Can't open /var/log/clamd.virtualmin in append mode

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 17:33 Pro Licensee

Hi, I am unable to start clamd. I get:

Can't open /var/log/clamd.virtualmin in append mode

I have checked the log file and the permissions are :

943806 -rwxrwxrwx 1 nobody root 1058712 Sep 7 17:13 clamd.virtualmin

which seem correct?

please advise.

Status: 
Closed (fixed)

Comments

Submitted by andreychek on Wed, 09/07/2011 - 17:38

Howdy -- how are you attempting to start Clamd, are you using the init script?

Also, what does your disk space look like -- you can determine that with "df -h".

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 17:49 Pro Licensee

yes, starting with /etc/init.d/clamd that shows:

!/bin/sh

#

Startup script for the Clam AntiVirus Daemon

#

chkconfig: - 61 39 description: Clam AntiVirus Daemon is a TCP/IP or socket protocol \ server. processname: clamd pidfile: /var/run/clamav/clamd.pid config: /etc/clamav.conf Source function library.

. /etc/rc.d/init.d/functions

Source networking configuration.

. /etc/sysconfig/network

[ -x /usr/sbin/clamd ] || exit 0

See how we were called.

case "$1" in start) echo -n "Starting Clam AntiVirus Daemon: " daemon clamd RETVAL=$? echo [ $RETVAL -eq 0 ] && touch /var/lock/subsys/clamd "/etc/init.d/clamd" #

Startup script for the Clam AntiVirus Daemon

#

chkconfig: - 61 39 description: Clam AntiVirus Daemon is a TCP/IP or socket protocol \ server. processname: clamd pidfile: /var/run/clamav/clamd.pid config: /etc/clamav.conf Source function library.

. /etc/rc.d/init.d/functions

Source networking configuration.

. /etc/sysconfig/network

[ -x /usr/sbin/clamd ] || exit 0

See how we were called.

case "$1" in start) echo -n "Starting Clam AntiVirus Daemon: " daemon clamd RETVAL=$? echo [ $RETVAL -eq 0 ] && touch /var/lock/subsys/clamd ;; stop) echo -n "Stopping Clam AntiVirus Daemon: " killproc clamd rm -f /var/clamav/clamd.socket rm -f /var/run/clamav/clamav.pid RETVAL=$? echo

heres the fix... we gotta remove the stale files on restart

    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamd
    ;;

status) status clamd RETVAL=$? ;; restart|reload) $0 stop $0 start RETVAL=$? ;; condrestart) [ -e /var/lock/subsys/clamd ] && restart RETVAL=$? ;; *) echo "Usage: clamd {start|stop|status|restart|reload|condrestart}" exit 1

no problems with disk space - there is heaps !

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 19:10 Pro Licensee

update on this issue:

when i comment out the logfile line in /etc/clamd.conf

so it does NOT log - then the daemon starts ok.

what could be wrong please -as I want to log.

Submitted by JamieCameron on Wed, 09/07/2011 - 19:30

This could be a permissions issue .. what is the output from the following commands :

ls -ld /var/log
lsattr /var/log/clamd.virtualmin

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 20:09 Pro Licensee

[root@hosting opt]# ls -ld /var/log drwxrws--- 16 apache apache 4096 Sep 8 04:03 /var/log

[root@hosting opt]# lsattr /var/log/clamd.virtualmin ------------- /var/log/clamd.virtualmin

Submitted by andreychek on Wed, 09/07/2011 - 20:15

Aha, I think that's the problem! That shows your /var/log directory as being owned by apache/apache, and not visible to "other".

I would run these commands:

chown root:root /var/log
chmod 755 /var/log

After that, are you able to enable logging in ClamAV?

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 21:04 Pro Licensee

perfect ! thank you. all fixed.

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 21:05 Pro Licensee

oh.. almost: freshclam shows:

ERROR: chdir_tmp: Can't create directory ./clamav-97e89a7e09814a6197a0058a01c19334 WARNING: Incremental update failed, trying to download daily.cvd ERROR: getfile: Can't create new file /var/lib/clamav/clamav-6f260b694e75547a03a17171d7cbfbda in /var/lib/clamav Hint: The database directory must be writable for UID 104 or GID 105 ERROR: Can't download daily.cvd from db.us.clamav.net

do I need now to change permission somewhere else now please?

Submitted by andreychek on Wed, 09/07/2011 - 21:10

Hmm, it's unusual that you'd run into all that. It sounds like the permissions on "/var/lib/clamav" are incorrect.

What do you get if you run:

ls -ld /var/lib/clamav

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 21:11 Pro Licensee

yep, probably me stuffing around trying to fix it yesterday !!!

[root@hosting opt]# ls -ld /var/lib/clamav drwxr-xr-x 5 clam clam 4096 Jul 27 17:54 /var/lib/clamav

Submitted by andreychek on Wed, 09/07/2011 - 21:19

What do these two commands output:

id clam
id clamav

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 21:28 Pro Licensee

[root@hosting usr]# id clam uid=105(clam) gid=106(clam) groups=106(clam)

[root@hosting usr]# id clamav uid=104(clamav) gid=105(clamav) groups=105(clamav)

Submitted by andreychek on Wed, 09/07/2011 - 21:35

Okay, it looks like you can fix this issue by running this command:

chown clamav:clamav /var/lib/clamav

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 21:36 Pro Licensee

yep, working now - many thanks !

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 21:36 Pro Licensee

hmm, nearly (sorry).. one more error now:

Database updated (1035494 signatures) from db.us.clamav.net (IP: 194.8.197.22) WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock connect(): No such file or directory

Submitted by andreychek on Wed, 09/07/2011 - 21:43

The default clamd.sock location on Virtualmin's ClamAV should be "/var/run/clamd.virtualmin/clamd.sock", and not what it appears to be trying above, "/var/run/clamav/clamd.sock".

Do you see in the config file where it's set to "/var/run/clamav/clamd.sock"? You may want to update that to point to "/var/run/clamd.virtualmin/clamd.sock".

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 22:03 Pro Licensee

ok, I have changed that and reloaded clam and I think it is ok, but I am getting:

[root@hosting downloads]# freshclam ClamAV update process started at Thu Sep 8 03:02:03 2011 main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven) WARNING: Current functionality level = 29, recommended = 53 Please check if ClamAV tools are linked against the proper version of libclamav DON'T PANIC! Read http://www.clamav.net/support/faq daily.cld is up to date (version: 13581, sigs: 189286, f-level: 60, builder: guitar) WARNING: Current functionality level = 29, recommended = 60 Please check if ClamAV tools are linked against the proper version of libclamav DON'T PANIC! Read http://www.clamav.net/support/faq

is that ok?

Submitted by andreychek on Wed, 09/07/2011 - 22:11

What output do you get if you run this command:

rpm -qa | grep clam

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 22:18 Pro Licensee

[root@hosting share]# rpm -qa | grep clam clamd-0.97.2-3.el5 clamav-0.97.2-3.el5 clamav-db-0.97.2-3.el5

Submitted by andreychek on Wed, 09/07/2011 - 22:25

It looks like you may have a non-standard version of ClamAV installed there.

Do you recall if any third party modules were installed recently, or if a new version of ClamAV was put on there?

I'm curious what this outputs:

ls /etc/yum.repos.d/

Submitted by steve@itgroup.net.au on Wed, 09/07/2011 - 22:34 Pro Licensee

oh, you know how it is... you start to 'fix' something and a big hole starts getting bigger..

[root@hosting share]# ls /etc/yum.repos.d/ CentOS-Base.repo CentOS-Media.repo epel.repo ovd.repo vir.old1 virtualmin-bleed.repo CentOS-Debuginfo.repo CentOS-Vault.repo epel-testing.repo remi.repo vir.old11 virtualmin.repo

so, if you advise the correct repos, I guess I can delete those other ones and what - uninstall/reinstall clam or will that not work?

Submitted by andreychek on Thu, 09/08/2011 - 11:24

Well, the only repositories I can vouch for are the CentOS repositories that are enabled by default, and the Virtualmin repository.

Anything else, and there's a risk something could go awry :-)

It's not that something is wrong with the other repositories, it's that packages from multiple repositories can start to conflict, and you can also end up with unusual combinations of software versions.

So, the only repositories enabled on CentOS by default are CentOS-Base.repo and CentOS-Media.repo. And during the Virtualmin installation, it sets up virtualmin.repo.

I think my recommendation to resolve this would be:

  1. Disable all the repositories but CentOS-Base.repo, CentOS-Media.repo, and virtualmin.repo.

  2. Uninstall your current ClamAV packages

  3. Install the ClamAV packages from the Virtualmin repository

  4. If you require a particular package from a non-default repository, that's okay -- but rather than enabling the entire repository, just pull in the one package you need from it. You can use the "includepkgs=" line in the .repo file to specify what packages should be used from that repository.

Submitted by steve@itgroup.net.au on Thu, 09/08/2011 - 16:03 Pro Licensee

hmm, did exactly what you said, now it is totally stuffed !

I can't even start clam now.

when i try to start clam I get:

starting clamd.virtualmin: /bin/bash: clamd.virtualmin: command not found

when I try fresh clam I get:

[root@hosting init.d]# freshclam ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!). ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

please advise

Submitted by steve@itgroup.net.au on Thu, 09/08/2011 - 17:42 Pro Licensee

I have removed clamav, rebooted, removed all Repos except the ones you recommend, reinstalled Clam av, but still will not start (as previous post). Please advise.

Submitted by JamieCameron on Thu, 09/08/2011 - 17:54

Try this :

  1. Remove all clamav packages
  2. Delete all *clam* files under /etc
  3. Delete /etc/init.d/clam* and /var/log/clamav
  4. Re-install clamav packages
  5. Re-enable Clamd in Virtualmin at Email Messages -> Spam and Virus Scanning -> Enable ClamAV Server Scanner

Submitted by steve@itgroup.net.au on Thu, 09/08/2011 - 19:16 Pro Licensee

Ok, have done all that. Now I don't have a clamd in the init.d directory - just a clamd-wrapper and it will not start.

[root@hosting init.d]# ./clamd-wrapper bash: ./clamd-wrapper: Permission denied [root@hosting init.d]# ls acpid clamd-wrapper dovecot ibmasm lm_sensors mysqld ntpd rdisc smartd wpa_supplicant amavis conman dund ip6tables lookup-domain named oddjobd readahead_early snmpd xfs anacron cpuspeed firstboot iptables lvm2-monitor netconsole pand readahead_later snmptrapd ypbind apmd crond freshclam irda mailman netfs pcscd restorecond spamassassin atd cups functions irqbalance mcstrans netplugd portmap rpcgssd sshd auditd daemon-control gpm iscsi mdmonitor network postfix rpcidmapd svnserve autofs dc_client haldaemon iscsid mdmpd NetworkManager postgresql rpcsvcgssd syslog avahi-daemon dc_server halt killall messagebus nfs proftpd saslauthd tomcat avahi-dnsconfd dhcdbd hidd krb524 microcode_ctl nfslock psacct sendmail usermin bluetooth dnsmasq httpd kudzu multipathd nscd rawdevices single webmin

I can't run fresh clam:

[root@hosting init.d]# freshclam ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!). ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

This appears to be getting worse now. Please advise !!

Submitted by JamieCameron on Thu, 09/08/2011 - 19:27

If you like, I can login to your system and take a look .. email me at jcameron@virtualmin.com if this is possible. I would need root SSH access.

Submitted by steve@itgroup.net.au on Thu, 09/08/2011 - 19:32 Pro Licensee

thanks Jamie - sorry for the stuff up ! I have emailed you.

Submitted by JamieCameron on Thu, 09/08/2011 - 20:04

So I just enabled use of clamd using the Virtualmin API, and it seems fine now ..

You can ignore the script /etc/init.d/clamd-wrapper , as it isn't even used. The real init script is /etc/init.d/clamd-virtualmin

Submitted by steve@itgroup.net.au on Sat, 09/10/2011 - 16:54 Pro Licensee

thanks Jamie, just tried Freshclam and that seems to still have issues though:

[root@hosting init.d]# freshclam ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!). ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

please advise.

Submitted by andreychek on Sat, 09/10/2011 - 17:18

What output do you get when running this command:

ls -la /var/log/clamav/

Submitted by steve@itgroup.net.au on Sat, 09/10/2011 - 17:21 Pro Licensee

root@hosting init.d]# ls -la /var/log/clamav/ ls: /var/log/clamav/: No such file or directory

shows it is not there. But there is a clamd.virtualmin

[root@hosting log]# ls acpid boot.log conman.old dovecot maillog.1 pm procmail.log.3.gz rpmpkgs spooler yum.log anaconda.log boot.log.1 cron faillog mailman ppp procmail.log.4.gz rpmpkgs.1 spooler.1 zarafa anaconda.syslog brcm-iscsi.log cron.1 httpd messages prelink procmail.log.5.gz sa-update.log tallylog anaconda.xlog btmp cups lastlog messages.1 procmail.log proftpd scrollkeeper.log wtmp audit clamd.virtualmin denyhosts mail mysqld.log procmail.log.1.gz rejection_log secure xferlog bandwidth conman dmesg maillog mysqld.log.rpmsave procmail.log.2.gz rkhunter.log secure.1 xferlog.1.gz

should the config file be changed to reflect that?

Submitted by andreychek on Sat, 09/10/2011 - 17:31

The Virtualmin default for /etc/freshclam.conf is to have this line:

UpdateLogFile /var/log/freshclam.log

Submitted by steve@itgroup.net.au on Sat, 09/10/2011 - 17:41 Pro Licensee

Hi,

you might have to get Jamie to have another look - as we seem to be going around in circles here.

There is no fresh clam.conf file - in /etc but it is in /usr/local/etc

I check the file and changed the path to /var/log/freshclam.log

I then created the file fresh clam.log and changed the chmod to 777

fresh clam now runs, but there is another error:

[root@hosting log]# freshclam ClamAV update process started at Sun Sep 11 08:39:46 2011 main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven) WARNING: Current functionality level = 29, recommended = 53 Please check if ClamAV tools are linked against the proper version of libclamav DON'T PANIC! Read http://www.clamav.net/support/faq daily.cld is up to date (version: 13599, sigs: 190345, f-level: 60, builder: guitar) WARNING: Current functionality level = 29, recommended = 60 Please check if ClamAV tools are linked against the proper version of libclamav DON'T PANIC! Read http://www.clamav.net/support/faq

Submitted by JamieCameron on Sun, 09/11/2011 - 00:02

That message isn't really an error .. it just means that clamav isn't the absolutely latest version.

Submitted by steve@itgroup.net.au on Sun, 09/11/2011 - 00:44 Pro Licensee

thanks Jamie - fair enough. However, I thought that it should always be the latest version. I have tried doing yum update clam and yum update clamav - but it still gives me the message. Is it because the clam on your repository is not updated? regards steve

Submitted by JamieCameron on Sun, 09/11/2011 - 01:05

New clamav versions come out pretty often, so we don't always have the absolute latest in our repository..

Submitted by JamieCameron on Sun, 09/11/2011 - 01:05

New clamav versions come out pretty often, so we don't always have the absolute latest in our repository..

Submitted by steve@itgroup.net.au on Sun, 09/11/2011 - 01:51 Pro Licensee

no worries - thanks Jamie. Please close call

Submitted by Issues on Sun, 09/25/2011 - 03:37

Automatically closed -- issue fixed for 2 weeks with no activity.