Looks like the clamav rules are just fine. 

Only the clamav daemon writes to syslog. So I added an rsyslog config:

# Legacy rsyslog syntax: tail the clamscan log file and re-inject each line into syslog
$ModLoad imfile

$InputFileName {{ clamav_scan_log_file }}
# Tag every line as "clamd:" so the existing OSSEC clamd decoder/rules match it
$InputFileTag clamd:
# State file is kept under rsyslog's $WorkDirectory, so this should resolve to a plain file name
$InputFileStateFile stat-{{ clamav_scan_log_file }}

$InputFileSeverity error
$InputFileFacility local7
$InputRunFileMonitor


Then some cron jobs to run clamscan on directories, e.g. (where I have the 
EICAR test signature file in /tmp):

clamscan --log=/var/log/clamav/clamav.log --no-summary --infected --remove=no --recursive=yes /tmp

And magically I get alerts in OSSEC. Very very nice.

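To make the pipeline above concrete, here is an added example (not code from the original post or from the OSSEC or ClamAV projects) that shows what happens to a clamscan log line on its way to OSSEC. It builds the RFC 3164 style syslog message rsyslog's imfile input would emit for each line under the configuration quoted above (facility local7 and severity error give PRI 187, tag "clamd:"), and it extracts the path and signature name from the "FOUND" lines that the clamd rules alert on. The sample log content, the hostname and the timestamp are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of what "clamscan --infected --no-summary --log=..." appends to its
# log file; the EICAR file is the one the poster placed under /tmp. Not captured output.
SAMPLE_LOG = """\
/tmp/eicar.com: Eicar-Test-Signature FOUND
/tmp/sub/eicar.zip: Eicar-Test-Signature FOUND
/tmp/notes.txt: Empty file
LibClamAV Warning: **************************************************
"""

# Values from the rsyslog imfile configuration in the post
FACILITY_LOCAL7 = 23
SEVERITY_ERROR = 3
TAG = "clamd:"

# clamscan reports an infection as "<path>: <signature name> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def syslog_pri(facility=FACILITY_LOCAL7, severity=SEVERITY_ERROR):
    """Syslog PRI value: facility * 8 + severity (local7/error -> 187)."""
    return facility * 8 + severity


def to_syslog(line, hostname="scanhost", when=None):
    """Build the RFC 3164 style message rsyslog imfile emits for one file line.

    hostname and timestamp are assumptions for the example.
    """
    when = when or datetime(2015, 1, 1, 12, 0, 0)
    # RFC 3164 timestamp: "Mmm dd HH:MM:SS" with a space-padded day
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{syslog_pri()}>{ts} {hostname} {TAG} {line}"


def parse_found(line):
    """Return {'path', 'signature'} for a clamscan FOUND line, else None."""
    m = FOUND_RE.match(line)
    if not m:
        return None
    return {"path": m.group("path"), "signature": m.group("sig")}


def detections(log_text):
    """All FOUND events in a clamscan log; warnings and 'Empty file' lines are ignored."""
    return [d for d in (parse_found(l) for l in log_text.splitlines()) if d]


def forwarded(log_text):
    """The syslog messages rsyslog would hand to OSSEC, one per non-empty log line."""
    return [to_syslog(l) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for msg in forwarded(SAMPLE_LOG):
        print(msg)
    for d in detections(SAMPLE_LOG):
        print(f"alert: {d['signature']} in {d['path']}")
```

Only the two FOUND lines become detections; the "Empty file" and LibClamAV warning lines are still forwarded with the same tag and severity, which is the check to keep in mind if the OSSEC rules start firing on noise rather than on infections.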