[clamav-users] PCI DSS - Configuring ClamAv Logs to be Retained for 12 Months

G.W. Haywood clamav at jubileegroup.co.uk
Sat Apr 25 17:29:51 UTC 2015


Hi there,

On Sat, 25 Apr 2015, Dale Carter wrote:

> In order for ClamAv to be considered PCI Compliant the logs need to
> be kept for 12 months, preferably on a remote server.
> 
> How do I configure logs to be kept for this long or is there a way
> to do it using rsyslog to a remote server for ClamAV
> 
> If anyone has configured these settings before, it would be a big help.

You need to tell us a bit more.  You haven't told us what version of
ClamAV you're using and you haven't told us what operating system(s)
you're using either.

If you're running some flavour of Unix then perhaps you're using
logrotate and syslogd.  If you're using logrotate it's trivial to
change the rotation interval (e.g. daily, weekly, monthly) and the
length of time that logs are kept.  Look in /etc/logrotate.conf if you
have such a file on the machine that's running ClamAV, and possibly
also at files in /etc/logrotate.d/ if you have such a directory.
All the configuration files are plain text and you can edit them with
any text editor.  They're self-explanatory.

Here's a sample of one of the logrotate configuration files on one of
my mail servers:

root@mail4:~# cat /etc/logrotate.d/mail
# mail4:/etc/logrotate.d/mail
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/mail.milter-regex
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/cron.log
/var/log/debug
/var/log/messages
/var/log/dmesg
{
         monthly
         rotate 600
         missingok
         notifempty
         compress
         delaycompress
         sharedscripts
}
# EOF: /etc/logrotate.d/mail

The following should help with logging remotely with syslogd:

http://unixhelp.ed.ac.uk/CGI/man-cgi?syslog.conf+5

It's less self-explanatory but you can find some examples in that man
page, and many more elsewhere on the 'net.

As with many daemons, you need to restart syslogd or send it a SIGHUP
to get it to read a changed configuration.  More details here:

http://unixhelp.ed.ac.uk/CGI/man-cgi?syslogd+8

Make safe copies of any files that you change before you change them.
Sometimes people break things and it's easier to get back to square 1
if you have the old configuration files. :)

If you're running Windows, now might be a good time to change. :)

-- 

73,
Ged.
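As an added example that is not part of the original post: a script that renders the kind of logrotate stanza the reply describes, tuned to the 12-month retention asked about, plus an rsyslog stanza for the remote-server half of the question, and dry-runs both with the real tools when they are installed. The log paths under /var/log/clamav/, the local6 facility and logs.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Renders a logrotate stanza that keeps
# 12 monthly ClamAV archives and an rsyslog stanza that forwards the same logs to a
# remote collector. Log paths, the facility and logs.example.com are assumptions.
set -eu
write_logrotate() {  # $1: destination, normally /etc/logrotate.d/clamav
    cat > "$1" <<'EOF'
# monthly + rotate 12 = the live file plus twelve monthly archives (>12 months).
/var/log/clamav/clamd.log
/var/log/clamav/freshclam.log
{
        monthly
        rotate 12
        missingok
        notifempty
        compress
        delaycompress
        dateext
        copytruncate
}
EOF
}
write_rsyslog() {  # $1: destination, normally /etc/rsyslog.d/60-clamav-forward.conf
    cat > "$1" <<'EOF'
# imfile tails the files clamd/freshclam already write; @@ = TCP, @ = UDP.
# Alternative: set "LogSyslog yes" / "LogFacility LOG_LOCAL6" in clamd.conf.
module(load="imfile")
input(type="imfile" File="/var/log/clamav/clamd.log" Tag="clamd:" Facility="local6")
input(type="imfile" File="/var/log/clamav/freshclam.log" Tag="freshclam:" Facility="local6")
local6.* @@logs.example.com:514
EOF
}
# Succeeds only when both rendered files carry the retention/forwarding settings.
check_config() {
    grep -q '^[[:space:]]*monthly$' "$1" && grep -q '^[[:space:]]*rotate 12$' "$1" \
        && grep -q '^local6\.\* @@logs\.example\.com:514$' "$2"
}
# Render both files into a scratch directory and dry-run them with the real tools
# when installed (logrotate -d and rsyslogd -N1 change nothing on the system).
demo() {
    d=$(mktemp -d)
    write_logrotate "$d/clamav"; write_rsyslog "$d/60-clamav-forward.conf"
    command -v logrotate >/dev/null 2>&1 && logrotate -d "$d/clamav" || true
    command -v rsyslogd >/dev/null 2>&1 && rsyslogd -N1 -f "$d/60-clamav-forward.conf" || true
    check_config "$d/clamav" "$d/60-clamav-forward.conf" && echo "clamav log config OK"
    rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo` to see the rendered files and the dry-run output; copy the stanzas into place only after reviewing them, and restart or SIGHUP rsyslogd as the reply notes.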
