[Sorry for the top-posting; Outlook]

That all sounds helpful, but unfortunately there are no socket or service files (other than /usr/lib/systemd/system/[email protected], for which I have a clamd@scan service). None of the RPM scripts mention anything about sockets.

I thought it might all be down to logrotate at the end of the day, so I've changed the restart line to a reload line (will that close and reopen any log files?), but it seems something else odd is going on given that "/etc/logrotate.d/clamd" file contains

    create 644 root root

and all of my /var/log/clamd.scan files are owned by clamscan:clamscan...? So obviously when I run "logrotate -f /etc/logrotate.d/clamd" the resulting new /var/log/clamd.scan is owned by root:root which obviously means clamd can't write to it until I manually change the ownership. I don't understand how that's happening.

So now I have two problems (-:

Ben

--
Servers and Storage Team, UIS, University of Cambridge

-----Original Message-----
From: Kris Deugau <[email protected]>
Sent: 02 June 2025 22:01
To: ClamAV users ML <[email protected]>
Cc: Ben Argyle <[email protected]>
Subject: Re: [clamav-users] ClamAV daemon restarts via/through systemd

Ben Argyle via clamav-users wrote:
> We're running ClamAV on RHEL 8 from EPEL 8:
>
> clamd-1.0.8-1.el8.x86_64
> clamav-freshclam-1.0.8-1.el8.x86_64
> clamav-1.0.8-1.el8.x86_64
>
> I know it's old, but that's what we've got to work with. Anyway, we're
> seeing an issue where all of our clamd@scan daemons are restarting because of
> systemd, sometimes multiple times a day:
>
> # journalctl -u clamd@scan | grep systemd
> [...]
> Jan 01 03:08:04 cstestapp1 systemd[1]: Stopping clamd scanner (scan) daemon...
> Jan 01 03:08:05 cstestapp1 systemd[1]: [email protected]: Succeeded.

[snip]

> It seems likely that the "01" restarts are due to logrotate:
>
> /var/log/clamd.scan {
>     create 644 root root
>     monthly
>     compress
>     missingok
>     postrotate
>         systemctl restart clamd@scan >/dev/null 2>&1 || true
>     endscript
> }
>
> But we can't work out what could be causing all of the other ones. We've
> probably ruled out OOM issues (nothing in /var/log/messages or 'dmesg'). Any
> ideas what else I can look for, or what could be causing them?

Based on the hassles I had building a custom package for use here, I would guess systemd "socket activation", which is inexplicably enabled at least in the Debian stock packages. clamd is very much a Very Bad use case for socket activation.

It's been a while since I piloted a RPM-based distro, but IIRC "rpm -ql clamd" should tell you what files got installed. "rpm -q --scripts clamd" should show any pre/post-install scripts. Look for .service and .sock(et?) files under (/usr)/lib/systemd/system. (No idea which variation(s) might show up on RHEL.)

"systemctl edit clamd.[service|socket]" should also at least let you see what's configured, even if you can't find the original .service or .socket definitions.

-kgd
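
An added example, not part of the thread and not ClamAV or EPEL code: logrotate creates the new log with the mode, owner and group named in `create`, so this check reads a stanza like the one quoted above and flags a `create` owner that differs from the account the daemon logs as, along with any `postrotate` line that restarts the service. The `clamscan` account comes from the message above; the function names and the embedded stanza are constructed for illustration.

```python
import re
import shlex

# Constructed sample input: the stanza quoted in the thread above.
SAMPLE = """\
/var/log/clamd.scan {
    create 644 root root
    monthly
    compress
    missingok
    postrotate
        systemctl restart clamd@scan >/dev/null 2>&1 || true
    endscript
}
"""

def parse_stanzas(text):
    # Map each log path to its "create" fields and its postrotate commands.
    stanzas = {}
    for m in re.finditer(r"^([^\s#{][^{\n]*)\{(.*?)^\}", text, re.S | re.M):
        info = {"create": [], "postrotate": []}
        in_script = False
        for line in (raw.strip() for raw in m.group(2).splitlines()):
            if not line or line.startswith("#"):
                continue
            if in_script:
                in_script = line != "endscript"
                if in_script:
                    info["postrotate"].append(line)
            elif line == "postrotate":
                in_script = True
            elif line.split()[0] == "create":
                info["create"] = line.split()[1:]
        for path in shlex.split(m.group(1)):
            stanzas[path] = info
    return stanzas

def lint(text, owner, group):
    # Flag a create owner:group other than the daemon's, and full restarts.
    findings = []
    for path, info in parse_stanzas(text).items():
        fields = info["create"]
        if fields and re.fullmatch(r"[0-7]+", fields[0]):
            fields = fields[1:]  # drop the leading octal mode
        if len(fields) == 2 and fields != [owner, group]:
            findings.append((path, "create-owner", ":".join(fields)))
        for cmd in info["postrotate"]:
            if re.search(r"\bsystemctl\s+(try-)?restart\b", cmd):
                findings.append((path, "postrotate-restart", cmd))
    return findings
```

Calling `lint(SAMPLE, "clamscan", "clamscan")` reports both the `root:root` create line and the restart in `postrotate` for `/var/log/clamd.scan`.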
