Yes, the easiest way is via syslog.
Run ClamAV on each host. I run it like this:
/usr/bin/clamscan -i -r $SCAN_DIR $EXCLUDE --log=$LOG_FILE --stdout | logger -i -t clamav -p auth.alert
Also make sure to update the freshclam config:
- Edit the /etc/freshclam.conf file
- Make sure the setting LogSyslog yes is enabled.
If your host already sends all of its syslog to Splunk, it should work for you.
A bit more clarity:
The default behavior of the app is to monitor the sourcetype syslog for CLAMAV logs and it looks for the keyword "clamav" in the syslog messages.
The example above will pipe all scan data to "logger" to send it into the syslog system with the correct keyword.
I run a few different clamscans via cron, some once a day and others once a week. It just depends on how and what you want to scan. It is up to you how you want to do this. There is no standard. Please read the man page to understand all possible uses.
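
A cron wrapper for the clamscan-to-logger pipeline described above, as an added example that is not part of the original post. The default paths, the EXCLUDE_DIRS variable, the "run" argument and the auth.err failure message are assumptions; it keeps clamscan's exit code (0 clean, 1 infected, anything else an error), which a plain pipe into logger discards, so a scan that fails also shows up in syslog under the clamav tag.

```shell
#!/bin/sh
# Added example: run clamscan from cron and forward results to syslog under
# the tag "clamav", the keyword the Splunk app looks for in sourcetype syslog.
# All defaults below are assumed values; adjust them per host.
SCAN_DIR="${SCAN_DIR:-/home}"
LOG_FILE="${LOG_FILE:-/var/log/clamscan-cron.log}"
EXCLUDE_DIRS="${EXCLUDE_DIRS:-/proc /sys /dev}"   # space-separated, no spaces in paths
CLAMSCAN="${CLAMSCAN:-/usr/bin/clamscan}"
LOGGER="${LOGGER:-logger}"

run_scan() {
    rc=0
    # Same options as the command in the post, plus one --exclude-dir per entry.
    set -- -i -r --stdout --log="$LOG_FILE"
    for d in $EXCLUDE_DIRS; do
        set -- "$@" --exclude-dir="$d"
    done

    # Capture the output instead of piping directly, so the scanner's own exit
    # code survives (a pipeline would report logger's status instead).
    out=$("$CLAMSCAN" "$@" "$SCAN_DIR" 2>&1) || rc=$?

    # -i limits the output to infected files and the summary, so it stays small.
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | "$LOGGER" -i -t clamav -p auth.alert
    fi

    # Exit codes above 1 mean the scan itself failed; log that under the same
    # tag so a host whose scans silently stopped can be found in Splunk.
    if [ "$rc" -gt 1 ]; then
        printf '%s\n' "clamscan failed rc=$rc dir=$SCAN_DIR" |
            "$LOGGER" -i -t clamav -p auth.err
    fi
    return "$rc"
}

# Cron passes "run" (hypothetical install path shown):
#   30 2 * * * /usr/local/sbin/clamscan-syslog.sh run
# Without the argument the file only defines run_scan.
if [ "${1:-}" = "run" ]; then
    run_scan
    exit $?
fi
```
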