[rsyslog-notify] Forum Thread: [Help] incorrect facility - (Mode 'post')

noreply at adiscon.com
Mon Apr 18 10:26:04 CEST 2016


User: flaco 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26494#p26494

Message: 
----------
Hello,

I have installed clamav and rsyslog on RHEL7 with the latest rsyslog.
I run ClamAV 0.99.1 with this config:

[code]LogSyslog yes
LogFacility LOG_LOCAL1[/code]

but clamd also logs on the [b]daemon[/b] facility. In
particular, [b]LibClamAV[/b] logs ONLY on the daemon
facility:

[code]daemon.info: Apr  8 10:52:01 av-01 clamd[554]: LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned
daemon.info: Apr  8 10:52:03 av-01 clamd[554]: LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned
daemon.info: Apr  8 10:52:04 av-01 clamd[554]: LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned
daemon.info: Apr  8 10:52:05 av-01 clamd[554]: instream(158.102.109.69 at 52270): Heuristics.Phishing.Email.SpoofedDomain FOUND
daemon.info: Apr  8 10:52:06 av-01 clamd[554]: LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned
daemon.info: Apr  8 10:52:19 av-01 clamd[554]: LibClamAV Warning: cli_tnef: file truncated, returning CLEAN
daemon.info: Apr  8 10:52:42 av-01 clamd[554]: instream(158.102.109.68 at 52593): Heuristics.Phishing.Email.SpoofedDomain FOUND
daemon.info: Apr  8 10:52:42 av-01 clamd[554]: instream(158.102.109.84 at 52999): Bofhland.Cracked.url.2587968.UNOFFICIAL FOUND
daemon.info: Apr  8 10:52:42 av-01 clamd[554]: instream(158.102.109.84 at 52999): Bofhland.Cracked.url.2587967.UNOFFICIAL FOUND
[/code]
rsyslogd version output:
[code]rsyslogd 8.17.0, compiled with:
        PLATFORM:                               x86_64-redhat-linux-gnu
        PLATFORM (lsb_release -d):
        FEATURE_REGEXP:                         Yes
        GSSAPI Kerberos 5 support:              No
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        memory allocator:                       system default
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes
        Number of Bits in RainerScript integers: 64[/code]

Rsyslog rule is:
[code]if ( $syslogfacility-text == 'local1' ) then {
        action( type="omrelp"
                name="maillogQueue"
                target="10.102.116.3"
                port="6666"
                queue.filename="maillog"
                queue.type="LinkedList"
                queue.saveonshutdown="on"
                queue.maxdiskspace="25g"
                action.resumeRetryCount="-1" )
}[/code]

omrelp is incidental; the miscategorization also occurs with other action
types.
I opened a clamav BUG, but they assure me that all messages are sent to the
configured LogFacility. So I would ask if you have any idea why I see those
messages in the daemon facility instead of the local1 facility.

Thank you very much for every hint.
Marco
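To make the gap concrete: the rule above forwards only what arrives on local1, so any clamd detection that reaches rsyslog under the daemon facility never reaches the relp target. The script below (an added example, not code from the post or from rsyslog) replays a facility-based forwarding decision over a constructed sample built from the lines quoted in the post, plus one assumed local1 line, and reports which dropped lines are actual detections.

```python
import re
from collections import defaultdict

# Constructed sample, assumed for this example: three lines quoted in the post
# plus one made-up local1 line, in the "facility.severity: <syslog line>" form
# the post uses (" at " is how the list archive renders the address separator).
SAMPLE_LOG = """\
daemon.info: Apr  8 10:52:01 av-01 clamd[554]: LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned
daemon.info: Apr  8 10:52:05 av-01 clamd[554]: instream(158.102.109.69 at 52270): Heuristics.Phishing.Email.SpoofedDomain FOUND
local1.info: Apr  8 10:52:30 av-01 clamd[554]: SelfCheck: Database status OK.
daemon.info: Apr  8 10:52:42 av-01 clamd[554]: instream(158.102.109.84 at 52999): Bofhland.Cracked.url.2587968.UNOFFICIAL FOUND
"""

LINE_RE = re.compile(
    r"^(?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+): "
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def parse_line(line):
    """Split one 'facility.severity: ...' line into its fields, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_detection(entry):
    """clamd reports a hit as '<signature> FOUND' at the end of the message."""
    return entry["prog"] == "clamd" and entry["msg"].endswith(" FOUND")

def audit(log_text, forwarded_facilities=frozenset({"local1"})):
    """Replay a facility-only forwarding rule: count what it forwards and
    drops, and list the dropped lines that are real detections."""
    report = {"forwarded": 0, "dropped": 0, "dropped_detections": [],
              "by_facility": defaultdict(int)}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not a syslog-style line; ignore
        report["by_facility"][entry["facility"]] += 1
        if entry["facility"] in forwarded_facilities:
            report["forwarded"] += 1
        else:
            report["dropped"] += 1
            if is_detection(entry):
                report["dropped_detections"].append(entry["msg"])
    report["by_facility"] = dict(report["by_facility"])
    return report
```

Running audit(SAMPLE_LOG) shows both FOUND lines dropped by a local1-only rule; widening the forwarded set, or selecting on rsyslog's $programname property instead of the facility, keeps them.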

