How-To: ClamAV Web Reporting

americanintel

I found this little script and thought I would give it a whirl for reporting ClamAV results:

http://pandaemail.sourceforge.net/av-tools/

Demo Here

Download here

Both links can be found on the site above.

There aren't really any instructions but the install file walks you through things and is pretty simple.

I did a cd to /home/myuser/public_html/cgi-bin

then

#wget http://pandaemail.sourceforge.net/download/perl-install.tgz

(expand the url accordingly, it gets truncated here)

Untar the file:
#tar xzvf perl-install.tgz

It then creates a perl-logscan/ directory

#cd perl-logscan/

while you are there

#pico -w readme.txt

you can also take a look at the install.pl file to see what it is going to ask:

#pico -w install.pl

when you are ready to install just do:

#./install.pl

It will walk you through a few questions, language (English is default), what virus scanner you are using (CLAMAV), where to find the logs (mine and most are /var/log/maillog) then it asks where you want your /virus directory which is where it is going to place your files so, for example:

/home/youruser/public_html/cgi-bin/virus/

when it asks you about cycles just leave it at '4', has to do with log rotation, weeks..etc.

It will create the 'virus' directory in your cgi-bin and place the necessary files including crontab.pl which as you might expect reads the logs and generates the reports and display.pl which is the file you want to view in your browser to actually view the reports. You can alter display.pl to change text, colors..etc if you want.

Don't forget to change ownership to your user:

#cd .. (if you are in cgi-bin/virus/)

#pwd
you should be in:
#/home/youruser/public_html/cgi-bin
then
#chown youruser:youruser * -R
or
#chown youruser:youruser virus/ -R

Pretty simple script and setup that will give you weekly graphs, keep in mind that ClamAV will need to be running for a week or more to see any graphs. My ClamAV install is only a day old so I will have to wait a few days for results.

Note: Mod, feel free to move this to the How-To forum if you see fit or feel it is needed there.
 
Got a 500 error :-(
The file display.pl is 755.
I call the script directly at: domain.com/cgi-bin/virus/display.pl

Something wrong or waiting 24 hours?
 
My bad, forgot to specify that you need to chown the files to the site owner's name. 755 is the correct permission. Do this:

#cd ..
#pwd
#/home/youruser/public_html/cgi-bin
#chown youruser:youruser * -R
or
#chown youruser:youruser virus/ -R

I will update the instructions above, let me know if that does the trick for you.
 
But not updating :-(
Do I set a crontab or something to update the reporting?
 
Well.. there's the crontab.pl file; do a ./crontab.pl and see if it doesn't update the graphs... we may have to email the author beyond that... damn programmers like to code but don't like writing directions/manuals!
 
Hey Guys
I am the one who wrote it (and got the blame for not documenting it ??) Anyway the program is expected to operate like this along with logrotate

prompt> cat /etc/logrotate.d/clamav
/var/log/clamd.log {
postrotate
/var/htdocs/cgi-bin/virus/crontab.pl
/etc/init.d/clamd restart 2> /dev/null
endscript
create 644 clamav clamav
rotate 20
}

OR
prompt> crontab -l root
20 * * * 0 /usr/sbin/logrotate /etc/logrotate.conf

30 * * * 0 /var/htdocs/cgi-bin/crontab.pl



You need to make sure the clamd logs are ROTATING!! You need to make sure permissions are right for the scripts and the files where they are installed. You need to run the crontab program AFTER ROTATING the log files and not before rotating the log files.

Good luck
 
vijay, thanks for the script.... we are still a bit lost.

Part of the problem is the section for installation in the How-To MailScanner/ClamAV/SpamAssassin is still missing some instructions I think:

My /etc/clamav.conf has:

# Uncomment this option to enable logging.
# LogFile must be writable for the user running the daemon.
# Full path is required.
#LogFile /tmp/clamd.log
LogFile /var/log/clamav/clamd.log

Yet there was no clamd.log in that directory.. or anywhere.

I created it, set ownership to clamav... sent an email with the test virus.txt attachment.. clamav caught it.. but it's logging it to /var/log/maillog which is what I have my crontab.pl set to:

$logfile="/var/log/maillog";

/var/log/maillog says:

Mar 22 20:41:03 server MailScanner[1003]: Virus and Content Scanning: Starting
Mar 22 20:41:03 server MailScanner[1003]: /var/spool/MailScanner/incoming/1003/./1B5bqe-0007fH-6u/virus.txt: ClamAV-Test-Signature FOUND
Mar 22 20:41:03 server MailScanner[1003]: Virus Scanning: ClamAV found 1 infections
Mar 22 20:41:03 server MailScanner[1003]: Infected message 1B5bqe-0007fH-6u came from 24.1.167.80
Mar 22 20:41:03 server MailScanner[1003]: Virus Scanning: Found 1 viruses
Mar 22 20:41:04 server MailScanner[1003]: Saved infected "virus.txt" to /var/spool/MailScanner/quarantine/20040322/1B5bqe-0007fH-6u
Mar 22 20:41:04 server MailScanner[1003]: Silent: Delivered 1 messages containing silent viruses
Mar 22 20:41:04 server MailScanner[1003]: Notices: Warned about 1 messages

I think MailScanner is dictating the logging and maybe your script isn't able to pull the clamav info out of the maillog with everything else that is in there... is that the prob?

What are we missing here vijay?
 
MailScanner has its own logging criteria. As long as clamav is running with logging, the clamd daemon writes to ITS log file (/var/log/clamd.log or equivalent) a line

stream: Win32.Mix FOUND

or if you have timestamping turned on

Tue Mar 23 10:02:58 2004 -> stream: Win32.Mix FOUND

This is the information my perl scripts are looking at. My script does not look at the maillog file (typically), as many times it is a permission issue when you run it from the cron job. But it looks at the clamd.log file, which is usually 644 permissions with read access to anyone.

I hope that makes sense now.
 
vijay said:
Hey Guys
I am the one who wrote it (and got the blame for not documenting it ??) Anyway the program is expected to operate like this along with logrotate

prompt> cat /etc/logrotate.d/clamav
/var/log/clamd.log {
postrotate
/var/htdocs/cgi-bin/virus/crontab.pl
/etc/init.d/clamd restart 2> /dev/null
endscript
create 644 clamav clamav
rotate 20
}

OR
prompt> crontab -l root
20 * * * 0 /usr/sbin/logrotate /etc/logrotate.conf

30 * * * 0 /var/htdocs/cgi-bin/crontab.pl

Good luck

This is in my cron:
0 * * * * /usr/bin/freshclam --quiet -l /var/log/clam-update.log
20 * * * * /usr/sbin/logrotate /etc/logrotate.conf
30 * * * 0 /home/user/domains/user.com/public_html/virus/cgi-bin/virus/crontab.pl


But not updating.
Tips or help?
 
Has anyone gotten ClamAV to log the found viruses?

I would also like this mod, but whatever I do, I can't get ClamAV to log the found viruses in the /var/log/clamav/clamd.log file...

Chowning the log to user clamav didn't really work.
 
mailwash looks really nice but seems to be quite complex to install too.

Anybody willing to write a how-to for it?
 
Possibly at the beginning of the week. The INSTALL file has pretty good instructions.
 
I got it running.

I re'wrote' the parser from the perl script to be able to parse the /var/log/maillog from DA.
It's not entirely perfect, but it should work ok :)

The first lines of the install.pl are:
note: i changed the grandtotal variable for my own usage...
#!/usr/bin/perl
# This is by vijay vijay\@ericavijay.net version 1.3.7
# Touch the required settings here if you are familiar.
# Easiest thing is change the local language.
$grandtotal="Totalen"; # Needs other language translation
@MONTHS=("Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec");
%COMMANDS=(
After that there's a line mentioning clamav.
You'll need to change that one, to say the following:
"CLAMAV" => "grep 'FOUND' | cut -d: -f5 | cut -d \" \" -f2 | sed -e 's/.*:\(.*\) FOUND/\1/' | grep -v Test",
The rest needs to be the same.

Now, install it, and just say /var/log/maillog is the mail log thingy.

It works quite well here, although I can't show a good demo at the moment, as my virus scanner was down for over a week here...
(MailScanner didn't respond well to a reboot).
But no users complained.

For the fun of it:
cat /var/log/maillog | grep FOUND | cut -d: -f1,2,3,5 | cut -d " " -f1,2,3,6 | sed -e 's/.*:\\(.*\\) FOUND/\\1/' | grep -v Test

A version with times and dates, although i couldn't get it to work...
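
An added example, not part of any post in this thread and not the script's own code: a shell function that extracts detections, with their timestamps, from both log formats quoted above (clamd.log lines with or without timestamps, and MailScanner lines in maillog). The function names and the sample log are constructed for illustration; the signature is taken from after the last ": " because the attachment filename earlier in a MailScanner line is chosen by the sender.

```shell
#!/bin/sh
# Added example: extract ClamAV detections from both log formats quoted in this thread.
# Function names are illustrative; sample_log is constructed test data, not a real log.

sample_log() {
cat <<'EOF'
Tue Mar 23 10:02:58 2004 -> stream: Win32.Mix FOUND
stream: Win32.Mix FOUND
Mar 22 20:41:03 server MailScanner[1003]: Virus and Content Scanning: Starting
Mar 22 20:41:03 server MailScanner[1003]: /var/spool/MailScanner/incoming/1003/./1B5bqe-0007fH-6u/virus.txt: ClamAV-Test-Signature FOUND
Mar 22 20:45:10 server MailScanner[1003]: /var/spool/MailScanner/incoming/1003/./1B5bqf-0007fI-7v/re: Clean FOUND.zip: Example.Constructed-1 FOUND
Mar 22 20:45:10 server MailScanner[1003]: Virus Scanning: ClamAV found 1 infections
EOF
}

# Reads log lines on stdin; prints "<timestamp><TAB><signature>" per detection.
extract_detections() {
    awk '
    / FOUND[ \t]*$/ {                      # detections end in upper-case FOUND
        sig = $0
        sub(/ FOUND[ \t]*$/, "", sig)      # drop the trailing marker
        sub(/^.*: /, "", sig)              # greedy: keep what follows the LAST ": "
        ts = "-"                           # clamd.log without timestamps
        if ($3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/)
            ts = $1 " " $2 " " $3          # syslog style (maillog)
        else if ($4 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ && $6 == "->")
            ts = $1 " " $2 " " $3 " " $4 " " $5   # clamd.log with timestamps
        print ts "\t" sig
    }'
}

# Per-signature totals, skipping the test signature as the pipeline in the post does.
count_signatures() {
    extract_detections | cut -f2 | grep -vx 'ClamAV-Test-Signature' |
        sort | uniq -c | awk '{ print $1, $2 }'
}

sample_log | count_signatures
# Real use: count_signatures < /var/log/maillog
```

The fifth sample line carries a filename containing both ": " and "FOUND"; matching only at the end of the line keeps that text out of the reported signature.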
 
Mail watch

Hi to all,

Could mailwatch work for users as well or just server wide?

Also, is any log rotating cron needed for things to work?

Any tips?

Thanks,
 
Regarding the simple ClamAV stats.

May I ask why the logs are not rotating? The config is Webmin,
MailScanner, sendmail, ClamAV.