Syslog Configuration

Use the following information to configure Powertech Antivirus syslog logging.

Powertech Antivirus uses Zlog to send log messages to local logs and to mirror them to syslog. For information about the Zlog configuration file, see https://hardysimpson.github.io/zlog/UsersGuide-EN.html.

Log files are created in the /opt/sgav/log folder. If they are not, verify the following:

  • The zlog.conf and zlog-avsvc.conf files exist
  • The zlog.conf and zlog-avsvc.conf files can be read by the user
  • The zlog.conf and zlog-avsvc.conf files do not contain typos that could prevent them from being read correctly

NOTE: The destination for the syslog messages depends on the syslog configuration of the host. By default, it may be /var/log/messages or /var/log/syslog.

Logging levels

The following severity levels are used by Powertech Antivirus:

FATAL Fatal conditions that will cause the product to stop running.
ERROR Serious messages that cause the product to fail or stop working.
WARN Important messages that should be looked at (e.g. virus infections, quarantine).
NOTICE General startup and shutdown activity, completion messages.
INFO Detailed messages, files not scanned, etc.
DEBUG Debug trace.

The syslog facility to which each of these levels is mirrored is set in the zlog configuration files. By default:

  • FATAL and ERROR messages are sent to syslog with facility LOG_LOCAL3.
  • WARN messages are sent with facility LOG_LOCAL4.
  • NOTICE messages are sent with facility LOG_LOCAL5.
  • INFO and DEBUG messages are not mirrored to syslog.

Zlog configuration for the avupdate and avscan tools is defined by the avupdate and avscan rules in zlog.conf. Changes take effect the next time these tools are run.

The avsvc server uses the avsvc rules in zlog-avsvc.conf. Changes take effect the next time the server is started or its configuration is reloaded (“avsvcctl reload”).

Possible Syslog Messages

The following are the bodies of the Powertech Antivirus messages for levels FATAL, ERROR, WARN, and NOTICE, as they would appear with the default syslog formatting:

PTAV FATAL another instance of %s is already running
PTAV FATAL client initialization failed
PTAV FATAL configuration failed, exiting
PTAV FATAL driver write failure, errno %d %s
PTAV FATAL error monitoring mounts, errno %d
PTAV FATAL failed to create client threadpool of size %ld, errno %d %s
PTAV FATAL failed to create notification threadpool, errno %d %s
PTAV FATAL failed to create onaccess threadpool of size %ld, errno %d %s
PTAV FATAL failed to ignore SIGPIPE, errno %d %s
PTAV FATAL failed to initialize monitoring
PTAV FATAL fileops: %s
PTAV FATAL no memory for event initialisation
PTAV FATAL out of memory
PTAV FATAL out of memory (array)
PTAV FATAL reporting initialization failed
PTAV FATAL unrecoverable error from device driver
PTAV ERROR %d exclude paths were rejected in avsvc configuration
PTAV ERROR %d include paths were rejected in avsvc configuration
PTAV ERROR %d mount paths were rejected in avsvc configuration
PTAV ERROR AVUpdate failed, error code %d.
PTAV ERROR Cannot clear %s, not a subdir within %s
PTAV ERROR DAT update failed!
PTAV ERROR EOVERFLOW, file too large
PTAV ERROR ERROR! See %s/%s for details.
PTAV ERROR ERROR! See FTP log %s for details.
PTAV ERROR ERROR! cannot transfer files, neither curl or wget is available
PTAV ERROR ERROR! curl not found
PTAV ERROR ERROR! wget not found
PTAV ERROR Error getting DATVersion from oem.ini file.
PTAV ERROR Error getting latest version directory from datinfo file.
PTAV ERROR FD_CLOEXEC failed %d %s
PTAV ERROR Failed to stop the avsvc service. You must stop it manually before re-attempting the update.
PTAV ERROR License error %d, %s, call Powertech
PTAV ERROR ODM initialize failure, error %d
PTAV ERROR Quarantine failed for %s
PTAV ERROR Quarantine failed for %s%s
PTAV ERROR Quarantine of infected file failed for %s%s
PTAV ERROR Scan engine failed, reason code %d.
PTAV ERROR Scan engine failed: %s.
PTAV ERROR Scan failed (error %d)
PTAV ERROR Unable to apply incrementals on this build (switching to full update)
PTAV ERROR Unzip failed, see log file %s/unzip.txt for details.
PTAV ERROR avscan notifier '%s' is not configured
PTAV ERROR avsvc 'mime' configuration option has no effect unless 'files' is set to 'all'
PTAV ERROR avsvc notifier '%s' is not configured
PTAV ERROR bad receive state %d nr %d ne %d
PTAV ERROR cannot create a configuration dictionary, error %d %s
PTAV ERROR cannot open log directory [%s], error %d %s
PTAV ERROR cannot parse configuration file '%s'
PTAV ERROR caught signal %d, crash log written to %s
PTAV ERROR copy %s to %s failed, errno %d %s
PTAV ERROR could not create local listener, errno %d %s
PTAV ERROR could not get device driver version, errno %d %s
PTAV ERROR could not issue driver shutdown, errno %d %s
PTAV ERROR could not open %s, errno %d %s
PTAV ERROR could not open instance lock file '%s', errno %d %s
PTAV ERROR could not query %s, errno %d %s
PTAV ERROR could not send fanotify response for file '%s', errno %d
PTAV ERROR could not send fanotify response, errno %d
PTAV ERROR delete of infected file failed for %s
PTAV ERROR device driver query failed, errno %d %s
PTAV ERROR device driver version (%s) does not match service (%s)
PTAV ERROR discarding over-length client record (%u)
PTAV ERROR driver close failed, rc %d errno %d %s
PTAV ERROR error creating thread
PTAV ERROR error in client protocol, unexpected header %02x%02x%02x%02x
PTAV ERROR error reading from device driver, errno %d %s
PTAV ERROR errors were encountered, aborting configuration change
PTAV ERROR failed to %s access for file %s from PID %lld, errno %d (%s)
PTAV ERROR failed to %s scan parameter list
PTAV ERROR failed to add %s to file queue, errno %d
PTAV ERROR failed to add %s to scan pool, errno %d
PTAV ERROR failed to add directory watch for '%s', errno %d %s
PTAV ERROR failed to add scan work to thread pool
PTAV ERROR failed to add scan work to thread pool, errno %d
PTAV ERROR failed to allocate vfstypes storage
PTAV ERROR failed to allow access to file %s, errno %d %s
PTAV ERROR failed to build path for %s event on '%s'
PTAV ERROR failed to configure device driver, errno %d %s
PTAV ERROR failed to create device driver special file %s, errno %d %s
PTAV ERROR failed to create event, errno %d %s
PTAV ERROR failed to create inotify thread, errno %d %s
PTAV ERROR failed to duplicate client fd, error %d %s
PTAV ERROR failed to fdopen file %s, errno %d %s
PTAV ERROR failed to increase max inotify watches, errno %d %s
PTAV ERROR failed to initialize device driver, errno %d %s
PTAV ERROR failed to initialize filesystem cache
PTAV ERROR failed to initialize inotify, errno %d %s
PTAV ERROR failed to initialize scan pool, erno %d %s
PTAV ERROR failed to initialize scan pool, errno %d %s
PTAV ERROR failed to initialize search pool, errno %d %s
PTAV ERROR failed to load device driver, errno %d %s
PTAV ERROR failed to open file %s, errno %d %s
PTAV ERROR failed to register tool, errno %d
PTAV ERROR failed to send %s configuration to device driver, errno %d %s
PTAV ERROR failed to set driver debug level, errno %d %s
PTAV ERROR failed to set inotify max watches, errno %d %s
PTAV ERROR failed to set inotify queue size, errno %d %s
PTAV ERROR failed to terminate device driver, errno %d %s
PTAV ERROR failed to truncate file %s, errno %d %s
PTAV ERROR failed to unload device driver, errno %d %s
PTAV ERROR fanotify read failure, errno %d %s
PTAV ERROR fanotify write failure, rc %d, errno %d %s
PTAV ERROR fanotify_init failed %d %s
PTAV ERROR fileops: %s
PTAV ERROR ignored empty '%s' value in configuration file
PTAV ERROR ignored invalid '%s' value '%s' in configuration file
PTAV ERROR ignoring '%s' in notify section
PTAV ERROR inotify loop poll failed, rc=%d errno=%d
PTAV ERROR inotify queue overflow, events have been lost
PTAV ERROR invalid 'access' value '%s' in avsvc configuration
PTAV ERROR invalid 'cleanfail' value '%s' in avsvc configuration
PTAV ERROR invalid 'delay' value '%s' in avsvc configuration
PTAV ERROR invalid 'files' value '%s' in avsvc configuration
PTAV ERROR invalid 'fscacheage' value '%s' in avsvc configuration
PTAV ERROR invalid 'fscacheidle' value '%s' in avsvc configuration
PTAV ERROR invalid 'fscachesize' value '%s' in avsvc configuration
PTAV ERROR invalid 'maxbacklog' value '%s' in avsvc configuration
PTAV ERROR invalid 'maxwait' value '%s' in avsvc configuration
PTAV ERROR invalid 'nice' value '%s' in avsvc configuration
PTAV ERROR invalid 'thread' value '%s' in avsvc configuration
PTAV ERROR invalid avsvc parameter '%s'
PTAV ERROR invalid parameter '%s'
PTAV ERROR local listener failure, error %d %s
PTAV ERROR message data size %d out of range
PTAV ERROR mkdir %s failed, errno %d %s
PTAV ERROR monitoring stopped abnormally
PTAV ERROR no callback registered for client connection
PTAV ERROR notifier '%s' has no command specified
PTAV ERROR out of memory
PTAV ERROR out of memory for buffer size %d
PTAV ERROR out of memory for mount list
PTAV ERROR out of memory for mount list (%d)
PTAV ERROR out of memory for mounts array
PTAV ERROR out of memory to handle file open event
PTAV ERROR parameter '%s' needs a value
PTAV ERROR permission denied, invalid message signature
PTAV ERROR receive in unexpected state %d
PTAV ERROR reconfigure of monitoring parameters failed
PTAV ERROR refusing to read configuration file '%s' because %s
PTAV ERROR search on '%s' failed, errno %d %s
PTAV ERROR skipping '%s', configuration section not set
PTAV ERROR special file %s does not have expected ownership and/or permissions
PTAV ERROR the scanning engine encountered an unrecoverable error
PTAV ERROR timed out waiting for monitoring thread to start
PTAV ERROR unable to get VFS details, errno %d %s
PTAV ERROR unable to get list of filesystem mounts (/proc/mounts), error %d %s
PTAV ERROR unable to get list of mounted filesystems, errno %d %s
PTAV ERROR unable to get number of mounted filesystems, errno %d %s
PTAV ERROR unable to locate %s tool at '%s', errno %d %s
PTAV ERROR unable to open %s, errno %d %s
PTAV ERROR unable to open cache dump file '%s', errno %d %s
PTAV ERROR unable to parse '%s' value '%s' in configuration file
PTAV ERROR unable to resolve quarantine path '%s', errno %d %s
PTAV ERROR unable to set client socket options, errno %d %s
PTAV ERROR unhandled message %d from device driver
PTAV ERROR unknown configuration section %s
PTAV ERROR unknown device driver action %d
PTAV ERROR unknown notify option '%s' for '%s'
PTAV ERROR unlink %s failed, errno %d %s
PTAV ERROR unlink %s failed, errno %d file path has changed to %s
PTAV ERROR unlink %s failed, errno %d realpath: %s
PTAV ERROR unsupported parameter '%s', use avconfig
PTAV NOTICE %s DAT update %s starting
PTAV NOTICE DAT files updated to %d
PTAV NOTICE DAT levels the same, nothing to do!
PTAV NOTICE McAfee %d engine, DAT level %d (%s)
PTAV NOTICE Notifying avinsite service...
PTAV NOTICE Restarting avsvc service...
PTAV NOTICE Starting %s %s v%s at %.24s.
PTAV NOTICE Stopping avsvc service...
PTAV NOTICE avscan starting
PTAV NOTICE built-in unsupported filesystem types: %s
PTAV NOTICE fileops: %s
PTAV NOTICE filesystems (by mount point):
PTAV NOTICE monitored filesystems:
PTAV NOTICE monitoring disabled, no filesystems monitored
PTAV NOTICE mounted filesystems:
PTAV NOTICE not starting monitoring - access is set to none
PTAV NOTICE on-access scanning is disabled
PTAV NOTICE service configuration:
PTAV NOTICE service information:
PTAV NOTICE supported filesystems:
PTAV NOTICE the 'mount' option is not supported on this platform
PTAV NOTICE total %d fanotify monitoring marks
PTAV WARN %llu filesystem events missed in the last %d seconds
PTAV WARN Delete of infected file failed for file %s with error=%d %s
PTAV WARN Disabling script command '%s': errno=%d
PTAV WARN Disabling script command: '%s' is infected
PTAV WARN Disabling script command: error %d while scanning '%s'
PTAV WARN Disabling script command: timeout reached while scanning '%s'
PTAV WARN Quarantined file %s
PTAV WARN Script failed: return code=%d. script=%s
PTAV WARN VIRUS: %s is INFECTED (%d) with '%s'!
PTAV WARN VIRUS: '%s' is INFECTED with '%s'
PTAV WARN cache clear attempt by non-root user %lld
PTAV WARN cache dump attempt by non-root user %lld
PTAV WARN chown %lld:%lld of %s failed, errno %d %s
PTAV WARN configuration load failed
PTAV WARN could not increase max open file limit to %d, errno %d %s
PTAV WARN driver debug control attempt by non-root user %lld
PTAV WARN failed to add fanotify mark for path '%s', errno %d %s
PTAV WARN failed to get driver queue stats, errno %d %s
PTAV WARN failed to report event statistics, error %d
PTAV WARN failed to report virus event for file '%s'
PTAV WARN failed to reset driver queue stats, errno %d %s
PTAV WARN failed to restart event statistics timer, error %d
PTAV WARN failed to start event report timer, error %d
PTAV WARN failed to watch directory %s
PTAV WARN fileops: %s
PTAV WARN log reconfigure failed
PTAV WARN log reconfigure with file '%s' failed because %s
PTAV WARN lost event on wd %d mask %x len %d name %s
PTAV WARN no filesystems are being monitored after reconfiguration
PTAV WARN no filesystems are being monitored after refresh
PTAV WARN notifier %s returned code %d (errno %d)
PTAV WARN product is not licensed: error %d (%s)
PTAV WARN reconfiguration of monitored filesystems failed, monitoring is in an undefined state
PTAV WARN refresh of monitored filesystems failed, monitoring is in an undefined state
PTAV WARN rejecting unauthorized client connection from uid %lld pid %lld %s
PTAV WARN stats reset attempt by non-root user %lld
PTAV WARN trace control attempt by non-root user %lld
PTAV WARN unable to set process priority to %ld, errno %d %s
PTAV WARN unrecognised client command %u
PTAV WARN virus definitions are %d days old

The AIX device driver will send the following messages to syslog using the “kern” facility:

PTAV ERROR an instance of the driver already exists
PTAV ERROR bad receive state %d nr %d ne %d
PTAV ERROR driver failed to initialize, error %d
PTAV ERROR driver termination failed, error %d
PTAV ERROR failed to pin device driver, rc %d
PTAV ERROR failed to register close extension, rc %d %s
PTAV ERROR fskv_reg failed, error %d
PTAV ERROR fskv_unreg failure, error %d
PTAV ERROR message length %u too large
PTAV ERROR out of memory for outq buffer, size %d
PTAV ERROR receive in unexpected state %d
PTAV ERROR timeout waiting for callouts to complete
PTAV ERROR uiomove failed rc %d
PTAV ERROR unpinning failed, err %d
PTAV WARN unhandled ioctl %x
PTAV WARN unhandled message %u
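As an added example (not code from the product or from this page), the following Python parser classifies the FATAL, ERROR, WARN and NOTICE message bodies listed above once they reach the host syslog, so that infections, failed quarantines, rejected client connections and disabled protection can be picked out of a log file. It assumes the body follows a "PTAV <LEVEL> " prefix as in the list (the "SGAV %V %m%n" format string would produce "SGAV <LEVEL> ", which is accepted too); the sample lines are constructed.

```python
import re

# Constructed sample syslog lines (not from the page) in the form a host syslog
# daemon typically writes them; only the part after the PTAV/SGAV prefix is parsed.
SAMPLE_LOG = """\
Mar  3 10:15:22 host1 avsvc[2140]: PTAV WARN VIRUS: '/home/alice/payload.sh' is INFECTED with 'EICAR test file'
Mar  3 10:15:22 host1 avsvc[2140]: PTAV WARN Quarantined file /home/alice/payload.sh
Mar  3 10:16:01 host1 avscan[2201]: PTAV WARN VIRUS: /tmp/drop.bin is INFECTED (0) with 'EICAR test file'!
Mar  3 10:16:01 host1 avscan[2201]: PTAV ERROR Quarantine of infected file failed for /tmp/drop.bin
Mar  3 10:20:45 host1 avsvc[2140]: PTAV WARN rejecting unauthorized client connection from uid 1001 pid 3322 avsvcctl
Mar  3 10:21:00 host1 avsvc[2140]: PTAV WARN cache clear attempt by non-root user 1001
Mar  3 10:30:00 host1 avsvc[2140]: PTAV NOTICE on-access scanning is disabled
Mar  3 11:00:00 host1 avupdate[2410]: PTAV WARN virus definitions are 14 days old
Mar  3 11:00:01 host1 avupdate[2410]: PTAV NOTICE DAT files updated to 10123
""".splitlines()

PREFIX = re.compile(r"\b(?:PTAV|SGAV) (FATAL|ERROR|WARN|NOTICE) (.*)$")

# Body patterns derived from the message formats listed above (%s/%d -> named groups).
PATTERNS = [
    ("infection", re.compile(r"VIRUS: '(?P<path>.+)' is INFECTED with '(?P<name>.+)'$")),
    ("infection", re.compile(r"VIRUS: (?P<path>.+) is INFECTED \((?P<code>\d+)\) with '(?P<name>.+)'!$")),
    ("quarantined", re.compile(r"Quarantined file (?P<path>.+)$")),
    ("remediation_failed", re.compile(
        r"(?i)(?:quarantine|delete)(?: of infected file)? failed for (?:file )?(?P<path>.+?)"
        r"(?: with error=(?P<errno>\d+).*)?$")),
    ("unauthorized_client", re.compile(
        r"rejecting unauthorized client connection from uid (?P<uid>\d+) pid (?P<pid>\d+)")),
    ("non_root_control", re.compile(r"(?P<action>.+) attempt by non-root user (?P<uid>\d+)$")),
    ("stale_definitions", re.compile(r"virus definitions are (?P<days>\d+) days old$")),
    ("protection_off", re.compile(
        r"on-access scanning is disabled|monitoring disabled, no filesystems monitored"
        r"|not starting monitoring - access is set to none|product is not licensed")),
]

def parse_line(line):
    """Return an event dict for a PTAV syslog line, or None if the line is not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    level, body = m.group(1), m.group(2).rstrip()
    for kind, pattern in PATTERNS:
        hit = pattern.search(body)
        if hit:
            return {"kind": kind, "level": level, **hit.groupdict()}
    return {"kind": "other", "level": level, "body": body}

def summarize(lines):
    """Parse all lines; return (events in order, counts by kind)."""
    events = [e for e in map(parse_line, lines) if e is not None]
    counts = {}
    for event in events:
        counts[event["kind"]] = counts.get(event["kind"], 0) + 1
    return events, counts
```

Running summarize(SAMPLE_LOG) on the constructed lines yields two infections, one of which was not quarantined, plus the rejected client and non-root control attempts that indicate a local user probing the service socket.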

zlog.conf

[global]
strict init = false
reload conf period = 1M
buffer min = 1024
buffer max = 2MB
rotate lock file = /tmp/zlog.lock
default format = "%m%n"
# Log file permissions: 660 = -rw-rw----
file perms = 660
fsync period = 1K
 
[formats]
simple = "%m%n"
normal = "%d(%F %T) %m%n"
syslog = "SGAV %V %m%n"
debug = "[%p:%F:%L] %m%n"
 
[rules]
# Log errors to separate log
*.ERROR			"%E(SGAV_HOME)/log/error.log", 1MB; normal

# avupdate logging
avupdate.*		>stdout
avupdate.*		"%E(SGAV_HOME)/log/avupdate.log", 1MB; normal

# syslog output
avscan.=FATAL		>syslog, LOG_LOCAL3; syslog
avscan.=ERROR		>syslog, LOG_LOCAL3; syslog
avscan.=WARN		>syslog, LOG_LOCAL4; syslog
avscan.=NOTICE		>syslog, LOG_LOCAL5; syslog
avupdate.=FATAL		>syslog, LOG_LOCAL3; syslog
avupdate.=ERROR		>syslog, LOG_LOCAL3; syslog
avupdate.=WARN		>syslog, LOG_LOCAL4; syslog
avupdate.=NOTICE	>syslog, LOG_LOCAL5; syslog

Notes on the default configuration:

  • The value of “%E(SGAV_HOME)” is resolved at run-time to be the installation directory, typically /opt/sgav.
  • Errors from avscan and avupdate tools are sent to error.log.
  • Messages at all levels from avupdate are sent to standard out and mirrored to avupdate.log.
  • Messages at FATAL, ERROR, WARN, and NOTICE for both tools are mirrored to syslog using the syslog facilities shown.
  • error.log and avupdate.log are truncated once their size reaches 1MB.
  • To prevent mirroring to syslog, comment out all lines that have “>syslog” in the rule destination.

zlog-avsvc.conf

[global]
strict init = true
reload conf period = 0
file perms = 644
default format = "%V %v %m%n"

[formats]
normal = "%d %V [%p:%F:%L] %m%n"
abbrev = "%V %m %n"
plain = "%m %n"
syslog = "SGAV %V %m%n"

[rules]
# config rules used for configuration validation mode
config.=FATAL	>stdout; abbrev
config.=ERROR	>stdout; abbrev
config.=NOTICE	>stdout; abbrev
config.=WARN	>stdout; abbrev
config.=INFO 	>stderr; plain
config.*     "%E(SGAV_HOME)/log/avsvc.log",10MB * 3 ~ "%E(SGAV_HOME)/log/avsvc.log.#r"; normal

# debug rules used in foreground debug mode
debug.INFO   >stderr; abbrev
debug.*      "%E(SGAV_HOME)/log/avsvc.log",10MB * 3 ~ "%E(SGAV_HOME)/log/avsvc.log.#r"; normal

# avsvc rules used in daemon mode
avsvc.INFO  "%E(SGAV_HOME)/log/avsvc.log",10MB * 3 ~ "%E(SGAV_HOME)/log/avsvc.log.#r"; normal
#avsvc.*    "%E(SGAV_HOME)/log/avsvc.log",10MB * 3 ~ "%E(SGAV_HOME)/log/avsvc.log.#r"; normal

# syslog output, daemon mode
avsvc.=FATAL	>syslog, LOG_LOCAL3; syslog
avsvc.=ERROR	>syslog, LOG_LOCAL3; syslog
avsvc.=WARN	>syslog, LOG_LOCAL4; syslog
avsvc.=NOTICE	>syslog, LOG_LOCAL5; syslog

Notes on the default configuration:

  • When the server is asked to validate the config.ini configuration file (“avsvccfg validate”), messages at INFO level and above are sent to the screen. A copy of all messages, including debug statements, is sent to avsvc.log.
  • The running server logs messages at INFO level and above to avsvc.log, maximum size 10MB, with up to three files of rotation.
  • The running server also logs messages at NOTICE level and above to syslog.
  • To prevent mirroring to syslog, comment out all lines that have “>syslog” in the rule destination.
  • Debug trace may be obtained by swapping the avsvc rules:

# avsvc rules used in daemon mode
#avsvc.INFO 	"%E(SGAV_HOME)/log/avsvc.log",10MB * 3 ~ "%E(SGAV_HOME)/log/avsvc.log.#r"; normal
avsvc.* 	"%E(SGAV_HOME)/log/avsvc.log",10MB * 3 ~ "%E(SGAV_HOME)/log/avsvc.log.#r"; normal
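An added example, not code from the product or from this page: a Python checker that reads the [rules] section of a zlog.conf or zlog-avsvc.conf written in the syntax shown above and reports, for one category, which of the FATAL, ERROR, WARN and NOTICE levels still reach syslog and with which facility, so an edit such as commenting out a “>syslog” line can be verified before the tools are run or the server is reloaded. It handles exact (“=WARN”), threshold (“WARN”) and wildcard (“*”) level selectors and the “*” category; the sample configuration is constructed, with one avscan line deliberately commented out.

```python
LEVELS = ["DEBUG", "INFO", "NOTICE", "WARN", "ERROR", "FATAL"]   # zlog levels, ascending
SYSLOG_LEVELS = ["FATAL", "ERROR", "WARN", "NOTICE"]           # levels the page mirrors

def parse_rules(conf_text):
    """Parse the [rules] section: one 'category.level  action[; format]' per line."""
    rules, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # [global], [formats], [rules]
            section = line.strip("[] ")
            continue
        if section != "rules" or not line or line.startswith("#"):
            continue                                  # '#' lines are comments in zlog.conf
        head, _, fmt = line.partition(";")
        selector, action = head.split(None, 1)
        category, _, level = selector.partition(".")
        rule = {"category": category, "exact": level.startswith("="),
                "level": level.lstrip("="), "format": fmt.strip() or None, "facility": None}
        if action.startswith(">"):                    # >stdout, >stderr or >syslog, LOG_xxx
            target, _, facility = action.partition(",")
            rule["target"], rule["facility"] = target[1:].strip(), facility.strip() or None
        else:                                         # "path", size [* count ~ "archive"]
            rule["target"], rule["file"] = "file", action.split(",")[0].strip().strip('"')
        rules.append(rule)
    return rules

def levels_of(rule):
    """Levels a rule catches: '*' is all, '=X' exactly X, plain 'X' is X and above."""
    if rule["level"] == "*":
        return set(LEVELS)
    if rule["exact"]:
        return {rule["level"]}
    return set(LEVELS[LEVELS.index(rule["level"]):])

def syslog_mirroring(conf_text, category):
    """Map each syslog-mirrored level of `category` to its facility (None = not mirrored)."""
    result = dict.fromkeys(SYSLOG_LEVELS)
    for rule in parse_rules(conf_text):
        if rule["target"] == "syslog" and rule["category"] in ("*", category):
            for lvl in levels_of(rule):
                if lvl in result:
                    result[lvl] = rule["facility"]
    return result

# Constructed sample (not the page's file): zlog.conf [rules] with the avscan WARN syslog line commented out.
SAMPLE_CONF = """\
[rules]
*.ERROR         "%E(SGAV_HOME)/log/error.log", 1MB; normal
avupdate.*      >stdout
avscan.=FATAL   >syslog, LOG_LOCAL3; syslog
avscan.=ERROR   >syslog, LOG_LOCAL3; syslog
#avscan.=WARN   >syslog, LOG_LOCAL4; syslog
avscan.=NOTICE  >syslog, LOG_LOCAL5; syslog
avupdate.=WARN  >syslog, LOG_LOCAL4; syslog
"""
```

For the sample, syslog_mirroring(SAMPLE_CONF, "avscan") reports WARN as None, which is exactly the level the virus detection and quarantine messages are logged at; the same call with the real file contents and "avsvc" as the category checks zlog-avsvc.conf.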