No result for Freshclam query in Log Analytics

[ndrnclmndz]

0 results for Freshclam query

No result showing in Log Analytics when perform freshclam query. This is the first time we encounter this issue and this started only this Monday (6/16/2025).

How to reproduce the problem

We perform daily checking of the definition updates of ClamAV on our Linux servers. However, when we run the following query in Log Analytics, the result we are getting is 0 results.

freshclam_CL | where RawData contains "daily.cld" or RawData contains "main.cvd" or RawData contains "bytecode.cvd"

We have checked that all of our 43 Linux servers are online and running.

Please see the result of the clamconf -n command on one of our Linux servers:

Checking configuration files in /etc

Config file: clamd.conf

LogFile = "/var/log/clamd.log"
LogFileMaxSize = "2097152"
LogTime = "yes"
LogSyslog = "yes"
LogFacility = "LOG_MAIL"
LogRotate = "yes"
PidFile = "/run/clamav/clamd.pid"
LocalSocket = "/run/clamav/clamd-socket"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
User = "vscan"

Config file: freshclam.conf

LogFileMaxSize = "104857600"
LogTime = "yes"
LogSyslog = "yes"
LogFacility = "LOG_MAIL"
LogRotate = "yes"
PidFile = "/run/clamav/freshclam.pid"
UpdateLogFile = "/var/log/freshclam.log"
DatabaseMirror = "database.clamav.net"

Config file: clamav-milter.conf

LogSyslog = "yes"
LogFacility = "LOG_MAIL"
PidFile = "/run/clamav/clamav-milter.pid"
User = "vscan"
ClamdSocket = "unix:/run/clamav/clamd.sock"
MilterSocket = "/run/clamav/clamav-milter.sock"

Software settings

Version: 1.4.2
Optional features supported: MEMPOOL AUTOIT_EA06 ICONV RAR

Database information

Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 08:32:42 2021
daily.cld: version 27670, sigs: 2075758, built on Mon Jun 16 04:37:08 2025
bytecode.cld: version 336, sigs: 83, built on Mon Mar 24 15:29:20 2025
Total number of signatures: 8723268

Platform information

uname: Linux 4.12.14-122.258-default #1 SMP Wed May 14 11:35:27 UTC 2025 (9b99659) x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a21d4d408000000000d0300

Build information

GNU C: 13.3.0 (13.3.0)
sizeof(void*) = 8
Engine flevel: 212, dconf: 212

1. What could be the cause of this issue?
2. Why are we getting 0 results when the servers are online and running?
3. What needs to done to fix this issue?
4. Is the servers not getting the daily definition signatures?
5. Do we need to run the freshclam command everyday on the servers for them to get the definition signatures?

Looking forward to your response.

Thank you!

~Andrea

[ndrnclmndz]

Hello,

@val-ms can you assist on this issue please?

Thank you!

[val-ms]

Hi @ndrnclmndz sorry this report slipped past without a response.

I do not know anything about Log Analytics. This doesn't sound like a freshclam issue so much as a configuration issue with that software.

That said - some others have reported issues with ClamAV logging in 1.4.2: #1509

If the issue for you is just that the ClamAV 1.4 version isn't logging and it used to work with an older version, then we should move this conversation to that ticket.

[ndrnclmndz]

Hello @val-ms,

I checked the ticket you provided and the issue is for Fedora. The OS of our Linux Servers is SUSE.

Also, we have downgraded the ClamAV version to 1.3 on RHEL 7 servers and freshclam starts providing results in Log Analytics.

Is our issue related to Fedora OS?

[val-ms]

Argh! I missed your reply. Again. I'm sorry. It sounds like the same issue as that other ticket then. I'm going to close this one as a duplicate.