Consumable scan results
feldrim


Joined: 29 Nov 2022
Posts: 1
Hi all,

I am using ClamWin and trying to consume ClamWin logs over Wazuh. Since ClamWin creates text reports for scans, I can make the Wazuh agent read the file. However, the log format is actually a report, which means it is not formatted like syslog, etc., so it is not easy to write a decoder to parse it. The format of the logs is not ready to be consumed by any reader except humans.

For instance, successful ClamWin update logs look like:

Code:

--------------------------------------
ClamAV update process started at
...
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)


This is not the best, but it can be consumed with a multiline regex pattern searching for a line matching "\-+" to start and "^bytecode\.cvd.+$" to finish one log entry. And when it fails, the finishing pattern becomes "^ERROR: Update failed\.$".

Code:

--------------------------------------
ClamAV update process started at Tue Nov 01 15:35:27 2022
...
ERROR: Update failed for database: daily
ERROR: Database update process failed: HTTP GET failed
ERROR: Update failed.


When it comes to scans, it gets messy. The starting pattern becomes "^=+$". If the scan is completed, the finishing pattern becomes "^End Date:.+$".

Code:

=================================================================================
Tue 06/21/2022
08:00 AM

-------------------------------------------------------------------------------

...

----------- SCAN SUMMARY -----------
Known viruses: 8619135
Engine version: 0.103.2
Scanned directories: 40223
Scanned files: 221060
Infected files: 0
Data scanned: 0.00 MB
Data read: 23865.59 MB (ratio 0.00:1)
Time: 296.952 sec (4 m 56 s)
Start Date: 2022:06:21 08:00:02
End Date:   2022:06:21 08:04:59


If a scan stops, fails, or is cancelled, the log also stops at the last line produced. There is no indicator of the scan's failure or cancellation. Also, ideally, one scan should have one report, just like the current one. But one scan can have many lines of logs, with timestamp, severity, etc. Currently there is no actual logging capability in ClamWin, only the human-readable reports.

In conclusion, the logging of results is currently unstructured. It would be great if it were possible to enable syslog or JSON (most likely NDJSON) formatted logging per event, with a well-defined structure and standard fields, using a flag, so that only those who need it can enable the feature and consume the logs using a 3rd-party tool.
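The start/finish patterns described in the post, turned into a small report splitter. This is an added example, not code from ClamWin or from the poster; the sample report text is constructed from the layouts quoted above, and it also handles the two pitfalls the post raises: a dashed line inside a scan body is not an update separator, and a scan that never reaches "End Date:" is marked "incomplete" because the report itself carries no failure or cancellation marker.

```python
import re

# Constructed sample in the layouts quoted above: a successful update, a failed update,
# a complete scan (its body contains a dashed line) and a scan cut off before its summary.
SAMPLE_REPORT = """\
--------------------------------------
ClamAV update process started at Tue Nov 01 15:30:00 2022
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
--------------------------------------
ClamAV update process started at Tue Nov 01 15:35:27 2022
ERROR: Update failed.
=================================================================================

-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Infected files: 0
Start Date: 2022:06:21 08:00:02
End Date:   2022:06:21 08:04:59
=================================================================================
Tue 06/22/2022
"""

SCAN_SEP, UPDATE_SEP = re.compile(r"^=+$"), re.compile(r"^-+$")
UPDATE_START = re.compile(r"^ClamAV update process started at\s*(.*)$")
UPDATE_DONE = re.compile(r"^(bytecode\.cvd.+|ERROR: Update failed\.)$")
SCAN_END, FIELD = re.compile(r"^End Date:.+$"), re.compile(r"^([A-Za-z ]+):\s+(.*)$")

def parse_report(text):
    # Returns one dict per update or scan; each dict is ready for json.dumps (NDJSON).
    entries, current, lines = [], None, text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A dashed line opens an update only if the banner follows; inside a scan it is content.
        if SCAN_SEP.match(line) or (UPDATE_SEP.match(line) and UPDATE_START.match(nxt)):
            # Status stays "incomplete" unless the closing line is seen (a cancelled scan has none).
            current = {"type": "scan" if line[0] == "=" else "update",
                       "status": "incomplete", "fields": {}, "errors": []}
            entries.append(current)
        elif current and current["type"] == "update":
            if m := UPDATE_START.match(line):
                current["fields"]["started_at"] = m.group(1)
            elif line.startswith("ERROR:"):
                current["errors"].append(line)
            if UPDATE_DONE.match(line):
                current["status"] = "failed" if line.startswith("ERROR") else "ok"
        elif current and (m := FIELD.match(line)):
            current["fields"][m.group(1).lower().replace(" ", "_")] = m.group(2)
            if SCAN_END.match(line):
                current["status"] = "complete"
    return entries
```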
GuitarBob


Joined: 09 Jul 2006
Posts: 4937
Location: USA
Hello and thanks for this info. It appears to me that we are on our own as ClamWin users. I could be wrong, but I haven't heard from Alch, the lead developer from Australia, in about a year now despite several email attempts. I have not heard from Sherpya, the other developer in Italy for several months. I am no longer using ClamWin personally (I went over to the Dark Side with Clam Av on Linux!), but I still have it installed on my wife's computer to keep in touch, and I try to monitor these forums, but I'm getting awful lonely--most of the posts are from spammers!

Regards,