Jeff Weinberger wrote:
>
> Thanks Dennis - much appreciated!!
>
> I've looked at the log files and all they are recording is the
> virus-updated-induced reloads. So I'm not sure what's happening.
>
> I assume ClamAV would only report anything at all (even to log files)
> if it was handed a message and found it to have a virus. If it had no
> virus, I assume ClamAV would deliver it as clean.
>
> The question is: if I were to look at the log file, what would/should
> I see there if:
>
> 1) ClamAV found something to be a virus? or
> 2) Clam AV processed a message that had no virus in it
>
In my configuration I have clamd and freshclam logging to syslog using local6. This way all logging shows up in a common file.

Here is a section of today's log and includes some FOUND viruses, attempts by freshclam to download new signatures, and a notification to clamd that it successfully downloaded signatures. The lines are long and will linewrap - all lines begin with Aug 10. I don't have LogClean enabled so only found signatures are reported.

Aug 10 04:51:29 rainier clamd[7572]: [ID 702911 local6.info] SelfCheck: Database status OK.
Aug 10 05:23:17 rainier last message repeated 1 time
Aug 10 05:43:17 rainier freshclam[21878]: [ID 702911 local6.info] ClamAV update process started at Sun Aug 10 05:43:17 2008
Aug 10 05:43:17 rainier freshclam[21878]: [ID 702911 local6.info] main.cvd is up to date (version: 47, sigs: 312304, f-level: 31, builder: sven)
Aug 10 05:43:39 rainier clamd[7572]: [ID 702911 local6.info] /var/spool/jchkmail/489EE272.000.0000: Email.Malware.Sanesecurity.08062502 FOUND
Aug 10 05:43:51 rainier freshclam[21878]: [ID 702911 local6.info] nonblock_connect: connect timing out (30 secs)
Aug 10 05:43:51 rainier freshclam[21878]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
Aug 10 05:43:51 rainier freshclam[21878]: [ID 702911 local6.info] Trying host db.ca.clamav.net (208.70.244.158)...
Aug 10 05:43:51 rainier freshclam[21878]: [ID 702911 local6.info] Downloading daily-7999.cdiff [100%]
Aug 10 05:43:52 rainier freshclam[21878]: [ID 702911 local6.info] daily.cld updated (version: 7999, sigs: 82973, f-level: 33, builder: ccordes)
Aug 10 05:43:52 rainier freshclam[21878]: [ID 702911 local6.info] Database updated (395277 signatures) from db.ca.clamav.net (IP: 208.70.244.158)
Aug 10 05:43:52 rainier freshclam[21878]: [ID 702911 local6.info] Clamd successfully notified about the update.
Aug 10 06:22:15 rainier clamd[7572]: [ID 702911 local6.info] SelfCheck: Database modification detected. Forcing reload.
Aug 10 06:22:15 rainier clamd[7572]: [ID 702911 local6.info] Reading databases from /usr/local/share/clamav
Aug 10 06:22:42 rainier clamd[7572]: [ID 702911 local6.info] Database correctly reloaded (433857 signatures)
Aug 10 06:39:20 rainier clamd[7572]: [ID 702911 local6.info] /var/spool/jchkmail/489EEF7B.000.0000: Email.Hdr.Sanesecurity.08022900 FOUND
Aug 10 07:05:49 rainier clamd[7572]: [ID 702911 local6.info] SelfCheck: Database status OK.
Aug 10 07:34:42 rainier freshclam[25217]: [ID 702911 local6.info] ClamAV update process started at Sun Aug 10 07:34:42 2008
Aug 10 07:34:42 rainier freshclam[25217]: [ID 702911 local6.info] main.cvd is up to date (version: 47, sigs: 312304, f-level: 31, builder: sven)
Aug 10 07:34:42 rainier freshclam[25217]: [ID 702911 local6.info] daily.cld is up to date (version: 7999, sigs: 82973, f-level: 33, builder: ccordes)
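
Added example, not part of the original message: a small Python parser for the syslog layout shown in the log excerpt that separates clamd FOUND detections from clean-scan, reload and freshclam update lines. The "path: OK" form for clean files with LogClean enabled, the category names, and the last sample line (marked constructed) are assumptions not taken from the posted log.

```python
import re
from collections import Counter

# Syslog layout as in the post: "Aug 10 05:43:39 host prog[pid]: [ID n fac.level] msg"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>clamd|freshclam)\[\d+\]: (?:\[ID \d+ \S+\] )?(?P<msg>.*)$")
FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
CLEAN = re.compile(r"^(?P<path>.+): OK$")  # assumed format; needs LogClean enabled

def classify(line):
    """Return (kind, detail) for one syslog line."""
    m = LINE.match(line.strip())
    if not m:
        return "other", None  # e.g. "last message repeated 1 time"
    prog, msg = m["prog"], m["msg"]
    if prog == "clamd":
        hit, ok = FOUND.match(msg), CLEAN.match(msg)
        if hit:
            return "found", (m["ts"], hit["path"], hit["sig"])
        if ok:
            return "clean", (m["ts"], ok["path"])
        if "reload" in msg.lower():
            return "reload", msg
    elif "Can't connect" in msg or "timing out" in msg:
        return "update_error", msg
    elif msg.startswith("Database updated"):
        return "update", msg
    return "other", None

def summarize(lines):
    """Count line kinds and collect (timestamp, path, signature) detections."""
    counts, detections = Counter(), []
    for line in lines:
        kind, detail = classify(line)
        counts[kind] += 1
        if kind == "found":
            detections.append(detail)
    return counts, detections

P = "[ID 702911 local6.info] "
SAMPLE = [  # first five lines are from the post; the last one is constructed
    "Aug 10 04:51:29 rainier clamd[7572]: " + P + "SelfCheck: Database status OK.",
    "Aug 10 05:43:39 rainier clamd[7572]: " + P + "/var/spool/jchkmail/489EE272.000.0000: Email.Malware.Sanesecurity.08062502 FOUND",
    "Aug 10 05:43:51 rainier freshclam[21878]: " + P + "Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)",
    "Aug 10 05:43:52 rainier freshclam[21878]: " + P + "Database updated (395277 signatures) from db.ca.clamav.net (IP: 208.70.244.158)",
    "Aug 10 06:22:42 rainier clamd[7572]: " + P + "Database correctly reloaded (433857 signatures)",
    "Aug 10 06:40:01 rainier clamd[7572]: " + P + "/var/spool/jchkmail/CONSTRUCTED.000.0000: OK",
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A log with reload lines but zero "found" and zero "clean" entries, as in the quoted question, cannot by itself distinguish "nothing was scanned" from "everything scanned was clean" unless LogClean is on.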