ClamAV 'Last Scanned' and 'Definition Date' not populating

jcanoy24
New Member

Good morning everyone, first time poster and very much a novice Splunk user.

My colleague is currently having an issue with our cyber team's dashboards not populating with ClamAV's Last Scanned and definition date properties. Currently, we're implementing a temporary solution for having the definition dates populate properly, by manually setting the permissions to '644' on main.cvd, daily.cvd, and bytecode.cvd, and I think also for the database, via an Ansible ad-hoc command. Is this something I can fix by modifying the inputs.conf file? If so, what properties would I need to add?

For the 'Last Scanned' problem, Splunk simply shows up with 'Not Found'. I'm unsure of how to address this one, so any starters would be great.

I should add, this Splunk Enterprise instance is in an air-gapped environment.

Thank you all in advance

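A small readability check, added here as an example and not part of the original post or of any Splunk app: it reads the ClamAV CVD header (the first 512 bytes, where the definition build date lives) and reports whether the file is world-readable, which is what the '644' workaround above makes it. The header layout is the documented CVD format; the sample header values, file name and temp-directory paths are constructed for this example.

```python
import os
import stat
import tempfile
from datetime import datetime

# Constructed sample header in the CVD layout (fields joined by ':'):
# ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
# All values below are made up; a real daily.cvd carries real ones.
SAMPLE_HEADER = (
    b"ClamAV-VDB:24 Apr 2024 08-51 -0400:27250:2063000:90:"
    b"0123456789abcdef:dsigplaceholder:builder:1713962000"
)

def parse_cvd_header(raw: bytes) -> dict:
    """Parse the 512-byte CVD header and return version, signature count and build date."""
    header = raw[:512].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    fields = header.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 4:
        raise ValueError("not a ClamAV CVD header")
    built = datetime.strptime(fields[1], "%d %b %Y %H-%M %z")
    return {"version": int(fields[2]), "signatures": int(fields[3]),
            "definition_date": built.date().isoformat()}

def check_definition_file(path: str) -> dict:
    """Report the file mode, whether 'other' users (e.g. the account a Splunk
    scripted input runs as) may read it, and the parsed definition date."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    result = {"path": path, "mode": oct(mode),
              "world_readable": bool(mode & stat.S_IROTH)}
    try:
        with open(path, "rb") as fh:
            result.update(parse_cvd_header(fh.read(512)))
    except (OSError, ValueError) as exc:
        result["definition_date"] = f"Not Found ({exc})"  # mirrors the dashboard symptom
    return result

def demo() -> dict:
    """Write the constructed header to a temp 'daily.cvd', check it at mode 0600,
    then at 0644 as in the workaround from the post, and return both reports."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "daily.cvd")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_HEADER.ljust(512, b"\x00"))  # pad to the 512-byte header
        os.chmod(path, 0o600)
        out["before"] = check_definition_file(path)
        os.chmod(path, 0o644)
        out["after"] = check_definition_file(path)
    return out

if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Run it against the real /var/lib/clamav (or wherever the database lives on your hosts) with `check_definition_file` to see which files the forwarder's account cannot read without the chmod.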