We have setup the ClamAV app for Splunk and are tweaking the config of Clam on the clients to send the appropriate amount of data to Splunk to populate the dashboards. Has anyone done this and can offer the appropriate ClamAV config?
The default behavior of the app is to monitor the sourcetype syslog for CLAMAV logs and it looks for the keyword "clamav" in the syslog messages.
The example above will pipe all scan data to "logger" to send it into the syslog system with the correct keyword.
I run a few different clamscans via cron. Some once a day and others once a week. Just depends on how and what you want to scan. It is up to you on how you want to do this. There is no standard. Please read the man page to understand all possible uses.