Re: [Clamav-users] Logging to /var/spool/mail/root
Dennis Peterson wrote:
> McGlynn, Sean (DOB) wrote:
>> Hello,
>>
>> The /var/spool/mail/root log files on our servers are logging every file
>> that clamav scans, causing the files to become huge. I don't see what
>> in our clamd.conf configuration files would be causing this. Our
>> configuration file follows - any help would be appreciated.
>>
>
> It looks like whatever is calling clamav is doing that logging. Clam is
> logging to /var/log/clam/clamd.log. What process do you call clam with?
>

Well what a dunce I can be - I misread that to be your syslog file. Sorry
for the confusion.

dp
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Logging to /var/spool/mail/root
Thanks to all who replied. I received an excellent suggestion from Rob that resolved the issue.

This e-mail, including any attachments, may be confidential, privileged or otherwise legally protected. If you have received this e-mail in error, or from someone who was not authorized to send it to you, do not disseminate, copy or otherwise use this e-mail or its attachments. Please notify the sender immediately if you have received this e-mail by mistake, and delete it from your system.
Re: [Clamav-users] Logging to /var/spool/mail/root
Rob,

Thank you again for taking the time to reply, and for providing two useful alternatives. The first worked perfectly, and I believe I'll try the second as it would be a much simpler script overall. Thanks again.

Sean
Re: [Clamav-users] Logging to /var/spool/mail/root
McGlynn, Sean (DOB) wrote:
> Hello,
>
> The /var/spool/mail/root log files on our servers are logging every file
> that clamav scans, causing the files to become huge. I don't see what
> in our clamd.conf configuration files would be causing this. Our
> configuration file follows - any help would be appreciated.
>

It looks like whatever is calling clamav is doing that logging. Clam is
logging to /var/log/clam/clamd.log. What process do you call clam with?

dp
Re: [Clamav-users] Logging to /var/spool/mail/root
On 9/24/07, McGlynn, Sean (DOB) <[EMAIL PROTECTED]> wrote:
> Rob,
>
> Thank you for your reply.
>
> So to be clear, cron is calling a script (below). I assume even though
> cron is calling a script, rather than the individual commands in the
> script, your same suggestion applies? If so, would it be a matter of
> adding 1>/dev/null to the end of each line? I'm somewhat new to Linux,
> so forgive my elementary queries. Thank you.

The easiest approach is to append the following to the line in cron (so
you can run the script interactively and see the output):

  ">/dev/null 2>/dev/null"

Alternatively, replace your script with the following:

>>>>>
#!/bin/sh
# Directories to scan, separated by spaces
PARTITIONS="/ /_admin /bin /boot /etc /lib /mnt /opt /sbin /srv /tmp /usr /var"
# ${PARTITIONS} is left unquoted on purpose so it splits into one word per path
for PARTITION in ${PARTITIONS}
do
  # Results go to the -l log file; stdout and stderr are discarded so cron has nothing to mail
  clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan "${PARTITION}" >/dev/null 2>&1
done
<<<<<

Much easier to change where the output is directed now :)

If you simply want to scan all disk partitions replace the second line with:

  # keep only the mount point (column 6) of each local device line
  PARTITIONS=`df -lP | awk '$1 ~ "^/" {print $6}'`

That will list all the mounted disk partitions that are local to the host
in question.

--
Please keep list traffic on the list.

Rob MacGregor
  Whoever fights monsters should see to it that in the process he
  doesn't become a monster. Friedrich Nietzsche
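Sending all output to /dev/null, as in the reply above, also silences cron's mail when a scan finds something. The following is an added example (not from the thread and not ClamAV project code): a cron wrapper that prints nothing for clean scans and one line per detection or scanner error, based on clamscan's exit status. The variable names and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. SCANNER, LOG and QUARANTINE are
# assumed variable names; the two paths are the ones used in the thread.
SCANNER="${SCANNER:-clamscan}"
LOG="${LOG:-/var/log/clam/dailyclamscan}"
QUARANTINE="${QUARANTINE:-/var/log/clam/infected}"

# Read `df -lP` output on stdin and print the mount point (column 6) of
# every line whose device name starts with "/". This drops the header and
# pseudo-filesystems such as tmpfs. Assumes mount points without spaces.
local_mounts() {
    awk '$1 ~ "^/" { print $6 }'
}

# Scan each path given as an argument. Clean paths print nothing, so cron
# has nothing to mail. A detection or scanner error prints one line, so
# root is mailed only when something needs attention.
# Returns the worst clamscan exit status seen: 0 clean, 1 virus found,
# 2 error.
scan_quiet() {
    worst=0
    for path in "$@"; do
        rc=0
        # -i: report infected files only; detections are recorded in $LOG
        "$SCANNER" -r -i --no-summary --move="$QUARANTINE" -l "$LOG" \
            "$path" >/dev/null 2>&1 || rc=$?
        case $rc in
            0) ;;
            1) echo "INFECTED: detections under $path, see $LOG" ;;
            *) echo "ERROR: scanner exit status $rc on $path, see $LOG" ;;
        esac
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Cron entry point: run as "scan-wrapper.sh --cron" (hypothetical name).
if [ "${1:-}" = "--cron" ]; then
    scan_quiet $(df -lP | local_mounts)
fi
```

Because "/" is scanned recursively, listing other mount points beneath it scans those trees a second time.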
Re: [Clamav-users] Logging to /var/spool/mail/root
Rob,

Thank you for your reply.

So to be clear, cron is calling a script (below). I assume even though cron is calling a script, rather than the individual commands in the script, your same suggestion applies? If so, would it be a matter of adding 1>/dev/null to the end of each line? I'm somewhat new to Linux, so forgive my elementary queries. Thank you.

clamscan --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /_admin
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /bin
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /boot
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /etc
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /lib
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /mnt
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /opt
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /sbin
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /srv
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /tmp
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /usr
clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscan /var
Re: [Clamav-users] Logging to /var/spool/mail/root
On Mon, Sep 24, 2007 at 08:20:30AM -0400, McGlynn, Sean (DOB) said:
> Hello,
>
> The /var/spool/mail/root log files on our servers are logging every file
> that clamav scans, causing the files to become huge. I don't see what
> in our clamd.conf configuration files would be causing this. Our
> configuration file follows - any help would be appreciated.

Figure out what is generating mail to root. Then reconfigure your system
so that mail to root goes to a real account instead of the mail spool.

--
| Stephen Gran                  | Vitamin C deficiency is apauling. |
| [EMAIL PROTECTED]             |                                   |
| http://www.lobefin.net/~steve |                                   |
Re: [Clamav-users] Logging to /var/spool/mail/root
On 9/24/07, McGlynn, Sean (DOB) <[EMAIL PROTECTED]> wrote:
> Hello,
>
> The /var/spool/mail/root log files on our servers are logging every file
> that clamav scans, causing the files to become huge. I don't see what
> in our clamd.conf configuration files would be causing this. Our
> configuration file follows - any help would be appreciated.

How are you calling clamav - if it's from cron then remember to redirect
the output or, as you're finding, root will get mailed with the output.

Otherwise - how about some detail?

--
Please keep list traffic on the list.

Rob MacGregor
  Whoever fights monsters should see to it that in the process he
  doesn't become a monster. Friedrich Nietzsche
[Clamav-users] Logging to /var/spool/mail/root
Hello,

The /var/spool/mail/root log files on our servers are logging every file that clamav scans, causing the files to become huge. I don't see what in our clamd.conf configuration files would be causing this. Our configuration file follows - any help would be appreciated.

##
## Config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clam/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 10M

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
LogClean no

# Use system logger (can work together with LogFile).
# Default: no
LogSyslog no

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
LogFacility LOG_LOCAL6

# Enable verbose logging.
# Default: no
LogVerbose no

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/lib/clamav/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav

# The daemon works in a local OR a network mode. Due to security reasons we
# recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/lib/clamav/clamd-socket

# Remove stale socket after unclean shutdown.
# Default: no
FixStaleSocket yes

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 15
#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 10M
#StreamMaxLength 20M

# Limit port range.
# Default: 1024
#StreamMinPort 3
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
#ReadTimeout 300

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Maximum depth directories are scanned at.
# Default: 15
MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Perform a database check.
# Default: 1800 (30 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
VirusEvent /bin/echo "VIRUS ALERT: %v" | /bin/mail -s "ClamAV" -r [EMAIL PROTECTED] [EMAIL PROTECTED]

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
#User vscan

# Initialize supplementary group access (clamd must be started by root).
# Default: no
#AllowSupplementaryGroups no

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
Foreground no

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes

##
## Executable files
##

# PE stands for Portable Executable - it's an executable fil