Thread: Clamavd gone missing

  1. #1

    Clamavd gone missing

    Spotted errors like these in mail.log:

    Jan 26 14:04:11 beastie amavis[4126]: (04126-07) (!)run_av (ClamAV-clamd, built-in i/f): Too many retries to talk to /var/run/clamav/clamd (Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory) at (eval 99) line 310.

    Went for a look to see if the clamavd file was there, and found that the /var/run/clamav folder was missing

    According to Yast clamav was still installed but in an attempt to get the files back I uninstalled and then reinstalled clamav

    Still no clamavd file or /var/run/clamav folder

    What provides clamavd if it isn't clamav?

    Any ideas on how I get clamavd back appreciated

  2. #2

    Re: Clamavd gone missing

    Typo there, clamd not clamavd ... doh at me!

    And after re-installing it's in /usr/sbin not /var/run/clamav so I'm editing amavisd.conf to suit and seeing how it goes

  3. #3
    Tilman Schmidt NNTP User

    Re: Clamavd gone missing

    Ecky wrote:
    > Typo there, clamd not clamavd ... doh at me!
    >
    > And after re-installing it's in /usr/sbin not /var/run/clamav so I'm
    > editing amavisd.conf to suit and seeing how it goes


    Don't. These are two separate things. /usr/sbin/clamd is the actual
    program, while /var/run/clamav/clamd is the communication socket for
    talking to it. The socket is created by the program once it is running.
    So start clamd by entering (as root)

    /usr/sbin/rcclamd start

    give it a minute or so to get up to speed, and then look again whether
    the socket is there with

    ls -l /var/run/clamav

    If it isn't, look in the system log (/var/log/messages) for messages
    from clamd telling you why it couldn't start.

    HTH
    T.

  4. #4

    Re: Clamavd gone missing

    Yeah mate I discovered that didn't make any difference

    Should've realised it was a socket, the clue being where it says Can't connect to UNIX socket ... it's been one of those days

    Restarted clamd a few times and it's just not creating /var/run/clamd

    There are no references to anything related to clam in /var/log/messages except for some clown on a mongolian ip trying to ssh in as a user clamd ... as well as a hundred or so other users

    I'm wondering if maybe clamd has 'lost' the privilege to create the socket somehow


    But having said that, when I restart clamd I get this in mail.log

    Jan 26 19:45:36 beastie clamd[13498]: Socket file removed.
    Jan 26 19:45:36 beastie clamd[13498]: Pid file removed.
    Jan 26 19:45:36 beastie clamd[13498]: --- Stopped at Mon Jan 26 19:45:36 2009
    Jan 26 19:45:41 beastie clamd[16068]: clamd daemon 0.94.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
    Jan 26 19:45:41 beastie clamd[16068]: Running as user root (UID 0, GID 0)

    It's running as root so it should be able to create it, but it's also saying it removed a socket file ... but what socket file

    I haven't changed anything relating to the mailserver or clamav except for a couple of blacklist spam regexp's in amavisd.conf and some addresses to reject in /etc/postfix/access

    None of which ought to affect clamav in this way as far as I'm aware

  5. #5

    Re: Clamavd gone missing

    You don't say what version you are running, but on my older openSUSE amavis doesn't talk to a clamav socket file. The communication between amavis and clamd is via a TCP socket on port 3310, as stated in amavis.conf. However to confuse things, that clamd does create a Unix socket but it's in /var/lib/clamd.

    None of this may apply to you as you may be running a more recent release. But you should look in clamd.conf and amavis.conf to see what each service is set up to do, and expect, and why you are getting that line in the log file.

    Unfortunately I don't have a recent release to check for you because I have put the mailserver upgrade on hold until a kernel with the inotify bug fix is officially released.

  6. #6

    Re: Clamavd gone missing

    Hi ken

    Clamd.conf does have this entry: TCPSocket 3310

    I can't however find anything matching it in amavisd.conf, here are some entries from amavisd.conf that seem related and may give you some clue on what I need to do

    (I'm running amavisd-new 2.5.1-102.1-x86_64 btw)

    $unix_socketname = "$MYHOME/amavisd.sock"; # amavisd-release or amavis-milter
    # option(s) -p overrides $inet_socket_port and $unix_socketname


    $inet_socket_port = 10024; # listen on this local TCP port(s)
    # $inet_socket_port = [10024,10026]; # listen on multiple TCP ports


    The $inet_socket_port = 10024 one perhaps?


    All it has in the @av_scanners = ( section for clamav is this:

    ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],


    Other than the @av_scanners_backup = ( entry I can't see anything else that might be related to clamav in there


    There is something that seems to indicate it's still scanning even though I'm seeing those errors

    On starting amavisd:

    Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan

    Then on mail coming in: Passed CLEAN


    If I'm understanding that correctly it means the primary scanner's failing so it falls back on the secondary which works, even though they're both clamav?

  7. #7

    Re: Clamavd gone missing

    The path for clamd's socket is in /etc/clamd.conf, so do look at it.

    The 10024 is for amavis <-> postfix communication. Not relevant here.

    The primary scanner is the one where amavis talks to clamd as a peer, either through a Unix or TCP socket. If that doesn't work, it falls back to the secondary scanner, where amavis forks an instance of clamscan for each email and attachment. Obviously this is less efficient for large volumes so the primary method is preferred.

    It could be a bug in the release (you still haven't said what version) that the socket paths don't match up in the configs. Or your config files may have been edited.

    PS: Could it be simply that you don't have clamd running?

  8. #8

    Re: Clamavd gone missing

    I thought you meant the amavis version, the clamav version is 0.94.2-1.1

    Just had another quick look in clamd.conf as well as the tcp port you mentioned in your earlier post I found this:

    # Path to a local socket file the daemon will listen on.
    # Default: disabled (must be specified by a user)
    LocalSocket /var/lib/clamav/clamd-socket

    /var/lib/clamav/clamd-socket DOES exist so I'm guessing that's what I should be using

    Lo and behold I'd already changed the path in amavisd.conf to that before I went out, so I must have been on the right track somewhere!

    Checked the log and there were no errors whilst I was out, have restarted everything to be sure and will check again tomorrow

    On restarting I have this in mail.log

    Jan 27 03:09:14 beastie amavis[9754]: Using primary internal av scanner code for ClamAV-clamd
    Jan 27 03:09:14 beastie amavis[9754]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
    Jan 27 03:09:14 beastie amavis[9754]: Creating db in /var/spool/amavis/db/; BerkeleyDB 0.34, libdb 4.5

    It looks more like what I should be seeing, so let's hope it's sorted
    Last edited by Ecky; 26-Jan-2009 at 20:19. Reason: missed out the startup log
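
The mismatch found in post #8, as an added example that is not part of the original thread: a shell check that reads LocalSocket from clamd.conf and the socket path from the ClamAV-clamd entry of amavisd.conf, then reports whether the two agree and whether the socket exists. The function names and verdict strings are hypothetical, and the config file locations are passed in by the caller.

```shell
#!/bin/sh
# Added example: does amavisd-new dial the socket clamd actually listens on?

# Print the last uncommented LocalSocket value from a clamd.conf.
clamd_socket() {
    awk '$1 == "LocalSocket" { s = $2 } END { if (s != "") print s }' "$1"
}

# Print the UNIX socket path from the ClamAV-clamd entry of @av_scanners.
# Prints nothing when the entry is absent, commented out, or uses host:port.
amavis_socket() {
    awk '
        /^[ \t]*#/     { next }
        /ClamAV-clamd/ { inentry = 1 }
        inentry && /ask_daemon/ {
            if (match($0, /"\/[^"]*"/))
                print substr($0, RSTART + 1, RLENGTH - 2)
            exit
        }
    ' "$1"
}

# check_clamd_link CLAMD_CONF AMAVISD_CONF
# Returns 0 only if both files name the same path and it exists as a socket.
check_clamd_link() {
    want=$(clamd_socket "$1")
    used=$(amavis_socket "$2")
    if [ -z "$want" ]; then
        echo "NO-LOCALSOCKET in $1"; return 2
    fi
    if [ -z "$used" ]; then
        echo "NO-UNIX-SOCKET in ClamAV-clamd entry of $2"; return 2
    fi
    if [ "$want" != "$used" ]; then
        echo "MISMATCH clamd=$want amavisd=$used"; return 1
    fi
    if [ ! -S "$used" ]; then
        echo "MISSING $used"; return 3
    fi
    echo "OK $used"
}

# Run against real files only when two paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_clamd_link "$1" "$2"
fi
```

A MISMATCH or MISSING verdict corresponds to the state in which amavis logs "Too many retries to talk to ..." and mail is scanned only by the secondary clamscan fallback.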

  9. #9

    Re: Clamavd gone missing

    I meant the version of openSUSE, or did I miss that? Sorry if I did, I read too fast for my own good sometimes.

    Strange how 127.0.0.1 port 3310 didn't work, it doesn't matter now.

  10. #10

    Re: Clamavd gone missing

    No more errors when I just checked the log again, there were also freshclam errors I was getting that are also sorted now

    It's Suse 11 x86_64

    I still don't know why it stopped working, but hey, can't have everything

    You may remember giving me a lot of help getting it all set up in the first place ken so once again, many thanks
