Re: What is the appropriate configuration for the ...

p1rate5s · ‎03-09-2015

We have setup the ClamAV app for Splunk and are tweaking the config of Clam on the clients to send the appropriate amount of data to Splunk to populate the dashboards. Has anyone done this and can offer the appropriate ClamAV config?

pbalsley · ‎03-09-2015

Yes the easiest way is via syslog.

Run clamav on each host. I run it like this:

/usr/bin/clamscan -i -r $SCAN_DIR $EXCLUDE --log=$LOG_FILE --stdout | logger -i -t clamav -p auth.alert

Also make sure to update freshclam config
- Edit the /etc/freshclam.conf file
- Make sure setting LogSyslog yes is enabled.

If your host already sends all of it's syslog to splunk it should work for you.

woodcock · ‎05-14-2019

Please elaborate. What does this command do? Does it need to be run only once? What are the environment variables supposed to have in them? This is a very incomplete answer.

pbalsley · ‎05-15-2019

A bit more clarity:

The default behavior of the app is to monitor the sourcetype syslog for CLAMAV logs and it looks for the keyword "clamav" in the syslog messages.

The example above will pipe all scan data to "logger" to send it into the syslog system with the correct keyword.

I run a few different clamscans via cron. Some once a day and others once a week. Just depends on how and what you want to scan. It is up to you on how you want to do this. There is no standard. Please read the man page to understand all possible uses.

What is the appropriate configuration for the ClamAV app to send data to Splunk?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!