Xymon Mailing List Archive

clamd monitoring

4 messages in this thread

list Kevin Hanrahan · Wed, 22 Oct 2008 13:42:10 -0400 ·
Hi all,
  I am having trouble monitoring clamAV. As in the docs, I put "clamd" in the bb-hosts file for my monitored host but I get the following result:

Service clamd on server.domain.com is not OK : Service unavailable (No route to host)

The server is reachable so there really IS a route to the host.


any ideas?


kh


list Bill Arlofski · Wed, 22 Oct 2008 18:34:39 -0400 ·
quoted from Kevin Hanrahan
Hanrahan, Kevin wrote:
Hi all,
  I am having trouble monitoring clamAV. As in the docs, I put "clamd" in the bb-hosts file for my monitored host but I get the following result:

Service clamd on server.domain.com is not OK : Service unavailable (No route to host)

The server is reachable so there really IS a route to the host.


any ideas?


kh

Just a guess, but I bet that clamd on the server is either listening on
127.0.0.1:3310/TCP or only on a local socket, either of which would render it
inaccessible from a remote monitoring server.

Usually this is the desired configuration since then only the mail server
itself can "use" the clamd service. From the /etc/clamd.conf file:

--[snip]--
# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
#TCPAddr 127.0.0.1
--[snip]--

You'll have to find your clamd config file and tell it to bind to all IP
addresses by commenting out that TCPAddr line and then either secure it with
iptables on the local host or recompile it with tcpwrappers support.


Oh and check this option too --> "LocalSocket". It may be enabled on your
installation:

--[snip]--
# The daemon works in a local OR a network mode. Due to security reasons we
# recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
# LocalSocket /var/run/clamav/clamav.sock
--[snip]--


--
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
* Stop the NSA from illegally eavesdropping on your personal email *
Learn about PGP and start encrypting your email today
http://gnupg.org or http://www.pgp.com
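
The three listener states discussed in the message above can be told apart by reading the active lines of clamd.conf. The following is an added example, not part of the original post and not Xymon or ClamAV code; the sample configs are constructed from the quoted excerpt and the function names are hypothetical.

```python
import ipaddress

# Constructed configs modelled on the clamd.conf excerpt quoted above.
ALL_INTERFACES = "TCPSocket 3310\n#TCPAddr 127.0.0.1\n"
LOOPBACK_ONLY = "TCPSocket 3310\nTCPAddr 127.0.0.1\n"
SOCKET_ONLY = "#TCPSocket 3310\nLocalSocket /var/run/clamav/clamav.sock\n"

def active_options(text):
    """Return {option: value} for uncommented 'Name value' lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def is_loopback(addr):
    """True for localhost or a loopback IP; other host names count as non-loopback."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def exposure(text):
    """Classify the listener: all-interfaces, one-address, loopback, local-socket, none."""
    opts = active_options(text)
    if "TCPSocket" in opts:
        addr = opts.get("TCPAddr")
        if addr is None:
            return "all-interfaces"  # INADDR_ANY, as the config comment says
        return "loopback" if is_loopback(addr) else "one-address"
    return "local-socket" if "LocalSocket" in opts else "none"

def remote_check_possible(text):
    """A network test from the monitoring server needs a non-loopback TCP listener."""
    return exposure(text) in ("all-interfaces", "one-address")

if __name__ == "__main__":
    for name, conf in [("all", ALL_INTERFACES), ("lo", LOOPBACK_ONLY), ("sock", SOCKET_ONLY)]:
        print(name, exposure(conf), remote_check_possible(conf))
```

A result of "all-interfaces" is the state in which port 3310 has to be restricted with iptables or tcpwrappers, as the message says; "loopback" and "local-socket" are the states in which a remote network test cannot reach clamd at all.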
list Jon Boede · Thu, 23 Oct 2008 09:44:12 -0500 ·
While we're on the topic...

It seems that the clamd monitoring just checks to see if clamd is 
answering the phone. 

Is there a way to check that clamd is, well, happy as a clam?  This is 
to say, up to date, hasn't found anything, etc.?

Thanks,
Jon
list Greg L Hubbard · Thu, 23 Oct 2008 10:12:48 -0500 ·
This would probably be best done as a client-side test, launched
externally from the standard Hobbit client functions.  It is pretty easy
to integrate custom tests with the Hobbit infrastructure.
 
GLH
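
A sketch of the client-side test suggested in this reply, covering only the "up to date" part of the question: it asks clamd for its VERSION over the local socket and turns the signature database age into a status colour. This is an added example, not part of the original thread and not Hobbit or ClamAV code; the test name `clamdb`, the thresholds and the sample reply are assumptions.

```python
import socket
from datetime import datetime, timedelta

# Constructed sample reply in the "engine/db-version/db-date" form clamd
# returns for VERSION; the values are illustrative, not from the thread.
SAMPLE_REPLY = "ClamAV 0.94/8492/Wed Oct 22 10:15:31 2008\n"

def query_clamd(sock_path, command=b"VERSION\n", timeout=5.0):
    """Send one command to clamd over its LocalSocket and return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(command)
        return s.recv(4096).decode("ascii", "replace")

def parse_version(reply):
    """Split a VERSION reply into (engine, db_version, db_built)."""
    parts = reply.strip().split("/", 2)
    if len(parts) != 3 or not parts[0].startswith("ClamAV "):
        raise ValueError("no signature database info in reply: %r" % reply)
    built = datetime.strptime(parts[2], "%a %b %d %H:%M:%S %Y")
    return parts[0][len("ClamAV "):], int(parts[1]), built

def evaluate(reply, now, warn=timedelta(days=2), crit=timedelta(days=7)):
    """Map signature age to a status colour; the thresholds are assumptions."""
    try:
        engine, db_version, built = parse_version(reply)
    except ValueError as exc:
        return "red", "clamd answered but reported no usable database: %s" % exc
    age = now - built
    color = "red" if age >= crit else "yellow" if age >= warn else "green"
    return color, "engine %s, signatures %d built %s (%d days old)" % (
        engine, db_version, built.isoformat(" "), age.days)

def status_message(host, color, text, now, test="clamdb"):
    """Build the status line; dots in the host name become commas."""
    return "status %s.%s %s %s %s" % (
        host.replace(".", ","), test, color, now.strftime("%c"), text)

if __name__ == "__main__":
    now = datetime.now()
    # On a real client: reply = query_clamd("/var/run/clamav/clamav.sock")
    color, text = evaluate(SAMPLE_REPLY, now)
    print(status_message("server.domain.com", color, text, now))
```

Because the script runs on the monitored host and uses the local socket, clamd can stay in the local mode its configuration file recommends.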