Discussion:
[clamav-users] Strange behaviors about syslog on Debian
Yasuhiro KIMURA
2018-11-13 22:28:27 UTC
Hello,

I use ClamAV 0.100.2 on Debian 9.6. Everything works fine as far as virus
scanning goes. But when looking at syslog I found 2 strange behaviors.

1. Message is written to syslog even if LogSyslog is false.

On Debian LogSyslog is set to false in both clamd.conf and
freshclam.conf. But there are messages from clamd and freshclam in
/var/log/syslog.

2. The message itself includes a timestamp.

I also use ClamAV 0.100.2 on FreeBSD 11.2-RELEASE. On FreeBSD
LogSyslog is set to true and messages such as the following are written to
syslog.

Nov 14 06:51:30 freebsd-server freshclam[761]: Received signal: wake up
Nov 14 06:51:30 freebsd-server freshclam[761]: ClamAV update process started at Wed Nov 14 06:51:30 2018
Nov 14 06:51:30 freebsd-server freshclam[761]: main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Nov 14 06:51:30 freebsd-server freshclam[761]: daily.cld is up to date (version: 25117, sigs: 2150146, f-level: 63, builder: neo)
Nov 14 06:51:30 freebsd-server freshclam[761]: bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Nov 14 06:51:30 freebsd-server freshclam[761]: --------------------------------------
Nov 14 06:53:22 freebsd-server clamd[754]: SelfCheck: Database status OK.

But on Debian the message format is different from that of FreeBSD.

Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> Received signal: wake up
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> ClamAV update process started at Wed Nov 14 06:26:54 2018
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> daily.cld is up to date (version: 25117, sigs: 2150146, f-level: 63, builder: neo)
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Nov 14 06:27:06 debian-server clamd[559]: Wed Nov 14 06:27:06 2018 -> SelfCheck: Database status OK.

It includes the timestamp inside the message itself.

Then my question is, which of the following categories do these behaviors fall
into?

a. Expected and proper behavior.
b. A bug in ClamAV itself.
c. The result of customization by Debian.
d. A bug in the package that should be reported to the Debian package maintainer.

Best Regards.

---
Yasuhiro KIMURA
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
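The two syslog formats in the post above differ only in ClamAV's own timestamp prefix (the "Wed Nov 14 06:26:54 2018 -> " text, which the thread later traces to the LogTime directive). The following is an added example, not code from the thread or from ClamAV: a small Python parser that accepts lines in either shape, splits off the embedded timestamp when present so messages are comparable across hosts, and summarises per host and program how many lines carried the prefix and how many of those disagree with the syslog receipt time. The daemon's stamp is when it wrote the line and syslog's stamp is when the collector received it, so a gap points to delayed delivery or clock skew. The sample lines are constructed from the ones posted above, plus one deliberately skewed line.

```python
"""Parse ClamAV lines from /var/log/syslog in both shapes seen in this thread.

Added example, not ClamAV code.  The sample lines are constructed from the
ones posted above; the last one is deliberately skewed by one second.
"""
import re

# Traditional syslog line: "Nov 14 06:26:54 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Prefix ClamAV adds to every message when LogTime is enabled (ctime(3)
# format followed by " -> "), e.g. "Wed Nov 14 06:26:54 2018 -> "
LOGTIME_RE = re.compile(
    r"^(?P<ctime>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (?P<rest>.*)$"
)

# Constructed sample: lines from both hosts, last one skewed on purpose.
SAMPLE = """\
Nov 14 06:51:30 freebsd-server freshclam[761]: Received signal: wake up
Nov 14 06:51:30 freebsd-server freshclam[761]: --------------------------------------
Nov 14 06:53:22 freebsd-server clamd[754]: SelfCheck: Database status OK.
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> Received signal: wake up
Nov 14 06:27:06 debian-server clamd[559]: Wed Nov 14 06:27:06 2018 -> SelfCheck: Database status OK.
Nov 14 06:27:07 debian-server clamd[559]: Wed Nov 14 06:27:06 2018 -> SelfCheck: Database status OK.
"""


def parse_line(line):
    """Return a dict with ts/host/prog/pid/logtime/msg, or None if not syslog."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    rec["logtime"] = None
    lt = LOGTIME_RE.match(rec["msg"])
    if lt:
        # Split the daemon's own stamp off so msg is comparable across hosts.
        rec["logtime"] = lt.group("ctime")
        rec["msg"] = lt.group("rest")
    return rec


def ctime_to_syslog(ctime):
    """'Wed Nov 14 06:26:54 2018' -> 'Nov 14 06:26:54' (drop weekday and year)."""
    return ctime[4:-5]


def summarize(text):
    """Per (host, prog): total lines, lines with a LogTime prefix, and prefixed
    lines whose daemon stamp differs from the syslog receipt stamp."""
    stats = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["prog"])
        s = stats.setdefault(key, {"lines": 0, "prefixed": 0, "mismatch": 0})
        s["lines"] += 1
        if rec["logtime"] is not None:
            s["prefixed"] += 1
            if ctime_to_syslog(rec["logtime"]) != rec["ts"]:
                s["mismatch"] += 1
    return stats


if __name__ == "__main__":
    for key, s in sorted(summarize(SAMPLE).items()):
        print(f"{key[0]:15s} {key[1]:10s} {s}")
```

Run it against a real file with `summarize(open("/var/log/syslog").read())`; a host whose clamd lines show `prefixed == lines` has LogTime on, and a non-zero `mismatch` count is worth a look before trusting the syslog timestamps in an investigation.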
Scott Kitterman
2018-11-14 02:08:12 UTC
Post by Yasuhiro KIMURA
Hello,
I use ClamAV 0.100.2 on Debian 9.6. Everything works fine as far as virus
scanning goes. But when looking at syslog I found 2 strange behaviors.
1. Message is written to syslog even if LogSyslog is false.
On Debian LogSyslog is set to false in both clamd.conf and
freshclam.conf. But there are messages from clamd and freshclam in
/var/log/syslog.
2. The message itself includes a timestamp.
I also use ClamAV 0.100.2 on FreeBSD 11.2-RELEASE. On FreeBSD
LogSyslog is set to true and messages such as the following are written to
syslog.
Nov 14 06:51:30 freebsd-server freshclam[761]: Received signal: wake up
Nov 14 06:51:30 freebsd-server freshclam[761]: ClamAV update process started at Wed Nov 14 06:51:30 2018
Nov 14 06:51:30 freebsd-server freshclam[761]: main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Nov 14 06:51:30 freebsd-server freshclam[761]: daily.cld is up to date (version: 25117, sigs: 2150146, f-level: 63, builder: neo)
Nov 14 06:51:30 freebsd-server freshclam[761]: bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Nov 14 06:51:30 freebsd-server freshclam[761]: --------------------------------------
Nov 14 06:53:22 freebsd-server clamd[754]: SelfCheck: Database status OK.
But on Debian the message format is different from that of FreeBSD.
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> Received signal: wake up
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> ClamAV update process started at Wed Nov 14 06:26:54 2018
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> daily.cld is up to date (version: 25117, sigs: 2150146, f-level: 63, builder: neo)
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Nov 14 06:27:06 debian-server clamd[559]: Wed Nov 14 06:27:06 2018 -> SelfCheck: Database status OK.
It includes the timestamp inside the message itself.
Then my question is, which of the following categories do these behaviors fall
into?
a. Expected and proper behavior.
b. A bug in ClamAV itself.
c. The result of customization by Debian.
d. A bug in the package that should be reported to the Debian package maintainer.
Assuming you haven't made an effort to select SysV init on the Debian system, it's running using systemd. FreeBSD is presumably using SysV.

Systemd includes a logging component that probably explains the difference. My guess is a., but almost certainly not b. or c.

Scott K
Yasuhiro KIMURA
2018-11-15 17:31:55 UTC
Hello Scott, thank you for the reply.

From: Scott Kitterman <***@kitterman.com>
Subject: Re: [clamav-users] Strange behaviors about syslog on Debian
Date: Wed, 14 Nov 2018 02:08:12 +0000
Post by Scott Kitterman
Assuming you haven't made an effort to select SysV init on the Debian system, it's running using systemd. FreeBSD is presumably using SysV.
Yes, I use Debian as is so it uses systemd.
Post by Scott Kitterman
Systemd includes a logging component that probably explains the difference.
I didn't know about it. And it sounds convincing that systemd is the
source of the difference. So I decided to test it with CentOS because
CentOS 6.x uses SysVinit but CentOS 7.x uses systemd.

At first I set up a 6.x environment with the following conditions.

* CentOS 6.10
* ClamAV 0.100.2 from EPEL (Extra Packages for Enterprise Linux by the
Fedora Project)

And the result is that ClamAV behaves the same as on FreeBSD.

And next I'll set up 7.x and test on it. But I'm away this weekend. So
I'll do it and report the result next week.

---
Yasuhiro KIMURA
Yasuhiro KIMURA
2018-11-24 09:55:05 UTC
From: Yasuhiro KIMURA <***@utahime.org>
Subject: Re: [clamav-users] Strange behaviors about syslog on Debian
Date: Fri, 16 Nov 2018 02:31:55 +0900 (JST)
Post by Yasuhiro KIMURA
And next I'll set up 7.x and test on it. But I'm away this weekend. So
I'll do it and report the result next week.
Sorry for the delay. Hardware trouble happened on my test environment and I
couldn't use it until today.

But before it was repaired I got an answer to one of my questions.
While I was reading the documentation I found there is a LogTime directive
for the configuration files of both clamd and freshclam. And it was set
to false on CentOS 6 and FreeBSD but true on Debian. So I changed the
value to false on Debian and then the timestamp disappeared from the
messages. That is, the behavior of ClamAV is just as expected regarding the
timestamp issue.

And I'm going to set up CentOS 7.x from now and will check how it
behaves regarding the syslog issue.

---
Yasuhiro KIMURA
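The LogTime finding above comes down to a single directive that differs between the Debian and FreeBSD files. As an added example (not from the thread or from ClamAV), here is a Python check that reads the logging directives of a clamd.conf or freshclam.conf and reports what the daemon will do with them: whether it calls syslog(3) and with which facility, which file it writes, whether messages get the LogTime prefix, and whether the shipped "Example" sentinel line is still present (in which case the daemon refuses to start). Defaults follow the clamd.conf(5) man page (LogSyslog and LogTime off, no LogFile, LogFacility LOG_LOCAL6); booleans accept yes/no, true/false and 1/0, the spellings ClamAV's own parser accepts, which is why the Debian file can say "false" where the man page says "no". The two configuration fragments are constructed in the style of the Debian and FreeBSD files discussed here, not copied from either package.

```python
"""Report what clamd/freshclam will do with their logging directives.

Added example, not ClamAV code.  Defaults are those documented in
clamd.conf(5): LogSyslog no, LogTime no, no LogFile, LogFacility LOG_LOCAL6.
The two fragments below are constructed in the style of the Debian and
FreeBSD files, not copied from either package.
"""

DEFAULTS = {
    "LogSyslog": False,        # call syslog(3) for every message
    "LogTime": False,          # prefix each message with its time
    "LogVerbose": False,
    "LogFile": None,           # file log; unset means none
    "LogFacility": "LOG_LOCAL6",
}
BOOLEANS = {"LogSyslog", "LogTime", "LogVerbose"}
TRUE_WORDS = {"yes", "true", "1"}     # spellings ClamAV's parser accepts
FALSE_WORDS = {"no", "false", "0"}

DEBIAN_STYLE = """\
# Debian-style fragment (constructed): file log with timestamps, no syslog
LogSyslog false
LogTime true
LogFile /var/log/clamav/clamav.log
LogFacility LOG_LOCAL6
"""

FREEBSD_STYLE = """\
# FreeBSD-style fragment (constructed): syslog on, no timestamp prefix
LogSyslog yes
LogTime no
LogFile /var/log/clamav/clamd.log
"""


def parse_conf(text):
    """Return the effective values of the logging directives plus an
    'Example' flag; directives outside DEFAULTS are ignored."""
    cfg = dict(DEFAULTS)
    cfg["Example"] = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == "Example":
            # The shipped file carries this sentinel; the daemon refuses to
            # start until it is removed or commented out.
            cfg["Example"] = True
            continue
        key = parts[0] if parts[0] in DEFAULTS else None
        if key is None or len(parts) < 2:
            continue
        value = parts[1].strip()
        if key in BOOLEANS:
            word = value.lower()
            if word in TRUE_WORDS:
                cfg[key] = True
            elif word in FALSE_WORDS:
                cfg[key] = False
            else:
                raise ValueError(f"{key}: not a boolean: {value!r}")
        else:
            cfg[key] = value
    return cfg


def logging_behaviour(cfg):
    """What the daemon will actually do, derived from the parsed directives."""
    return {
        "syslog": cfg["LogSyslog"],
        "facility": cfg["LogFacility"] if cfg["LogSyslog"] else None,
        "file": cfg["LogFile"],
        "timestamp_in_message": cfg["LogTime"],
        "refuses_to_start": cfg["Example"],
    }


def differing_directives(a, b):
    """Directive names whose effective value differs between two configs."""
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    deb, bsd = parse_conf(DEBIAN_STYLE), parse_conf(FREEBSD_STYLE)
    print("debian :", logging_behaviour(deb))
    print("freebsd:", logging_behaviour(bsd))
    print("differ :", differing_directives(deb, bsd))
```

Feed it the real files with `parse_conf(open("/etc/clamav/clamd.conf").read())` on each host; `differing_directives` then lists exactly which logging settings the two packages ship differently, which is the comparison the thread did by hand.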
Yasuhiro KIMURA
2018-11-24 15:52:08 UTC
From: Yasuhiro KIMURA <***@utahime.org>
Subject: Re: [clamav-users] Strange behaviors about syslog on Debian
Date: Sat, 24 Nov 2018 18:55:05 +0900 (JST)
Post by Yasuhiro KIMURA
And I'm going to set up CentOS 7.x from now and will check how it
behaves regarding the syslog issue.
I set up a CentOS 7.x environment with the following conditions.

* CentOS 7.5.1804
* ClamAV 0.100.2 from EPEL (Extra Packages for Enterprise Linux by the
Fedora Project)

Next I made the following changes.

1. Add the following line to /etc/rsyslog.conf
*.*;auth,authpriv.none -/var/log/syslog
2. Set LogSyslog to false in both /etc/freshclam.conf and /etc/clamd.d/scan.conf

And finally I rebooted the system. The result is that clamd didn't write
any messages to syslog and executing freshclam didn't either. To make
sure, I set LogSyslog to true and rebooted again. And this time both
clamd and freshclam wrote messages to syslog.

So now the syslog issue is proved to be Debian specific. I don't know
where the source of this issue lies. But anyway I'll send a bug report
to the maintainer of the Debian ClamAV package.

---
Yasuhiro KIMURA
Matus UHLAR - fantomas
2018-11-24 16:06:02 UTC
Post by Yasuhiro KIMURA
I set up a CentOS 7.x environment with the following conditions.
* CentOS 7.5.1804
* ClamAV 0.100.2 from EPEL (Extra Packages for Enterprise Linux by the
Fedora Project)
Next I made the following changes.
1. Add the following line to /etc/rsyslog.conf
*.*;auth,authpriv.none -/var/log/syslog
2. Set LogSyslog to false in both /etc/freshclam.conf and /etc/clamd.d/scan.conf
And finally I rebooted the system. The result is that clamd didn't write
any messages to syslog and executing freshclam didn't either. To make
sure, I set LogSyslog to true and rebooted again. And this time both
clamd and freshclam wrote messages to syslog.
So now the syslog issue is proved to be Debian specific. I don't know
where the source of this issue lies. But anyway I'll send a bug report
to the maintainer of the Debian ClamAV package.
I use Debian 9 (i386) with sysvinit, no logging to syslog is done.
LogSyslog is set to false everywhere.

I don't see any init (only init.d) files for clamd. Do you see any on your
system?
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?
Yasuhiro KIMURA
2018-11-24 16:31:47 UTC
From: Matus UHLAR - fantomas <***@fantomas.sk>
Subject: Re: [clamav-users] Strange behaviors about syslog on Debian
Date: Sat, 24 Nov 2018 17:06:02 +0100
Post by Matus UHLAR - fantomas
I use Debian 9 (i386) with sysvinit, no logging to syslog is done.
LogSyslog is set to false everywhere.
I don't see any init (only init.d) files for clamd. Do you see any on your
system?
Though I use Debian 9 (x86_64) with systemd, there is
/etc/init.d/clamav-daemon on my system. And there are also the following
symbolic links.

***@debian-server[1367]% ll /etc/rc*.d/*clamav-daemon
lrwxrwxrwx 1 root root 23 Mar 16 2018 /etc/rc0.d/K01clamav-daemon -> ../init.d/clamav-daemon*
lrwxrwxrwx 1 root root 23 Mar 16 2018 /etc/rc1.d/K01clamav-daemon -> ../init.d/clamav-daemon*
lrwxrwxrwx 1 root root 23 Mar 16 2018 /etc/rc2.d/S01clamav-daemon -> ../init.d/clamav-daemon*
lrwxrwxrwx 1 root root 23 Mar 16 2018 /etc/rc3.d/S01clamav-daemon -> ../init.d/clamav-daemon*
lrwxrwxrwx 1 root root 23 Mar 16 2018 /etc/rc4.d/S01clamav-daemon -> ../init.d/clamav-daemon*
lrwxrwxrwx 1 root root 23 Mar 16 2018 /etc/rc5.d/S01clamav-daemon -> ../init.d/clamav-daemon*
lrwxrwxrwx 1 root root 23 Mar 16 2018 /etc/rc6.d/K01clamav-daemon -> ../init.d/clamav-daemon*

---
Yasuhiro KIMURA
Matus UHLAR - fantomas
2018-11-27 14:03:14 UTC
Post by Yasuhiro KIMURA
Post by Matus UHLAR - fantomas
I use Debian 9 (i386) with sysvinit, no logging to syslog is done.
LogSyslog is set to false everywhere.
I don't see any init (only init.d) files for clamd. Do you see any on
your system?
Though I use Debian 9 (x86_64) with systemd, there is
/etc/init.d/clamav-daemon on my system. And there are also the following
symbolic links.
init.d is fine. I was more thinking about "/etc/init/" or other systemd
configuration files. They might execute daemons set up to log to stdout and
systemd would log their output to syslog (or, syslog could pull those logs
from systemd).

As I said, on Debian 9 with sysvinit (and syslog-ng) I have no problem like yours.
Can you check which files are open by the clamd and syslog processes?
Maybe something similar happens.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
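Matus's suggestion above (look at which files clamd and the syslog daemon have open) and Scott's earlier point (systemd's journal may be capturing the daemon's output) can both be checked with the following added example, which is not code from the thread, from ClamAV or from systemd. `classify_fds` labels a process's /proc/PID/fd entries: if fds 1 and 2 resolve to `socket:[...]` the stream is being captured by a supervisor, and under systemd that supervisor is journald, so whatever a foreground daemon prints lands in the journal even with LogSyslog off. `journal_transports` counts the `_TRANSPORT` field of `journalctl -o json` entries per identifier, where `stdout` means a captured stream and `syslog` means the process itself called syslog(3). Lines that reach the journal via stdout can then be handed to rsyslog by journald's ForwardToSyslog setting or read by rsyslog's imjournal module, which is one route by which they would end up in /var/log/syslog. The fd table and journal entries in the block are constructed samples; `read_fd_targets` and `journal_json` read the live data and need the appropriate privileges.

```python
"""Where is clamd's output going?  Two checks for the systemd/journal theory.

Added example, not ClamAV or systemd code.  read_fd_targets() and
journal_json() read live data and need the right privileges; the two
classifiers are pure functions, exercised here on constructed samples.
"""
import json
import os
import subprocess
from collections import Counter, defaultdict

STDIO = {0: "stdin", 1: "stdout", 2: "stderr"}


def read_fd_targets(pid):
    """{fd: readlink target} for /proc/PID/fd of a live process."""
    fd_dir = f"/proc/{pid}/fd"
    return {int(n): os.readlink(os.path.join(fd_dir, n)) for n in os.listdir(fd_dir)}


def classify_fds(targets):
    """Label the descriptors that matter for log routing; others are omitted.

    A socket on stdout/stderr means a supervisor is capturing the stream;
    under systemd that supervisor is journald, so whatever the daemon prints
    ends up in the journal even with LogSyslog off.
    """
    labels = {}
    for fd, target in sorted(targets.items()):
        if fd in STDIO:
            if target.startswith("socket:"):
                labels[fd] = f"{STDIO[fd]} -> socket (stream captured by supervisor, e.g. systemd-journald)"
            elif target == "/dev/null":
                labels[fd] = f"{STDIO[fd]} -> /dev/null (not captured)"
            elif target.startswith("/dev/"):
                labels[fd] = f"{STDIO[fd]} -> {target} (terminal)"
            else:
                labels[fd] = f"{STDIO[fd]} -> {target} (redirected)"
        elif target.startswith("/var/log/"):
            labels[fd] = f"log file {target} (LogFile)"
        elif target.startswith("socket:"):
            # readlink cannot tell /dev/log from clamd's own LocalSocket or
            # TCPSocket; `ss -xp` resolves the peer.
            labels[fd] = f"socket {target} (syslog(3) connection or clamd listener; check with ss -xp)"
    return labels


def journal_json(unit):
    """Raw JSON lines for one unit, as produced by journalctl -o json."""
    proc = subprocess.run(
        ["journalctl", "--no-pager", "-o", "json", "-u", unit],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout.splitlines()


def journal_transports(json_lines):
    """{identifier: {_TRANSPORT: count}}.  'stdout' = captured stream,
    'syslog' = the process called syslog(3), 'journal' = native API."""
    counts = defaultdict(Counter)
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        ident = entry.get("SYSLOG_IDENTIFIER") or entry.get("_COMM", "?")
        counts[ident][entry.get("_TRANSPORT", "?")] += 1
    return {ident: dict(c) for ident, c in counts.items()}


# Constructed samples: the fd table of a foreground clamd under systemd,
# and three journal entries in journalctl -o json shape.
SAMPLE_FDS = {
    0: "/dev/null", 1: "socket:[21783]", 2: "socket:[21783]",
    3: "/var/log/clamav/clamav.log", 5: "socket:[21990]",
    7: "/var/lib/clamav/daily.cld",
}
SAMPLE_JOURNAL = [
    json.dumps({"SYSLOG_IDENTIFIER": "clamd", "_PID": "559", "_TRANSPORT": "stdout",
                "MESSAGE": "Wed Nov 14 06:27:06 2018 -> SelfCheck: Database status OK."}),
    json.dumps({"SYSLOG_IDENTIFIER": "clamd", "_PID": "559", "_TRANSPORT": "stdout",
                "MESSAGE": "Wed Nov 14 06:37:06 2018 -> SelfCheck: Database status OK."}),
    json.dumps({"SYSLOG_IDENTIFIER": "freshclam", "_PID": "504", "_TRANSPORT": "syslog",
                "MESSAGE": "Received signal: wake up"}),
]

if __name__ == "__main__":
    for fd, label in classify_fds(SAMPLE_FDS).items():
        print(f"fd {fd}: {label}")
    print(journal_transports(SAMPLE_JOURNAL))
```

On a live Debian host, `classify_fds(read_fd_targets(pid_of_clamd))` and `journal_transports(journal_json("clamav-daemon"))` together answer Matus's question: a clamd with LogSyslog off whose journal entries are all `stdout` is being relayed by systemd rather than calling syslog(3) itself, and the same check on the syslog daemon's descriptors shows whether it holds the journal socket open.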