[Pkg-clamav-devel] Bug#904013: Bug#904013: clamav-freshclam: it breaks also logcheck integration

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sun Nov 1 12:30:43 GMT 2020


On 2020-08-20 20:28:28 [+0200], Luca Arzeni wrote:
> Package: clamav-freshclam
> Version: 0.102.4+dfsg-0+deb10u1
> Followup-For: Bug #904013
> 
> Dear Maintainer,
> Logging the timestamp inside the message also breaks the logcheck rules.
> For example, the first logcheck (ignore.d.server) rule states:
> 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: ClamAV update process started at .*$
> 
> But the message written in the logs is:
> 
> Aug 20 18:26:53 mail freshclam[15525]: Thu Aug 20 18:26:53 2020 -> ClamAV update process started at Thu Aug 20 18:26:53 2020
> 
> As you can see, the timestamp written after the process id is NOT matched by the logcheck rule.
> 
> You can solve the issue by altering all the rules, inserting a regexp to match the timestamp as follows:
> 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: \w{3} \w{3} [ :0-9]{16} -> ClamAV update process started at .*$
> 
> But the best thing, imho, is to avoid printing the timestamp inside the message, since rsyslog already writes the timestamp at the beginning of the log record.

I need to reevaluate the whole systemd integration we have right now.
We revert parts of it for different reasons.

There are two things you have to consider:
- on a non-systemd system clamav will log directly to
  /var/log/clamav/$file.

- on a systemd system clamav logs additionally to STDOUT. This
  information is fed into syslog and ends in `daemon.log' with the
  additional timestamps. One log file is probably enough.
  The output is also visible in systemd's journal and it looks like
  yet another copy.
  Starting with Bullseye, systemd's journal is kind of permanent storage
  (while right now it is thrown away on reboot). Of course it can still
  be disabled and people might use their favorite `syslog' daemon but I
  think this part needs reworking.

Since 7.5.0 logwatch can use journalctl. I'm leaning towards dropping
the custom logfiles in the systemd case and using the default journal
option and systemd handling it.

Any opinions?

> Thanks,
> Luca

Sebastian
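An added example (not from the report, nor from the clamav or logcheck packages) that runs the ignore rule quoted above through grep -E, as logcheck does, against a constructed copy of the logged line and a constructed copy of the same event without the in-message timestamp. RULE_BOTH, which makes the in-message timestamp optional so the rule survives either freshclam output format, is my own addition; it assumes GNU grep, as shipped on Debian.

```shell
#!/bin/sh
# Constructed log lines: the current freshclam output with its own timestamp
# in the message, and the same event as it would look without it.
LINE_WITH_TS='Aug 20 18:26:53 mail freshclam[15525]: Thu Aug 20 18:26:53 2020 -> ClamAV update process started at Thu Aug 20 18:26:53 2020'
LINE_PLAIN='Aug 20 18:26:53 mail freshclam[15525]: ClamAV update process started at Thu Aug 20 18:26:53 2020'

# The shipped ignore.d.server rule quoted in the report.
RULE_ORIG='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: ClamAV update process started at .*$'
# The amended rule proposed in the report; it requires the in-message timestamp.
RULE_FIXED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: \w{3} \w{3} [ :0-9]{16} -> ClamAV update process started at .*$'
# My own variant (not from the report): the in-message timestamp is optional,
# so the rule keeps working if freshclam stops printing it.
RULE_BOTH='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (\w{3} \w{3} [ :0-9]{16} -> )?ClamAV update process started at .*$'

# ignored_by RULE LINE: succeeds when logcheck would drop LINE because RULE
# matches it (logcheck feeds its ignore rules to grep -E; \w needs GNU grep).
ignored_by() {
  printf '%s\n' "$2" | grep -E -q -- "$1"
}

# reported_count RULE LINE...: number of lines RULE leaves unmatched, i.e.
# the lines logcheck would still mail to the admin.
reported_count() {
  rule=$1; shift; n=0
  for line in "$@"; do
    ignored_by "$rule" "$line" || n=$((n + 1))
  done
  echo "$n"
}

# Show how many of the two sample lines each rule still reports.
for rule in "$RULE_ORIG" "$RULE_FIXED" "$RULE_BOTH"; do
  echo "reported lines: $(reported_count "$rule" "$LINE_WITH_TS" "$LINE_PLAIN")"
done
```

Both the shipped rule and the amended one report exactly one of the two lines, which is why fixing only the rule or only freshclam leaves a gap during the transition.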
