] x9ND4sM7022360: xm_eoh_callback(): [192.34.61.247], [AS14061], return [SMFIS_CONTINUE]
Oct 23 14:05:06 mail6 xm[18320] x9ND4sM7022360: xm_stats(): [192.34.61.247] +++++++ END EOH CALLBACK +++++++
Oct 23 14:05:06 mail6 xm[18320] x9ND4sM7022360: xm_body_callback(464) : [192.34.61.247] + chunk length: [1618]
Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add: header: X-Originating-Country: US
Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add: header: X-AS-Number: AS14061 ([DIGITALOCEAN, LLC] [US] [192.34.61.247])
Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter insert (0): header: Received-SPF: pass (mail6.jubileegroup.co.uk: lists.clamav.net: 192.34.61.247 is authorized to use 'clamav-users-bounces@lists.clamav.net' in 'mfrom' identity (mechanism 'mx' matched) client-ip=192.34.61.247; helo=mailmanlists.network)
Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add: header: X-SPF-hello: pass ([mailmanlists.network]=[v=spf1 mx a ip4:192.34.61.247 ip6:2604:A880:400:D0::C0E:2001 ~all])\n\t( DNS lookups=[2] void lookups=[0])
Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add: header: X-SPF-mfrom: pass ([lists.clamav.net]=[v=spf1 mx a ip4:192.34.61.247 ip6:2604:A880:400:D0::C0E:2001 ~all])\n\t( DNS lookups=[2] void lookups=[0])
Oct 23 14:05:06 mail6 xm[18320] x9ND4sM7022360: xm_greylist_interval(): [192.34.61.247] Rejection rate is [ 310/ 726]=[ 42.70] percent for [AS14061]
Oct 23 14:05:06 mail6 xm[18320] x9ND4sM7022360: xm_eom_callback(464) : [192.34.61.247] not greylisting WHITELISTED IP
Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add: header: X-Greylist-Delay: WHITELISTED IP [192.34.61.247], transport not delayed by extensible-milter-6.842
Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add: header: X-DKIM-auth: none ([2019-10-23 13:05:06Z mail6.jubileegroup.co.uk] [result=No DKIM signature found in message])
Oct 23 14:05:06 mail6 xm[18320] x9ND4sM7022360: xm_scan(9600) : [192.34.61.247], Connnecting to ClamAV daemon on [192.168.44.47:3313]...
Oct 23 14:05:06 mail6 xm[18320] x9ND4sM7022360: xm_scan(9600) : [192.34.61.247], Connnected to ClamAV daemon (version [ClamAV 0.102.0-rc/25597/Wed Oct 9 09:39:14 2019]
Oct 23 14:05:06 mail6 xm[18320] x9ND4sM7022360: xm_scan(9600) : [192.34.61.247], Attempting to send [4446] bytes to ClamAV daemon from entire_message...
Oct 23 14:05:06 mail6 xm[18320] x9ND4sM7022360: xm_scan(9600) : [192.34.61.247], Sent [4446] bytes to clamd...
Oct 23 14:05:07 tornado clamd[10873]: instream(192.168.44.25@59038): OK
Oct 23 14:05:07 mail6 xm[18320] x9ND4sM7022360: xm_scan(9600) : [192.34.61.247], clamd on IP [192.168.44.47] port [3313] replied [stream: OK]
Oct 23 14:05:07 mail6 xm[18320] x9ND4sM7022360: xm_scan(9600) : [192.34.61.247], clamd on IP [192.168.44.47] port [3313] scanned [4446] bytes in [0.195] seconds (22.819 kbytes/sec), nothing found in entire_message
Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM8022360: Milter add: header: X-Scanned-OK: extensible-milter version 6.842 using ClamAV version [ClamAV 0.102.0-rc/25597/Wed Oct 9 09:39:14 2019], clamd on IP [192.168.44.47] port [3313], [4446] bytes in [0.652s] at 2019-10-23 13:05:07Z
Oct 23 14:05:07 mail6 xm[18320] x9ND4sM7022360: xm_scripts(): [192.34.61.247] [eom] [ 56] MATCH (CONTINUE) eval(reciprule at line [ 219]) time [0.056393s] [return "CONTINUE" if(!(xm_blacklisted_envfrom($priv_data))...]
Oct 23 14:05:07 mail6 xm[18320] x9ND4sM7022360: xm_eom_callback(): [192.34.61.247], [AS14061], return [SMFIS_CONTINUE]
Oct 23 14:05:07 mail6 xm[18320] x9ND4sM7022360: xm_stats(): [192.34.61.247] +++++++ END EOM CALLBACK +++++++
Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM8022360: --- 250 2.0.0 x9ND4sM8022360 Message accepted for delivery
Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM9022360: <-- QUIT
Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM9022360: --- 221 2.0.0 mail6.jubileegroup.co.uk closing connection
Oct 23 14:05:07 mail6 xm[18320] x9ND4sM7022360: xm_close_callback(): [192.34.61.247] now has [0] open connections to MTA
Oct 23 14:05:07 mail6 xm[18320] x9ND4sM7022360: xm_close_callback(): [192.34.61.247], [AS14061], return [IGNORED_BY_SENDMAIL] [52]
Oct 23 14:05:09 mail6 xm[18320] x9ND4sM7022360: xm_log_endex_message(): [192.34.61.247] +ENDEX US =AS14061 0m 14.51s connect,260 mailmanlists.network P clamav@
Oct 23 14:05:09 mail6 xm[18320] x9ND4sM7022360: xm_stats(): [192.34.61.247] +++++++ END CLOSE CALLBACK +++++++
Oct 23 14:05:22 mail6 clamd[22369] on tornado: Pong
Oct 23 14:06:22 mail6 clamd[22412] on tornado: Pong
Oct 23 14:07:23 mail6 clamd[22430] on tornado: Pong
Oct 23 14:08:22 mail6 clamd[22448] on tornado: Pong
8<--------------------------------------------------------------------------------------------------------------------------------------------

I wonder if we should compare some configurations?

Below I give the relevant part of the configuration file for the clamd
daemon which logged the line in the above log extract which reads:

"Oct 23 14:05:07 tornado clamd[10873]: instream(192.168.44.25@59038): OK"

8<----------------------------------------------------------------------
# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
LogFacility LOG_MAIL
8<----------------------------------------------------------------------

Does that help?

I'm afraid the logging daemon configuration probably won't help you
because the logging server here happens to be running rsyslog. If it
matters, the times are all BST (+0100).

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On 23-10-2019 16:08, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Wed, 23 Oct 2019, Frans de Boer wrote:
>> On 22-10-2019 22:33, G.W. Haywood via clamav-users wrote:
>>> On Tue, 22 Oct 2019, Frans de Boer wrote:
>>>
>>>> Does anybody knows how to make the log output of the ClamAV daemons
>>>> the same as normal log's. That is, with an ISO date, followed by
>>>> host name, program/daemon name and concluding with the real message.
>>>
>>> That's normally done by syslog (or equivalent: rsyslog, syslog-ng, ...)
>>> so if you tell the daemon to log via syslog it should be taken care of
>>> for you.
>>>
>> Nope, 0.102.0 for instance does not pass the program name. I only get
>> the '->' characters.
>
> Below is the debug log from your mail as it came in today.  The lines
> are very long I'm afraid, if your mail client does silly things with
> them then they all begin with the date and time.  The line from the
> clamd scan result is approximately in the middle.  This is 0.102rc.
>
> 8<--------------------------------------------------------------------------------------------------------------------------------------------
>
> Oct 23 14:05:05 mail6 xm[18320]   x9ND4sM7022360: xm_eoh_callback():
> [192.34.61.247], [AS14061], return [SMFIS_CONTINUE]
> Oct 23 14:05:06 mail6 xm[18320] x9ND4sM7022360:                   
> xm_stats(): [192.34.61.247] +++++++ END EOH CALLBACK +++++++
> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360:
> xm_body_callback(464)  : [192.34.61.247]  + chunk length: [1618]
> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
> header: X-Originating-Country: US
> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
> header: X-AS-Number: AS14061 ([DIGITALOCEAN, LLC] [US] [192.34.61.247])
> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter insert (0):
> header: Received-SPF: pass (mail6.jubileegroup.co.uk:
> lists.clamav.net: 192.34.61.247 is authorized to use
> 'clamav-users-bounces@lists.clamav.net' in 'mfrom' identity (mechanism
> 'mx' matched) client-ip=192.34.61.247; helo=mailmanlists.network)
> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
> header: X-SPF-hello: pass ([mailmanlists.network]=[v=spf1 mx a
> ip4:192.34.61.247 ip6:2604:A880:400:D0::C0E:2001 ~all])\n\t( DNS
> lookups=[2] void lookups=[0])
> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
> header: X-SPF-mfrom: pass ([lists.clamav.net]=[v=spf1 mx a
> ip4:192.34.61.247 ip6:2604:A880:400:D0::C0E:2001 ~all])\n\t( DNS
> lookups=[2] void lookups=[0])
> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360:
> xm_greylist_interval(): [192.34.61.247] Rejection rate is [ 310/
> 726]=[ 42.70] percent for [AS14061]
> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360:
> xm_eom_callback(464)  : [192.34.61.247] not greylisting WHITELISTED IP
> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
> header: X-Greylist-Delay: WHITELISTED IP [192.34.61.247], transport
> not delayed by extensible-milter-6.842
> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
> header: X-DKIM-auth: none ([2019-10-23 13:05:06Z
> mail6.jubileegroup.co.uk] [result=No DKIM signature found in message])
> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600)  :
> [192.34.61.247], Connnecting to ClamAV daemon on [192.168.44.47:3313]...
> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600)  :
> [192.34.61.247], Connnected to ClamAV daemon (version [ClamAV
> 0.102.0-rc/25597/Wed Oct  9 09:39:14 2019]
> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600)  :
> [192.34.61.247], Attempting to send [4446] bytes to ClamAV daemon from
> entire_message...
> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600)  :
> [192.34.61.247], Sent [4446] bytes to clamd...
> Oct 23 14:05:07 tornado clamd[10873]: instream(192.168.44.25@59038): OK
> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600)  :
> [192.34.61.247], clamd on IP [192.168.44.47] port [3313] replied
> [stream: OK]
> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600)  :
> [192.34.61.247], clamd on IP [192.168.44.47] port [3313] scanned
> [4446] bytes in [0.195] seconds (22.819 kbytes/sec), nothing found in
> entire_message
> Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
> header: X-Scanned-OK: extensible-milter version 6.842 using ClamAV
> version [ClamAV 0.102.0-rc/25597/Wed Oct  9 09:39:14 2019], clamd on
> IP [192.168.44.47] port [3313], [4446] bytes in [0.652s] at 2019-10-23
> 13:05:07Z
> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360: xm_scripts():
> [192.34.61.247] [eom] [ 56] MATCH (CONTINUE) eval(reciprule at line [
> 219]) time [0.056393s] [return "CONTINUE"
> if(!(xm_blacklisted_envfrom($priv_data))...]
> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360: xm_eom_callback():
> [192.34.61.247], [AS14061], return [SMFIS_CONTINUE]
> Oct 23 14:05:07 mail6 xm[18320] x9ND4sM7022360:                   
> xm_stats(): [192.34.61.247] +++++++ END EOM CALLBACK +++++++
> Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM8022360: --- 250 2.0.0
> x9ND4sM8022360 Message accepted for delivery
> Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM9022360: <-- QUIT
> Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM9022360: --- 221 2.0.0
> mail6.jubileegroup.co.uk closing connection
> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360: xm_close_callback():
> [192.34.61.247] now has [0] open connections to MTA
> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360: xm_close_callback():
> [192.34.61.247], [AS14061], return [IGNORED_BY_SENDMAIL] [52]
> Oct 23 14:05:09 mail6 xm[18320]   x9ND4sM7022360:
> xm_log_endex_message(): [192.34.61.247] +ENDEX US =AS14061 0m 14.51s
> connect,260 mailmanlists.network P clamav@
> Oct 23 14:05:09 mail6 xm[18320] x9ND4sM7022360:                   
> xm_stats(): [192.34.61.247] +++++++ END CLOSE CALLBACK +++++++
> Oct 23 14:05:22 mail6 clamd[22369] on tornado: Pong
> Oct 23 14:06:22 mail6 clamd[22412] on tornado: Pong
> Oct 23 14:07:23 mail6 clamd[22430] on tornado: Pong
> Oct 23 14:08:22 mail6 clamd[22448] on tornado: Pong
> 8<--------------------------------------------------------------------------------------------------------------------------------------------
>
>
> I wonder if we should compare some configurations?
>
> Below I give the relevant part of the configuration file for the clamd
> daemon which logged the line in the above log extract which reads:
>
> "Oct 23 14:05:07 tornado clamd[10873]: instream(192.168.44.25@59038): OK"
>
> 8<----------------------------------------------------------------------
> # Use system logger (can work together with LogFile).
> # Default: no
> LogSyslog yes
> # Specify the type of syslog messages - please refer to 'man syslog'
> # for facility names.
> # Default: LOG_LOCAL6
> LogFacility LOG_MAIL
> 8<----------------------------------------------------------------------
>
> Does that help?
>
> I'm afraid the logging daemon configuration probably won't help you
> because the logging server here happens to be running rsyslog.  If it
> matters, the times are all BST (+0100).
>
The thing is, I do use 0.102.0 on my mail server with direct output to
the clamd.log file. However, this is another matter on one of my
workstations (see also the discussion at 17/10; clamonacc behaviour). It
involves files/directories which are created but removed before
clamonacc has passed the scan request to clamd.

I did leave the default for LogFacility and output to syslog, just like
you did.
I switched from rsyslog to syslog-ng because of the uncomprehensible
coding used in rsyslog.

Also a remark: I noticed you used 0.102.0-rc, I used the released
version. Your listing shows the programs name, mine not. That's what
makes it difficult to filter the correct messages.

Anyhow, I will setup things again in the next days and try again, just
to see if I made a mistake somewhere.

To be continued...
Frans.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On 23-10-2019 20:35, Frans de Boer wrote:
> On 23-10-2019 16:08, G.W. Haywood via clamav-users wrote:
>> Hi there,
>>
>> On Wed, 23 Oct 2019, Frans de Boer wrote:
>>> On 22-10-2019 22:33, G.W. Haywood via clamav-users wrote:
>>>> On Tue, 22 Oct 2019, Frans de Boer wrote:
>>>>
>>>>> Does anybody knows how to make the log output of the ClamAV
>>>>> daemons the same as normal log's. That is, with an ISO date,
>>>>> followed by host name, program/daemon name and concluding with the
>>>>> real message.
>>>>
>>>> That's normally done by syslog (or equivalent: rsyslog, syslog-ng,
>>>> ...)
>>>> so if you tell the daemon to log via syslog it should be taken care of
>>>> for you.
>>>>
>>> Nope, 0.102.0 for instance does not pass the program name. I only
>>> get the '->' characters.
>>
>> Below is the debug log from your mail as it came in today.  The lines
>> are very long I'm afraid, if your mail client does silly things with
>> them then they all begin with the date and time.  The line from the
>> clamd scan result is approximately in the middle.  This is 0.102rc.
>>
>> 8<--------------------------------------------------------------------------------------------------------------------------------------------
>>
>> Oct 23 14:05:05 mail6 xm[18320]   x9ND4sM7022360: xm_eoh_callback():
>> [192.34.61.247], [AS14061], return [SMFIS_CONTINUE]
>> Oct 23 14:05:06 mail6 xm[18320] x9ND4sM7022360:                   
>> xm_stats(): [192.34.61.247] +++++++ END EOH CALLBACK +++++++
>> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360:
>> xm_body_callback(464)  : [192.34.61.247]  + chunk length: [1618]
>> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
>> header: X-Originating-Country: US
>> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
>> header: X-AS-Number: AS14061 ([DIGITALOCEAN, LLC] [US] [192.34.61.247])
>> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter insert
>> (0): header: Received-SPF: pass (mail6.jubileegroup.co.uk:
>> lists.clamav.net: 192.34.61.247 is authorized to use
>> 'clamav-users-bounces@lists.clamav.net' in 'mfrom' identity
>> (mechanism 'mx' matched) client-ip=192.34.61.247;
>> helo=mailmanlists.network)
>> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
>> header: X-SPF-hello: pass ([mailmanlists.network]=[v=spf1 mx a
>> ip4:192.34.61.247 ip6:2604:A880:400:D0::C0E:2001 ~all])\n\t( DNS
>> lookups=[2] void lookups=[0])
>> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
>> header: X-SPF-mfrom: pass ([lists.clamav.net]=[v=spf1 mx a
>> ip4:192.34.61.247 ip6:2604:A880:400:D0::C0E:2001 ~all])\n\t( DNS
>> lookups=[2] void lookups=[0])
>> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360:
>> xm_greylist_interval(): [192.34.61.247] Rejection rate is [ 310/
>> 726]=[ 42.70] percent for [AS14061]
>> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360:
>> xm_eom_callback(464)  : [192.34.61.247] not greylisting WHITELISTED IP
>> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
>> header: X-Greylist-Delay: WHITELISTED IP [192.34.61.247], transport
>> not delayed by extensible-milter-6.842
>> Oct 23 14:05:06 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
>> header: X-DKIM-auth: none ([2019-10-23 13:05:06Z
>> mail6.jubileegroup.co.uk] [result=No DKIM signature found in message])
>> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600) :
>> [192.34.61.247], Connnecting to ClamAV daemon on [192.168.44.47:3313]...
>> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600) :
>> [192.34.61.247], Connnected to ClamAV daemon (version [ClamAV
>> 0.102.0-rc/25597/Wed Oct  9 09:39:14 2019]
>> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600) :
>> [192.34.61.247], Attempting to send [4446] bytes to ClamAV daemon
>> from entire_message...
>> Oct 23 14:05:06 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600) :
>> [192.34.61.247], Sent [4446] bytes to clamd...
>> Oct 23 14:05:07 tornado clamd[10873]: instream(192.168.44.25@59038): OK
>> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600) :
>> [192.34.61.247], clamd on IP [192.168.44.47] port [3313] replied
>> [stream: OK]
>> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360: xm_scan(9600) :
>> [192.34.61.247], clamd on IP [192.168.44.47] port [3313] scanned
>> [4446] bytes in [0.195] seconds (22.819 kbytes/sec), nothing found in
>> entire_message
>> Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM8022360: Milter add:
>> header: X-Scanned-OK: extensible-milter version 6.842 using ClamAV
>> version [ClamAV 0.102.0-rc/25597/Wed Oct  9 09:39:14 2019], clamd on
>> IP [192.168.44.47] port [3313], [4446] bytes in [0.652s] at
>> 2019-10-23 13:05:07Z
>> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360: xm_scripts():
>> [192.34.61.247] [eom] [ 56] MATCH (CONTINUE) eval(reciprule at line [
>> 219]) time [0.056393s] [return "CONTINUE"
>> if(!(xm_blacklisted_envfrom($priv_data))...]
>> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360: xm_eom_callback():
>> [192.34.61.247], [AS14061], return [SMFIS_CONTINUE]
>> Oct 23 14:05:07 mail6 xm[18320] x9ND4sM7022360:                   
>> xm_stats(): [192.34.61.247] +++++++ END EOM CALLBACK +++++++
>> Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM8022360: --- 250 2.0.0
>> x9ND4sM8022360 Message accepted for delivery
>> Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM9022360: <-- QUIT
>> Oct 23 14:05:07 mail6 sm-mta[22360] x9ND4sM9022360: --- 221 2.0.0
>> mail6.jubileegroup.co.uk closing connection
>> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360:
>> xm_close_callback(): [192.34.61.247] now has [0] open connections to MTA
>> Oct 23 14:05:07 mail6 xm[18320]   x9ND4sM7022360:
>> xm_close_callback(): [192.34.61.247], [AS14061], return
>> [IGNORED_BY_SENDMAIL] [52]
>> Oct 23 14:05:09 mail6 xm[18320]   x9ND4sM7022360:
>> xm_log_endex_message(): [192.34.61.247] +ENDEX US =AS14061 0m 14.51s
>> connect,260 mailmanlists.network P clamav@
>> Oct 23 14:05:09 mail6 xm[18320] x9ND4sM7022360:                   
>> xm_stats(): [192.34.61.247] +++++++ END CLOSE CALLBACK +++++++
>> Oct 23 14:05:22 mail6 clamd[22369] on tornado: Pong
>> Oct 23 14:06:22 mail6 clamd[22412] on tornado: Pong
>> Oct 23 14:07:23 mail6 clamd[22430] on tornado: Pong
>> Oct 23 14:08:22 mail6 clamd[22448] on tornado: Pong
>> 8<--------------------------------------------------------------------------------------------------------------------------------------------
>>
>>
>> I wonder if we should compare some configurations?
>>
>> Below I give the relevant part of the configuration file for the clamd
>> daemon which logged the line in the above log extract which reads:
>>
>> "Oct 23 14:05:07 tornado clamd[10873]: instream(192.168.44.25@59038):
>> OK"
>>
>> 8<----------------------------------------------------------------------
>> # Use system logger (can work together with LogFile).
>> # Default: no
>> LogSyslog yes
>> # Specify the type of syslog messages - please refer to 'man syslog'
>> # for facility names.
>> # Default: LOG_LOCAL6
>> LogFacility LOG_MAIL
>> 8<----------------------------------------------------------------------
>>
>> Does that help?
>>
>> I'm afraid the logging daemon configuration probably won't help you
>> because the logging server here happens to be running rsyslog. If it
>> matters, the times are all BST (+0100).
>>
> The thing is, I do use 0.102.0 on my mail server with direct output to
> the clamd.log file. However, this is another matter on one of my
> workstations (see also the discussion at 17/10; clamonacc behaviour).
> It involves files/directories which are created but removed before
> clamonacc has passed the scan request to clamd.
>
> I did leave the default for LogFacility and output to syslog, just
> like you did.
> I switched from rsyslog to syslog-ng because of the uncomprehensible
> coding used in rsyslog.
>
> Also a remark: I noticed you used 0.102.0-rc, I used the released
> version. Your listing shows the programs name, mine not. That's what
> makes it difficult to filter the correct messages.
>
> Anyhow, I will setup things again in the next days and try again, just
> to see if I made a mistake somewhere.
>
> To be continued...
> Frans.

I found that I could force the output to syslog-ng by adding the line
StandardOutput=journal - as well as StandardError =journal - and use
filtering in syslog-ng to drop unwanted messages.

Mind you, this works only with systemd 232+

Now all the output of the ClamAV suite is routed and where needed
filtered to and by syslog-ng and still have separate log files.

--- Frans.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml