Discussion:
clamav-milter 0.95.1 logging deficiencies
Kevin Clark
2009-04-15 16:24:17 UTC
I'm following up on a previous post about logging to maillog:

http://lurker.clamav.net/message/20090408.063308.16623e5a.en.html

I am using Sendmail 8.13 on CentOS-4 but whereas previously with 0.94.2 I would get a log entry in /var/log/maillog for every scanned message I now only get a log event for infected messages or those with an existing "X-Virus-Scanned" or "X-Virus-Status" header.

I have configured clamd to log every scanning event to /var/log/clamav/clamd.log but whereas before it would log a message ID and status I can now only get entries like these:

Wed Apr 15 11:01:53 2009 -> fd[11]: OK
Wed Apr 15 11:04:36 2009 -> fd[11]: Eicar-Test-Signature FOUND
Wed Apr 15 11:04:36 2009 -> fd[11]: OK

I would appreciate some guidance on whether I am missing something obvious in the configuration that would allow me to:

1) log every scanning event in /var/log/maillog
2) get more detailed log entries in /var/log/clamav/clamd.log

For reference, my configuration is:

[***@gateway mail]# clamconf
ClamAV engine version: 0.95.1
Checking configuration files in /etc

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamd.log"
LogFileUnlock disabled
LogFileMaxSize = "2097152"
LogTime = "yes"
LogClean = "yes"
LogSyslog = "yes"
LogFacility = "LOG_LOCAL6"
LogVerbose = "yes"
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory = "/tmp"
DatabaseDirectory = "/var/lib/clamav"
LocalSocket = "/var/run/clamav/clamd.sock"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "10"
ReadTimeout = "120"
CommandReadTimeout = "5"
SendBufTimeout = "500"
MaxQueue = "50"
IdleTimeout = "30"
ExcludePath = "^/proc/", "^/sys/"
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks = "yes"
FollowFileSymlinks disabled
SelfCheck = "600"
VirusEvent = "no"
ExitOnOOM = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups disabled
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
MailFollowURLs disabled
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
HeuristicScanPrecedence = "yes"
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
ScanPDF = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted = "yes"
MaxScanSize = "52428800"
MaxFileSize = "26214400"
MaxRecursion = "10"
MaxFiles = "10000"
ClamukoScanOnAccess disabled
ClamukoScanOnOpen disabled
ClamukoScanOnClose disabled
ClamukoScanOnExec disabled
ClamukoIncludePath disabled
ClamukoExcludePath disabled
ClamukoMaxFileSize = "5242880"
DevACOnly disabled
DevACDepth disabled

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav/clamav-milter.log"
LogFileUnlock disabled
LogFileMaxSize = "2097152"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose = "yes"
PidFile = "/var/run/clamav/clamav-milter.pid"
TemporaryDirectory = "/tmp"
FixStaleSocket = "yes"
MaxThreads = "10"
ReadTimeout = "120"
Foreground disabled
User = "clamav"
AllowSupplementaryGroups disabled
MaxFileSize = "26214400"
ClamdSocket = "unix:/var/run/clamav/clamd.sock"
MilterSocket = "local:/var/run/clamav/clamav-milter.sock"
LocalNet disabled
OnClean = "Accept"
OnInfected = "Reject"
OnFail = "Defer"
RejectMsg = "%v detected"
AddHeader = "yes"
Chroot disabled
Whitelist = "/etc/mail/clamav-whitelist"
SkipAuthenticated disabled
LogInfected = "Basic"

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
aCaB
2009-04-15 17:54:16 UTC
Post by Kevin Clark
http://lurker.clamav.net/message/20090408.063308.16623e5a.en.html
I am using Sendmail 8.13 on CentOS-4 but whereas previously with 0.94.2 I would get a log entry in /var/log/maillog for every scanned message I now only get a log event for infected messages or those with an existing "X-Virus-Scanned" or "X-Virus-Status" header.
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
If you want messages logged to syslog, please configure those options properly.
Clamd has got no idea about message ids. Clamav-milter does. The place
to look for them is therefore clamav-milter.log (or syslog if you follow
the advice above).
See above.
Post by Kevin Clark
1) log every scanning event in /var/log/maillog
In *clamav-milter.conf* set:
LogSyslog yes
LogFacility LOG_MAIL
LogInfected Basic or LogInfected Full
Post by Kevin Clark
2) get more detailed log entries in /var/log/clamav/clamd.log
If "more detailed" means "I want the message ids" then forget about
that. Clamd does not know what a message id is.
Again, the place for ids is clamav-milter's log.

HtH,
--acab

Kevin Clark
2009-04-16 10:51:09 UTC
Post by Kevin Clark
Post by Kevin Clark
http://lurker.clamav.net/message/20090408.063308.16623e5a.en.html
I am using Sendmail 8.13 on CentOS-4 but whereas previously with
0.94.2 I would get a log entry in /var/log/maillog for every scanned
message I now only get a log event for infected messages or those with
an existing "X-Virus-Scanned" or "X-Virus-Status" header.
Post by Kevin Clark
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
If you want messages logged to syslog, please configure those options properly.
Post by Kevin Clark
I have configured clamd to log every scanning event to
/var/log/clamav/clamd.log but whereas before it would log a message ID
Clamd has got no idea about message ids. Clamav-milter does. The place
to look for them is therefore clamav-milter.log (or syslog if you follow
the advice above).
Post by Kevin Clark
I would appreciate some guidance on whether I am missing something
See above.
Post by Kevin Clark
1) log every scanning event in /var/log/maillog
LogSyslog yes
LogFacility LOG_MAIL
LogInfected Basic or LogInfected Full
Post by Kevin Clark
2) get more detailed log entries in /var/log/clamav/clamd.log
If "more detailed" means "I want the message ids" then forget about
that. Clamd does not know what a message id is.
Again, the place for ids is clamav-milter's log.
I appreciate the quick response but I'm sorry to say that making the changes you suggested to clamav-milter.conf does not have the desired effect.

With these values in clamav-milter.conf...

LogFile /var/log/clamav/clamav-milter.log
LogSyslog yes
LogFacility LOG_MAIL
LogInfected Full

...clamav-milter still does not log every scanning event to either /var/log/maillog or its own logfile /var/log/clamav/clamav-milter.log.

Here are the contents of the clamav-milter.log file after clamav-milter is started with this configuration. You can see the process being started and an infected message being logged but there's no indication of the clean message that was sent prior to the infected one.

Thu Apr 16 10:13:38 2009 -> +++ Started at Thu Apr 16 10:13:38 2009
Thu Apr 16 10:13:38 2009 -> Local socket unix:/var/run/clamav/clamd.sock added to the pool (slot 1)
Thu Apr 16 10:13:38 2009 -> Probe for slot 1 returned: success
Thu Apr 16 10:19:49 2009 -> Message n3GAJnia022168 from <root> to <***@xxx.co.uk> with subject 'test infected' message-id '<***@aaa.xxx.co.uk>' date 'Thu, 16 Apr 2009 10:19:48 GMT' infected by Eicar-Test-Signature

The only indication that anything was scanned is given in the clamd.log file:

Thu Apr 16 10:13:47 2009 -> fd[11]: OK
Thu Apr 16 10:19:49 2009 -> fd[11]: Eicar-Test-Signature FOUND
Thu Apr 16 10:19:49 2009 -> fd[11]: OK

And in the message headers when the email arrives on the client:

Date: Thu, 16 Apr 2009 10:13:47 GMT
From: root <***@aaa.xxx.co.uk>
Message-Id: <***@aaa.xxx.co.uk>
To: ***@xxx.co.uk
Subject: test
X-Virus-Scanned: clamav-milter 0.95.1 at aaa
X-Virus-Status: Clean
X-Logged: Logged by aaa.xxx.co.uk as n3GADlDY021695 at Thu Apr 16 10:13:47 2009

Should I report this as a bug?
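A small parser for the two log formats quoted in the post above, added here as an illustration and not code from the thread or from ClamAV (the sample lines are constructed, with placeholder addresses in place of the masked ones): it pulls the Sendmail queue id, message-id and signature out of the clamav-milter "infected by" line, tallies clamd's per-scan OK/FOUND verdicts, and reports how many FOUND verdicts can be tied to a queue id, which makes concrete that clean scans in this setup leave no id-bearing record anywhere.

```python
import re
from datetime import datetime
# Constructed sample lines in the formats quoted in the thread (addresses are placeholders).
MILTER_LOG = """\
Thu Apr 16 10:13:38 2009 -> +++ Started at Thu Apr 16 10:13:38 2009
Thu Apr 16 10:19:49 2009 -> Message n3GAJnia022168 from <root> to <user@example.invalid> with subject 'test infected' message-id '<abc@mx.example.invalid>' date 'Thu, 16 Apr 2009 10:19:48 GMT' infected by Eicar-Test-Signature
"""
CLAMD_LOG = """\
Thu Apr 16 10:13:47 2009 -> fd[11]: OK
Thu Apr 16 10:19:49 2009 -> fd[11]: Eicar-Test-Signature FOUND
Thu Apr 16 10:19:49 2009 -> fd[11]: OK
"""
TS_FMT = "%a %b %d %H:%M:%S %Y"  # the "Thu Apr 16 10:19:49 2009" prefix both daemons write
MILTER_RE = re.compile(
    r"^(?P<ts>.+?) -> Message (?P<qid>\S+) from <(?P<from>[^>]*)> to <(?P<to>[^>]*)> "
    r"with subject '(?P<subject>.*)' message-id '(?P<msgid>[^']*)' date '(?P<date>[^']*)' "
    r"infected by (?P<sig>\S+)$")
CLAMD_RE = re.compile(r"^(?P<ts>.+?) -> fd\[(?P<fd>\d+)\]: (?:(?P<sig>\S+) FOUND|OK)$")


def parse_milter(text):
    """Return one dict per 'infected by' line; startup and pool lines are skipped."""
    out = []
    for line in text.splitlines():
        m = MILTER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            out.append(rec)
    return out


def parse_clamd(text):
    """Return (timestamp, verdict) per scan; verdict is 'OK' or the signature name."""
    out = []
    for line in text.splitlines():
        m = CLAMD_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], TS_FMT), m["sig"] or "OK"))
    return out


def scan_summary(milter_text, clamd_text):
    """Tally clamd verdicts and count the FOUND verdicts that a milter line (same
    second, same signature) ties to a queue id; clean scans never get such a line."""
    infected = parse_milter(milter_text)
    scans = parse_clamd(clamd_text)
    found = [(ts, v) for ts, v in scans if v != "OK"]
    tied = sum(1 for ts, v in found
               if any(i["ts"] == ts and i["sig"] == v for i in infected))
    return {"scans": len(scans), "clean": len(scans) - len(found),
            "found": len(found), "found_with_queue_id": tied}
```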
aCaB
2009-04-16 11:36:20 UTC
Post by Kevin Clark
I appreciate the quick response but I'm sorry to say that making the changes you suggested to clamav-milter.conf does not have the desired effect.
With these values in clamav-milter.conf...
LogFile /var/log/clamav/clamav-milter.log
LogSyslog yes
LogFacility LOG_MAIL
LogInfected Full
...clamav-milter still does not log every scanning event to either /var/log/maillog or its own logfile /var/log/clamav/clamav-milter.log
Hi Kevin,

As you may guess, "LogInfected" logs infected messages.
Your mail log should already have logs for each mail passed through your
box. With the above setup Clamav milter additionally tells you which of
those mails were infected.


What am I missing?

-acab
Craig Green
2009-04-16 17:50:12 UTC
Post by aCaB
Post by Kevin Clark
...clamav-milter still does not log every scanning event to either /var/log/maillog or its own logfile /var/log/clamav/clamav-milter.log
Hi Kevin,
As you may guess, "LogInfected" logs infected messages.
Your mail log should already have logs for each mail passed through your
box. With the above setup Clamav milter additionally tells you which of
those mails were infected.
What am I missing?
I believe Kevin is seeking an option similar to clamd's LogClean option
in clamav-milter.

From clamd.conf:

--------

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
LogClean yes

--------


Cheers,

Craig.
Kevin Clark
2009-04-17 09:56:04 UTC
Post by Craig Green
Post by aCaB
What am I missing?
I believe Kevin is seeking an option similar to clamd's LogClean option
in clamav-milter.
--------
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
LogClean yes
Craig is correct - I would like clamav-milter to log clean files as well as infected ones much like it used to.

Also, I like having the log entries in /var/log/maillog because then I have a single log file from which I can determine that a message was scanned by all (or maybe none because of whitelisting) of the Milters we have running on the system.

Cheers,

Kevin
aCaB
2009-04-17 15:47:05 UTC
Post by Kevin Clark
Craig is correct - I would like clamav-milter to log clean files as well as infected ones much like it used to.
Hi Kevin,
I think this is pretty pointless as that would basically duplicate any
line already in the logs. That's especially true if you are logging via
syslog.
Try opening a request on the bugzilla. It may or may not be considered,
mostly depending on how many people need such a feature.
Post by Kevin Clark
Also, I like having the log entries in /var/log/maillog because then I have a single log file from which I can determine that a message was scanned by all (or maybe none because of whitelisting) of the Milters we have running on the system.
Clamav-milter already gives you enough logging options to achieve that.


-aCaB
Kevin Clark
2009-04-20 10:18:45 UTC
Post by aCaB
Post by Kevin Clark
Craig is correct - I would like clamav-milter to log clean files as
well as infected ones much like it used to.
Hi Kevin,
I think this is pretty pointless as that would basically duplicate any
line already in the logs. That's especially true if you are logging via
syslog.
Hi aCaB,
The results I'm getting show that clamav-milter 0.95.1 does not log clean messages in any log file. Right now I'd happily accept duplication. Anything is better than nothing.
Post by aCaB
Post by Kevin Clark
Also, I like having the log entries in /var/log/maillog because then
I have a single log file from which I can determine that a message was
scanned by all (or maybe none because of whitelisting) of the Milters
we have running on the system.
Clamav-milter already gives you enough logging options to achieve that.
If you are referring to these options:

LogFile /var/log/clamav/clamav-milter.log
LogSyslog yes
LogFacility LOG_MAIL

Then I have evidence to show that this does not result in clean messages getting logged either through syslog or by clamav-milter itself.

So is this a bug?

Kevin
Dennis Peterson
2009-04-17 16:03:02 UTC
Post by Kevin Clark
Post by Craig Green
Post by aCaB
What am I missing?
I believe Kevin is seeking an option similar to clamd's LogClean option
in clamav-milter.
--------
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
LogClean yes
Craig is correct - I would like clamav-milter to log clean files as well as infected ones much like it used to.
Also, I like having the log entries in /var/log/maillog because then I have a single log file from which I can determine that a message was scanned by all (or maybe none because of whitelisting) of the Milters we have running on the system.
If you are using syslog-ng you can aggregate various facility:level selectors at
the line item level with the match() operator. As a non-functional pseudo code
example:

filter f_virus { (filter (maillog) AND filter (clamlog)) AND NOT match ("regex"); };

This combines all output of the mail log and the milter-clamav log and excludes
whatever is matched by the regular expression.

dp
