{"id":13730,"date":"2022-08-27T15:30:32","date_gmt":"2022-08-27T12:30:32","guid":{"rendered":"https:\/\/kifarunix.com\/?p=13730"},"modified":"2024-03-09T20:58:34","modified_gmt":"2024-03-09T17:58:34","slug":"visualize-clamav-scan-logs-on-elk-stack-kibana","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/visualize-clamav-scan-logs-on-elk-stack-kibana\/","title":{"rendered":"Visualize ClamAV Scan Logs on ELK Stack Kibana"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1030\" height=\"578\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-elk.png\" alt=\"Process and Visualize ModSecurity Logs on ELK Stack\" class=\"wp-image-13745\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-elk.png 1030w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-elk-768x431.png 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-elk-150x84.png 150w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-elk-300x168.png 300w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-elk-696x391.png 696w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-elk-748x420.png 748w\" sizes=\"(max-width: 1030px) 100vw, 1030px\" \/><\/figure>\n\n\n\n<p>In this tutorial, you will learn how to visualize ClamAV scan logs on ELK stack Kibana. <a href=\"https:\/\/docs.clamav.net\/\" target=\"_blank\" rel=\"noreferrer noopener\">ClamAV<\/a> is an opensource antivirus engine for detecting trojans, viruses, malware &amp; other malicious threats. 
ELK on the other hand is a combination of opensource tools that can be used to collect, parse and visualize various system logs.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#visualizing-clam-av-scan-logs-on-elk-stack-kibana\">Visualizing ClamAV Scan Logs on ELK Stack Kibana<\/a><ul><li><a href=\"#install-and-configure-elk-stack\">Install and Configure ELK Stack<\/a><\/li><li><a href=\"#install-clam-av-on-your-linux-system\">Install ClamAV on your Linux System<\/a><\/li><li><a href=\"#configure-clam-av-to-write-scan-results-to-syslog\">Configure ClamAV to Write Scan Results to Syslog<\/a><\/li><li><a href=\"#create-logstash-grok-patterns-to-process-clam-av-logs\">Create Logstash Grok Patterns to Process ClamAV Logs<\/a><\/li><li><a href=\"#configure-logstash-to-process-clam-av-logs\">Configure Logstash to Process ClamAV Logs<\/a><\/li><li><a href=\"#running-logstash\">Running Logstash<\/a><\/li><li><a href=\"#install-filebeat-and-collect-clamscan-logs\">Install Filebeat and Collect Clamscan Logs<\/a><\/li><li><a href=\"#visualizing-clam-av-scan-logs-on-elk-stack-kibana-1\">Visualizing ClamAV Scan Logs on ELK Stack Kibana<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"visualizing-clam-av-scan-logs-on-elk-stack-kibana\">Visualizing ClamAV Scan Logs on ELK Stack Kibana<\/h2>\n\n\n\n<p>Well, I have been scouring through the Internet lately trying to find tutorials on how to visualize ClamAV logs on Kibana and I hardly find any useful information. 
As such, I decided to find a way out myself and what I achieved so far is what is presented in this guide.<\/p>\n\n\n\n<p>Thus, NOTE that this is NOT an official tutorial on visualizing ClamAV scan logs on ELK stack Kibana but rather my own way of trying to ensure that I get ClamAV scan logs on Kibana for visualization whenever the scan job is executed.<\/p>\n\n\n\n<p>To proceed;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-and-configure-elk-stack\">Install and Configure ELK Stack<\/h3>\n\n\n\n<p>You of course need to have an ELK stack server already installed and up and running.<\/p>\n\n\n\n<p>You can check our various tutorials on how to set up ELK stack;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/?s=install+elk\" target=\"_blank\" rel=\"noreferrer noopener\">How to install and Configure ELK Stack on Linux<\/a><\/p>\n\n\n\n<p>Ensure that Logstash is installed!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-clam-av-on-your-linux-system\">Install ClamAV on your Linux System<\/h3>\n\n\n\n<p>Next, on the system that you want scanned, install and configure ClamAV to scan your respective directories.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/?s=install+clamav\" target=\"_blank\" rel=\"noreferrer noopener\">Install and configure ClamAV on Linux<\/a><\/p>\n\n\n\n<p>To ensure that your system is scanned at specific times, consider setting up a cron job.<\/p>\n\n\n\n<p>On my workstation, the cron job below is used;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>0 11 * * * \/home\/scripts\/clamscan.sh<\/code><\/pre>\n\n\n\n<p>The script is executed every day at 11:00 AM.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-clam-av-to-write-scan-results-to-syslog\">Configure ClamAV to Write Scan Results to Syslog<\/h3>\n\n\n\n<p>The ClamAV clamscan command line tool can be configured to log the scan results into a file using the <strong><code>-l FILE<\/code><\/strong> or <strong><code>--log=FILE<\/code><\/strong> options.<\/p>\n\n\n\n<p>However, the output of the report is always multiline.<\/p>\n\n\n\n<p>This is a sample default report;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\/home\/kifarunix\/Downloads\/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND\n\/home\/kifarunix\/Downloads\/wildfire-test-pe-file.exe: Win.Dropper.Bebloh-9954185-0 FOUND\n\n----------- SCAN SUMMARY -----------\nKnown viruses: 8630735\nEngine version: 0.103.6\nScanned directories: 63\nScanned files: 370\nInfected files: 4\nData scanned: 74.59 MB\nData read: 35.62 MB (ratio 2.09:1)\nTime: 32.894 sec (0 m 32 s)\nStart Date: 2022:08:26 14:09:56\nEnd Date:   2022:08:26 14:10:29\n<\/code><\/pre>\n\n\n\n<p>In order to be able to process and parse this kind of log, we used the command below in our script;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/home\/scripts\/clamscan.sh<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>cpulimit -z -e clamscan -l 20 &amp;\nclamscan -ir \/home\/kifarunix\/ | grep -vE \"^$|^-\" | sed 's\/ FOUND\/\/' | tr \"\\n\" \" \" | sed 's\/$\/\\n\/' | logger -t clamscan -p local0.info\n<\/code><\/pre>\n\n\n\n<p>To demystify this script\/command;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>cpulimit -z -e clamscan -l 20 &amp;<\/code><\/strong>: Clamscan is a CPU intensive program. This part of the command runs cpulimit in the background so that the clamscan process is limited to 20% CPU time. If the <code>cpulimit<\/code> command is not available, you can install it; cpulimit is the package name.<\/li>\n\n\n\n<li><strong><code>clamscan -ir \/home\/kifarunix\/<\/code><\/strong>: launches clamscan and instructs it to recursively (<strong><code>-r<\/code><\/strong>) scan the home directory of the user kifarunix and print only the infected files (<strong><code>-i<\/code><\/strong>) in the report.<\/li>\n\n\n\n<li><strong><code>|<\/code><\/strong>: this is a pipe. It takes the output of the previous command and passes it to the next command.<\/li>\n\n\n\n<li><strong><code>grep -vE \"^$|^-\"<\/code><\/strong>: Excludes empty lines (<strong>^$<\/strong>) and lines beginning with a hyphen (<strong>^-<\/strong>) from the report.<\/li>\n\n\n\n<li><strong><code>sed 's\/ FOUND\/\/'<\/code><\/strong>: Removes the keyword FOUND from the report.<\/li>\n\n\n\n<li><strong><code>tr \"\\n\" \" \"<\/code><\/strong>: Replaces newlines with spaces to make a single line event.<\/li>\n\n\n\n<li><strong><code>sed 's\/$\/\\n\/'<\/code><\/strong>: Adds a line break at the end of the report line.<\/li>\n\n\n\n<li><strong><code>logger -t clamscan -p local0.info<\/code><\/strong>: Sends the report message to syslog with facility <strong>local0<\/strong> and level <strong>info<\/strong>, and tags the message as coming from the clamscan program (<strong>-t clamscan<\/strong>). Replace the facility accordingly if local0 is already being used.<\/li>\n<\/ul>\n\n\n\n<p>Now, we need to send the Clamscan logs to a specific file, which in our example is <strong><code>\/var\/log\/clamav\/clamscan.log<\/code><\/strong>.<\/p>\n\n\n\n<p>Therefore, we need to configure Rsyslog to send logs written to local0.info to \/var\/log\/clamav\/clamscan.log.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo -e \"local0.info\\t\\t\\t\/var\/log\/clamav\/clamscan.log\" &gt;&gt; \/etc\/rsyslog.conf<\/code><\/pre>\n\n\n\n<p>Check the Rsyslog syntax;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rsyslogd -N1<\/code><\/pre>\n\n\n\n<p>If there is no error, restart Rsyslog;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart rsyslog<\/code><\/pre>\n\n\n\n<p>The final Clamscan log file looks like this if infected files are found on the system;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Aug 27 05:26:00 debian10 clamscan: home\/kifarunix\/Downloads\/eicar.com.txt: Win.Test.EICAR_HDB-1 \/home\/kifarunix\/Downloads\/fileb.txt: Eicar-Signature \/home\/kifarunix\/Downloads\/eicar_com.zip: 
Win.Test.EICAR_HDB-1 \/home\/kifarunix\/Downloads\/wildfire-test-pe-file.exe: Win.Dropper.Bebloh-9954185-0 Known viruses: 8630735 Engine version: 0.103.6 Scanned directories: 52 Scanned files: 83 Infected files: 4 Data scanned: 2.05 MB Data read: 1.34 MB (ratio 1.53:1) Time: 44.876 sec (0 m 44 s) Start Date: 2022:08:27 05:08:01 End Date:   2022:08:27 05:08:45\n<\/code><\/pre>\n\n\n\n<p>If no infected files are found on the system, the log will look like;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Aug 27 05:47:18 debian10 clamscan: Known viruses: 8630735 Engine version: 0.103.6 Scanned directories: 1 Scanned files: 0 Infected files: 0 Data scanned: 0.00 MB Data read: 0.00 MB (ratio 0.00:1) Time: 18.974 sec (0 m 18 s) Start Date: 2022:08:27 05:46:59 End Date:   2022:08:27 05:47:18\n<\/code><\/pre>\n\n\n\n<p>As you can see, the output has been converted into a single line event in syslog format.<\/p>\n\n\n\n<p>This makes it easy to read the file using Filebeat and send the output to Logstash for filtering.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-logstash-grok-patterns-to-process-clam-av-logs\">Create Logstash Grok Patterns to Process ClamAV Logs<\/h3>\n\n\n\n<p>Now that you have the ClamAV logs as a single line per scan, you need to create a Logstash grok pattern to process the log and extract the various fields from it.<\/p>\n\n\n\n<p>Here is the grok pattern that we used to parse ClamAV logs;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>%{SYSLOGTIMESTAMP}\\s%{IPORHOST}\\s%{PROG:program}:\\s+((?&lt;infected_files&gt;.+.|)(\\s+|))Known viruses:\\s+(?&lt;known_viruses&gt;\\d+)\\s+Engine version:\\s+(?&lt;engine_version&gt;\\S+)\\s+Scanned directories:\\s+(?&lt;scanned_directories&gt;\\d+)\\s+Scanned files:\\s+(?&lt;scanned_files&gt;\\d+)\\s+Infected files:\\s+(?&lt;infected_files_num&gt;\\d+)\\s+Data scanned:\\s+(?&lt;scanned_data_size&gt;\\S+.+)\\s+Data read:\\s+(?&lt;data_read_size&gt;\\S+.+)\\s+Time:\\s+(?&lt;scan_time&gt;\\S+.+)\\s+Start Date:\\s+(?&lt;scan_start_time&gt;%{YEAR}:%{MONTHNUM}:%{MONTHDAY}\\s+%{TIME})\\s+End Date:\\s+(?&lt;scan_end_time&gt;%{YEAR}:%{MONTHNUM}:%{MONTHDAY}\\s+%{TIME})\n<\/code><\/pre>\n\n\n\n<p>You can test the pattern using the online <a href=\"http:\/\/grokdebug.herokuapp.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Grok debugger<\/a>, or the Kibana Grok debugger under <strong>Management &gt; Dev Tools &gt; Grok Debugger<\/strong>.<\/p>\n\n\n\n<p>The grok pattern matches the ClamAV log both when it contains infected file paths and when it does not.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1875\" height=\"807\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-logs-grok-pattern.png\" alt=\"Visualize ClamAV Scan Logs on ELK Stack Kibana\" class=\"wp-image-13737\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-logs-grok-pattern.png?v=1661601321 1875w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-logs-grok-pattern-768x331.png?v=1661601321 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-logs-grok-pattern-1536x661.png?v=1661601321 1536w\" sizes=\"(max-width: 1875px) 100vw, 1875px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-logstash-to-process-clam-av-logs\">Configure Logstash to Process ClamAV Logs<\/h3>\n\n\n\n<p>Once you have the pattern, you can configure Logstash to process these logs and send them to Elasticsearch;<\/p>\n\n\n\n<p>Below is our sample configuration;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/etc\/logstash\/conf.d\/clamscan.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ninput {\n  beats {\n    port => 5044\n  }\n}\nfilter {\n    grok {\n      match => { \"message\" => \"%{SYSLOGTIMESTAMP}\\s%{IPORHOST}\\s%{PROG:program}:\\s+((?&lt;infected_files>.+.|)(\\s+|))Known viruses:\\s+(?&lt;known_viruses>\\d+)\\s+Engine version:\\s+(?&lt;engine_version>\\S+)\\s+Scanned directories:\\s+(?&lt;scanned_directories>\\d+)\\s+Scanned files:\\s+(?&lt;scanned_files>\\d+)\\s+Infected files:\\s+(?&lt;infected_files_num>\\d+)\\s+Data scanned:\\s+(?&lt;scanned_data_size>\\S+.+)\\s+Data read:\\s+(?&lt;data_read_size>\\S+.+)\\s+Time:\\s+(?&lt;scan_time>\\S+.+)\\s+Start Date:\\s+(?&lt;scan_start_time>%{YEAR}:%{MONTHNUM}:%{MONTHDAY}\\s+%{TIME})\\s+End Date:\\s+(?&lt;scan_end_time>%{YEAR}:%{MONTHNUM}:%{MONTHDAY}\\s+%{TIME})\" }\n    }\n    mutate {\n\tgsub => [\n\t  \"infected_files\", \" \/\", \"\n\/\"]\n\tremove_field => [ \"message\" ]\n    }\n}\noutput {\n   elasticsearch {\n     hosts => [\"192.168.58.22:9200\"]\n     index => \"clamscan-%{+YYYY.MM}\"\n   }\n  # stdout { codec => rubydebug }\n\n}\n<\/code><\/pre>\n\n\n\n<p>The Clamscan logs will be processed and written to the <strong>clamscan-YYYY.MM<\/strong> index on Elasticsearch.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"running-logstash\">Running Logstash<\/h3>\n\n\n\n<p>Before you can start Logstash, ensure that the configuration syntax is okay.<\/p>\n\n\n\n<p>
You can check the configuration using the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo -u logstash \/usr\/share\/logstash\/bin\/logstash -f \/etc\/logstash\/conf.d\/clamscan.conf --path.settings \/etc\/logstash\/ -t<\/code><\/pre>\n\n\n\n<p>If all is good, you should see <strong>Configuration OK<\/strong> in the command output.<\/p>\n\n\n\n<p>You can also check our tutorial on how to debug Logstash;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-debug-logstash-grok-filters\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Debug Logstash Grok Filters<\/a><\/p>\n\n\n\n<p>Then start Logstash;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now logstash<\/code><\/pre>\n\n\n\n<p>Confirm that Logstash is running by checking that the Beats port is listening;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -atlnp | grep :5044<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>LISTEN 0      4096                    *:5044            *:*    users:((\"java\",pid=2459,fd=112))<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-filebeat-and-collect-clamscan-logs\">Install Filebeat and Collect Clamscan Logs<\/h3>\n\n\n\n<p>You can check our various tutorials on how to install Filebeat.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/?s=install+filebeat\" target=\"_blank\" rel=\"noreferrer noopener\">How to install filebeat on Linux systems<\/a><\/p>\n\n\n\n<p>Configure Filebeat to collect Clamscan logs.<\/p>\n\n\n\n<p>Remember that in our scan script, we are logging the scan output to the file <strong><code>\/var\/log\/clamav\/clamscan.log<\/code><\/strong>.<\/p>\n\n\n\n<p>Thus, below is our Filebeat configuration;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/etc\/filebeat\/filebeat.yml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>filebeat.inputs:\n- type: filestream\n  enabled: true\n  <strong>paths:\n    - \/var\/log\/clamav\/clamscan.log<\/strong>\nfilebeat.config.modules:\n  path: ${path.config}\/modules.d\/*.yml\n  reload.enabled: false\nsetup.template.settings:\n  index.number_of_shards: 1\nsetup.kibana:\n<strong>output.logstash:\n  hosts: [\"192.168.58.22:5044\"]<\/strong>\nprocessors:\n  - add_host_metadata:\n      when.not.contains.tags: forwarded\n  - add_cloud_metadata: ~\n  - add_docker_metadata: ~\n  - add_kubernetes_metadata: ~\n<\/code><\/pre>\n\n\n\n<p>Test the Filebeat configuration;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat test config<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Config OK<\/code><\/pre>\n\n\n\n<p>Test the Filebeat Logstash output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat test output<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>logstash: 192.168.58.22:5044...\n  connection...\n    parse host... OK\n    dns lookup... OK\n    addresses: 192.168.58.22\n    dial up... OK\n  TLS... WARN secure connection disabled\n  talk to server... OK\n<\/code><\/pre>\n\n\n\n<p>You can now start Filebeat;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now filebeat<\/code><\/pre>\n\n\n\n<p>Initiate the ClamAV scans and proceed to check if the logs are received on the ELK stack.<\/p>\n\n\n\n<p>Once the ClamAV scan has run, the log will be written to the clamscan-YYYY.MM index on Elasticsearch.<\/p>\n\n\n\n<p>You can confirm by navigating to <strong>Kibana UI &gt; Menu &gt; Management &gt; Stack Management &gt; Data &gt; Index Management<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1898\" height=\"774\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamscan-elasticsearch-index.png\" alt=\"Visualize ClamAV Scan Logs on ELK Stack Kibana\" class=\"wp-image-13738\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamscan-elasticsearch-index.png?v=1661601383 1898w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamscan-elasticsearch-index-768x313.png?v=1661601383 768w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamscan-elasticsearch-index-1536x626.png?v=1661601383 1536w\" sizes=\"(max-width: 1898px) 100vw, 1898px\" \/><\/figure>\n\n\n\n<p>If the index is available already, then you need to create the index pattern on Kibana.<\/p>\n\n\n\n<p>Thus;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to the <strong>Menu &gt; Management &gt; Stack Management &gt; Kibana &gt; Index Patterns<\/strong><\/li>\n\n\n\n<li>Create Index Pattern<\/li>\n\n\n\n<li>Enter the name of the index pattern, e.g <strong>clamscan-*<\/strong><\/li>\n\n\n\n<li>Select timestamp field: <strong>@timestamp<\/strong><\/li>\n\n\n\n<li>Create Index Pattern<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"visualizing-clam-av-scan-logs-on-elk-stack-kibana-1\">Visualizing ClamAV Scan Logs on ELK Stack Kibana<\/h3>\n\n\n\n<p>On Kibana Menu, navigate to <strong>Discover<\/strong> and select <strong>clamscan-*<\/strong> index to view Clamscan report.<\/p>\n\n\n\n<p>Adjust the timeframe appropriately.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1899\" height=\"868\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-clamscan-logs-on-kibana.png\" alt=\"Visualize ClamAV Scan Logs on ELK Stack Kibana\" class=\"wp-image-13739\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-clamscan-logs-on-kibana.png?v=1661601426 1899w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-clamscan-logs-on-kibana-768x351.png?v=1661601426 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-clamscan-logs-on-kibana-1536x702.png?v=1661601426 1536w\" sizes=\"(max-width: 1899px) 100vw, 1899px\" \/><\/figure>\n\n\n\n<p>Expanding some events to view more information;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/scan-events-details.png\" class=\"td-modal-image\"><figure class=\"wp-block-image 
size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1916\" height=\"3151\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/scan-events-details.png\" alt=\"Visualize ClamAV Scan Logs on ELK Stack Kibana\" class=\"wp-image-13741\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/scan-events-details.png?v=1661601463 1916w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/scan-events-details-768x1263.png?v=1661601463 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/scan-events-details-934x1536.png?v=1661601463 934w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/scan-events-details-1245x2048.png?v=1661601463 1245w\" sizes=\"(max-width: 1916px) 100vw, 1916px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Filtering Events with Infected files found;<\/p>\n\n\n\n<p>Use the filter: <strong><code>infected_files_num is not 0<\/code><\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1908\" height=\"612\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-found.png\" alt=\"\" class=\"wp-image-13742\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-found.png?v=1661601502 1908w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-found-768x246.png?v=1661601502 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-found-1536x493.png?v=1661601502 1536w\" sizes=\"(max-width: 1908px) 100vw, 1908px\" \/><\/figure>\n\n\n\n<p>Event details;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1916\" height=\"2725\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details.png\" alt=\"Visualize ClamAV Scan Logs on ELK Stack Kibana\" 
class=\"wp-image-13743\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details.png?v=1661601538 1916w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details-768x1092.png?v=1661601538 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details-1080x1536.png?v=1661601538 1080w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details-1440x2048.png?v=1661601538 1440w\" sizes=\"(max-width: 1916px) 100vw, 1916px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>And that is all on visualizing ClamAV scan logs on ELK stack Kibana.<\/p>\n\n\n\n<p>If you want, you can play around with the formatting of the logs to make it appear the way you want. Otherwise, that is it from us for now.<\/p>\n\n\n\n<p>Other Tutorials<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/process-and-visualize-modsecurity-logs-on-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Process and Visualize ModSecurity Logs on ELK Stack<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/visualize-wordpress-user-activity-logs-on-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Visualize WordPress User Activity Logs on ELK Stack<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to visualize ClamAV scan logs on ELK stack Kibana. 
ClamAV is an opensource antivirus engine for detecting trojans,<\/p>\n","protected":false},"author":3,"featured_media":13745,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,121,34],"tags":[5697,5696,5693,5694,5695,5698,5692],"class_list":["post-13730","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-howtos","category-security","tag-clamav-elk","tag-clamav-kibana","tag-clamscan-log-to-syslog","tag-clamscan-logs","tag-clamscan-logstash","tag-logstash-clamscan","tag-visualize-clamav-scan-logs-on-elk-stack-kibana","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13730"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=13730"}],"version-history":[{"count":14,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13730\/revisions"}],"predecessor-version":[{"id":20603,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13730\/revisions\/20603"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/13745"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=13730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=13730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=13730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}