Hi there,

On Sat, 25 Apr 2015, Dale Carter wrote:

In order for ClamAv to be considered PCI Compliant the logs need to
be kept for 12 months, preferably on a remote server.

How do I configure logs to be kept for this long or is there a way
to do it using rsyslog to a remote server for ClamAV

If anyone has configured these settings before, it would be a big help.

You need to tell us a bit more.  You haven't told us what version of
ClamAV you're using and you haven't told us what operating system(s)
you're using either.

If you're running some flavour of Unix then perhaps you're using
logrotate and syslogd.  If you're using logrotate it's trivial to
change the rotation interval (e.g. daily, weekly, monthly) and the
length of time that logs are kept.  Look in /etc/logrotate.conf if you
have such a file on the machine that's running ClamAV, and possibly
also at files in /etc/logrotate.d/ if you have such a directory.
All the configuration files are plain text and you can edit them with
any text editor.  They're self-explanatory.

Here's a sample of one of the logrotate configuration files on one of
my mail servers:

root@mail4:~# cat /etc/logrotate.d/mail # mail4:/etc/logrotate.d/mail
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/mail.milter-regex
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/cron.log
/var/log/debug
/var/log/messages
/var/log/dmesg
{
        monthly
        rotate 600
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
}
# EOF: /etc/logrotate.d/mail

The following should help with logging remotely with syslogd:

http://unixhelp.ed.ac.uk/CGI/man-cgi?syslog.conf+5

It's less self-explanatory but you can find some examples in that man
page, and many more elsewhere on the 'net.

As with many daemons, you need to restart syslogd or send it a SIGHUP
to get it to read a changed configuration.  More details here:

http://unixhelp.ed.ac.uk/CGI/man-cgi?syslogd+8

Make safe copies of any files that you change before you change them.
Sometimes people break things and it's easier to get back to square 1
if you have the old configuration files. :)

If you're running Windows, now might be a good time to change. :)

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
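The pieces Ged describes (send ClamAV's logs through syslog, forward them to a remote host, and let logrotate keep enough history) fit together as below. This is an added example, not code from the original post or from the ClamAV project, and it assumes things the thread leaves open: rsyslog on both ends, a collector reachable as loghost.example.com (hypothetical hostname), ClamAV logging on syslog facility local6 (ClamAV's default LogFacility), a per-host file path under /var/log/remote and an rsyslogd pid file at /var/run/rsyslogd.pid (both assumptions). The retention check at the end is the one thing worth running before an auditor does: it reads a logrotate stanza and works out how many days of history "interval x rotate N" actually guarantees, including the case where a maxage line silently shortens it.

```shell
#!/bin/sh
# Added example, not from the original post or from the ClamAV project.
# Assumptions (hypothetical): collector is loghost.example.com, ClamAV logs on
# syslog facility local6 (its default LogFacility), rsyslog runs on both hosts,
# and the retention target is 12 months (365 days).
set -eu

# 1. clamd.conf / freshclam.conf: log via syslog. LogSyslog and LogFacility are
#    ClamAV options; LOG_LOCAL6 is the documented default facility.
CLAMAV_CONF_FRAGMENT='LogSyslog yes
LogFacility LOG_LOCAL6'

# 2. rsyslog on the ClamAV host: forward facility local6 to the collector over
#    TCP ("@@"). A single "@" would use UDP, which drops messages under load.
RSYSLOG_CLIENT_FRAGMENT='local6.* @@loghost.example.com:514'

# 3. rsyslog on the collector: listen on TCP 514 and write each sending host's
#    ClamAV messages to its own file (path under /var/log/remote is assumed).
RSYSLOG_SERVER_FRAGMENT='$ModLoad imtcp
$InputTCPServerRun 514
$template ClamPerHost,"/var/log/remote/%HOSTNAME%/clamav.log"
local6.* ?ClamPerHost'

# 4. logrotate on the collector: monthly rotation, 12 archives kept, and a
#    SIGHUP to rsyslogd after rotation so it reopens the files (pid path assumed).
LOGROTATE_FRAGMENT='/var/log/remote/*/clamav.log {
        monthly
        rotate 12
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                kill -HUP "$(cat /var/run/rsyslogd.pid)"
        endscript
}'

# Days of history a logrotate stanza guarantees: "rotate N" keeps N archives,
# so right after a rotation you hold N full intervals (the live file adds up
# to one more, which we do not count). A month is taken as 365/12 days.
retention_days() {
    interval=$1; count=$2
    case $interval in
        hourly)  echo $(( count / 24 )) ;;
        daily)   echo $(( count )) ;;
        weekly)  echo $(( count * 7 )) ;;
        monthly) echo $(( count * 365 / 12 )) ;;
        yearly)  echo $(( count * 365 )) ;;
        *) echo "unknown interval: $interval" >&2; return 1 ;;
    esac
}

# Read one stanza (interval, rotate, optional maxage) and report whether it
# keeps at least MIN_DAYS days; returns 0 if so, 1 if short, 2 if unparseable.
check_retention() {
    stanza=$1; min_days=${2:-365}
    interval=$(printf '%s\n' "$stanza" |
        awk '$1 ~ /^(hourly|daily|weekly|monthly|yearly)$/ {print $1; exit}')
    count=$(printf '%s\n' "$stanza" | awk '$1 == "rotate" {print $2; exit}')
    maxage=$(printf '%s\n' "$stanza" | awk '$1 == "maxage" {print $2; exit}')
    [ -n "$interval" ] && [ -n "$count" ] ||
        { echo "stanza has no interval/rotate line" >&2; return 2; }
    days=$(retention_days "$interval" "$count") || return 2
    # "maxage D" deletes rotated logs older than D days regardless of rotate N.
    if [ -n "$maxage" ] && [ "$maxage" -lt "$days" ]; then days=$maxage; fi
    if [ "$days" -ge "$min_days" ]; then
        echo "OK: $interval x rotate $count keeps >= $days days (target $min_days)"
        return 0
    fi
    echo "SHORT: $interval x rotate $count keeps only $days days (target $min_days)"
    return 1
}

# Stand-alone run: confirm the stanza above meets the 12-month target.
check_retention "$LOGROTATE_FRAGMENT"
```

The check deliberately counts only the N archives, not the live file, so a stanza that passes it keeps a full year even on the morning after a rotation; Ged's "rotate 600" monthly stanza passes by a wide margin, and a "weekly / rotate 4" stanza (the default on many distributions) fails, as does any stanza with a "maxage" below 365. It reads one stanza per string and takes the first interval and rotate line it sees, so run it against each file in /etc/logrotate.d/ separately.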
