    How can I write two separate outputs from one command?

    IT Discussion (Solved). 30 Posts, 3 Posters, 890 Views
    • stacksofplates

      Yeah if you just pass a -i it will only print infected files. That's what we did. Here's what the summary looks like then.

      /home/jhooks/Downloads/test.txt: Eicar-Test-Signature FOUND
      
      ----------- SCAN SUMMARY -----------
      Known viruses: 6561649
      Engine version: 0.101.5
      Scanned directories: 11
      Scanned files: 42
      Infected files: 1
      Data scanned: 32.97 MB
      Data read: 200.09 MB (ratio 0.16:1)
      Time: 29.135 sec (0 m 29 s)
      

      That's the output from clamscan -i -r and just outputting that to a file without grepping.

    • stacksofplates

        So you get both the location of the infected file(s) and the summary with the number of scanned directories and files. And also the engine version.

    • scottalanmiller

          Doesn't tee handle this for you?

    • stacksofplates @scottalanmiller

            @scottalanmiller said in How can I write two separate outputs from one command?:

            Doesn't tee handle this for you?

            No it's two separate log outputs. That would work if it was the same output. But I don't think he really needs that anyway.

    • IRJ @stacksofplates

              @stacksofplates said in How can I write two separate outputs from one command?:

              Yeah if you just pass a -i it will only print infected files. That's what we did. Here's what the summary looks like then.


              That will work I will just need to add a timestamp. How ridiculous is it that it has no timestamp? lol

    • stacksofplates @IRJ

                @IRJ said in How can I write two separate outputs from one command?:

                That will work I will just need to add a timestamp. How ridiculous is it that it has no timestamp? lol

                ha yeah. We just stuck it in a file named the date. But yeah that's dumb there isn't any dates.

    • IRJ @stacksofplates

                  @stacksofplates said in How can I write two separate outputs from one command?:

                  ha yeah. We just stuck it in a file named the date. But yeah that's dumb there isn't any dates.

                  So you create a separate log file each time? I would think it would be easier to look at a single log file especially since we only have a few line output in this one.

    • stacksofplates @IRJ

                    @IRJ said in How can I write two separate outputs from one command?:

                    So you create a separate log file each time? I would think it would be easier to look at a single log file especially since we only have a few line output in this one.

                    We only did that because we had people who didn't know what they were doing looking at the logs. If it was for me, I wouldn't even have it on the systems, but our ISSM wanted the logs on the machines and to have some goons read the log files.

    • stacksofplates

                      If you set this up as a systemd unit/timer, the date will be automatically appended and set up for you. Then you can use journald to read logs. It should give you a lot of flexibility. Then you can scrape them just like system logs in Elastic Stack.

    • IRJ

                        @stacksofplates Here is how it looks when I add the date. I cannot seem to get a space in between, however.

                        clamscan -i -r --exclude=/sys | sed "s/^/$(date)/ " >> /var/log/clamav/scan_log

                        Mon Dec  9 20:10:59 UTC 2019/tmp/clamav_test/emerging-deleted.rules: Html.Trojan.Blackhole-65 FOUND
                        Mon Dec  9 20:10:59 UTC 2019/tmp/clamav_test/emerging-web_client.rules: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
                        Mon Dec  9 20:10:59 UTC 2019
                        Mon Dec  9 20:10:59 UTC 2019----------- SCAN SUMMARY -----------
                        Mon Dec  9 20:10:59 UTC 2019Known viruses: 6594198
                        Mon Dec  9 20:10:59 UTC 2019Engine version: 0.101.4
                        Mon Dec  9 20:10:59 UTC 2019Scanned directories: 1
                        Mon Dec  9 20:10:59 UTC 2019Scanned files: 45
                        Mon Dec  9 20:10:59 UTC 2019Infected files: 2
                        Mon Dec  9 20:10:59 UTC 2019Data scanned: 38.73 MB
                        Mon Dec  9 20:10:59 UTC 2019Data read: 15.07 MB (ratio 2.57:1)
                        Mon Dec  9 20:10:59 UTC 2019Time: 49.446 sec (0 m 49 s)
                        
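The missing space in the output above comes from where it sits in the sed script: `"s/^/$(date)/ "` puts the space after the closing slash, so it is not part of the replacement. There is a second, quieter problem with that one-liner: `$(date)` is expanded by the shell once, before clamscan starts, so every line of a 49-second scan carries the launch time. The following is an added example, not code from the thread, showing the corrected single-stamp sed and a per-line variant; the log path in the usage comment is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: two ways to timestamp clamscan output.
# Assumed usage (the log path is an assumption):
#   clamscan -i -r --exclude=/sys | stamp_lines >> /var/log/clamav/scan_log
set -u

# One stamp for the whole run: the thread's sed approach with the space moved
# inside the replacement text (it has to precede the closing slash).
# $(date) is expanded by the shell once, before sed starts, so every line gets
# the moment the pipeline was launched, not the moment it was produced.
stamp_once() {
  sed "s/^/$(date -u +%Y-%m-%dT%H:%M:%SZ) /"
}

# One stamp per line, taken as the line arrives, so hits and the summary show
# when they were actually written. UTC ISO-8601 keeps the log sortable and
# unambiguous when several machines' logs are collected centrally.
stamp_lines() {
  local line
  while IFS= read -r line; do
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$line"
  done
}

# A stamped line looks like: 2019-12-09T20:10:59Z /tmp/x: Eicar-Test-Signature FOUND
# Returns 0 when every line on stdin starts with such a stamp followed by a space,
# useful as a sanity check on a log before feeding it to a collector.
check_stamped() {
  ! grep -Evq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z '
}
```

In a script, set `set -o pipefail` before the pipeline; otherwise the exit status seen by the caller is that of the stamping filter, not clamscan's.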
    • stacksofplates

                          Here's the output from systemd if you create a service:

                          Dec 09 15:16:47 localhost.localdomain systemd[1]: Started ClamAV Scanner.
                          Dec 09 15:16:47 localhost.localdomain scan.sh[23673]: LibClamAV Warning: **************************************************
                          Dec 09 15:16:47 localhost.localdomain scan.sh[23673]: LibClamAV Warning: ***  The virus database is older than 7 days!  ***
                          Dec 09 15:16:47 localhost.localdomain scan.sh[23673]: LibClamAV Warning: ***   Please update it as soon as possible.    ***
                          Dec 09 15:16:47 localhost.localdomain scan.sh[23673]: LibClamAV Warning: **************************************************
                          Dec 09 15:17:17 localhost.localdomain scan.sh[23673]: ----------- SCAN SUMMARY -----------
                          Dec 09 15:17:17 localhost.localdomain scan.sh[23673]: Known viruses: 6561649
                          Dec 09 15:17:17 localhost.localdomain scan.sh[23673]: Engine version: 0.101.5
                          Dec 09 15:17:17 localhost.localdomain scan.sh[23673]: Scanned directories: 11
                          Dec 09 15:17:17 localhost.localdomain scan.sh[23673]: Scanned files: 41
                          Dec 09 15:17:17 localhost.localdomain scan.sh[23673]: Infected files: 0
                          Dec 09 15:17:17 localhost.localdomain scan.sh[23673]: Data scanned: 32.97 MB
                          Dec 09 15:17:17 localhost.localdomain scan.sh[23673]: Data read: 200.09 MB (ratio 0.16:1)
                          Dec 09 15:17:17 localhost.localdomain scan.sh[23673]: Time: 30.328 sec (0 m 30 s)
                          Dec 09 15:17:17 localhost.localdomain systemd[1]: scan.service: Succeeded.
                          
    • IRJ @stacksofplates

                            @stacksofplates said in How can I write two separate outputs from one command?:

                            Here's the output from systemd if you create a service:


                            Can you show me your systemd service file?

    • stacksofplates

                              If it were me, I'd just set up a service and timer. Then it's super easy to automate and audit. You just make sure the service and timer are enabled and you can check whenever you need that they are. Logs are really easy to grab then too. For this I just ran journalctl -u scan

    • stacksofplates @IRJ

                                @IRJ said in How can I write two separate outputs from one command?:

                                Can you show me your systemd service file?

                                [Unit]
                                Description=ClamAV Scanner
                                
                                [Service]
                                Type=simple
                                ExecStart=/usr/local/bin/scan.sh
                                
                                [Install]
                                WantedBy=default.target
                                
                                #!/bin/bash
                                
                                clamscan -i -r /home/jhooks/Downloads
                                
    • stacksofplates

                                  A timer would just be this:

                                  [Unit]
                                  Description=Run Clam Scan
                                  
                                  [Timer]
                                  OnCalendar=*-*-* 00:00:00
                                  Unit=scan.service
                                  
                                  [Install]
                                  WantedBy=default.target
                                  
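The service file and the timer above are enough to get journald-timestamped scan logs, as suggested earlier in the thread. One caveat a practitioner will hit: clamscan exits 0 when nothing was found, 1 when it found an infected file and 2 on an error, so a service that wraps it with the default success status of 0 is reported by systemd as failed precisely on the runs where the scanner did its job. The following is an added example, not the thread's own units: a function that writes a oneshot service and a daily timer, with that exit-status mapping and a few other deliberate differences explained in the comments. The clamscan path and the scan directory default are assumptions; the unit names follow the thread.

```shell
#!/usr/bin/env bash
# Added example, not the thread's own units: write a oneshot scan service and a
# daily timer into a unit directory. Assumptions: clamscan is at /usr/bin/clamscan
# and the units are named scan.service / scan.timer as in the thread.
# Deliberate differences from the thread's units, and why:
#  - Type=oneshot: the scan runs to completion and exits; it is not a daemon.
#  - SuccessExitStatus=1: clamscan exits 0 when clean, 1 when it found an infected
#    file and 2 on error. Without this line systemd marks the unit failed exactly
#    when something was found; exit 2 (a real error) still fails the unit.
#  - Persistent=true: a run missed while the machine was off happens at next boot.
#  - WantedBy=timers.target: the conventional target for timer units.
set -u

# write_clamav_units UNIT_DIR SCAN_DIR  (defaults: /etc/systemd/system, the thread's Downloads path)
write_clamav_units() {
  local unit_dir=${1:-/etc/systemd/system}
  local scan_dir=${2:-/home/jhooks/Downloads}
  cat > "$unit_dir/scan.service" <<EOF
[Unit]
Description=ClamAV Scanner

[Service]
Type=oneshot
ExecStart=/usr/bin/clamscan -i -r $scan_dir
SuccessExitStatus=1
EOF
  cat > "$unit_dir/scan.timer" <<'EOF'
[Unit]
Description=Run Clam Scan daily

[Timer]
OnCalendar=*-*-* 00:00:00
Persistent=true
Unit=scan.service

[Install]
WantedBy=timers.target
EOF
}

# unit_value FILE KEY: print the value of KEY in a unit file, e.g.
#   unit_value /etc/systemd/system/scan.service SuccessExitStatus
# A quick way to audit that the deployed unit really carries the settings above.
unit_value() {
  sed -n "s/^$2=//p" "$1"
}
```

After writing the units: `systemd-analyze verify /etc/systemd/system/scan.service`, then `systemctl daemon-reload`, `systemctl enable --now scan.timer`, and `systemctl list-timers scan.timer` to confirm the next run; `journalctl -u scan` shows each run with journald's own timestamps, and `systemctl status scan.service` now reads "Succeeded" for a scan that found something rather than "failed".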
    • IRJ @stacksofplates

                                    @stacksofplates said in How can I write two separate outputs from one command?:

                                    A timer would just be this:

                                    [Unit]
                                    Description=Run Clam Scan
                                    
                                    [Timer]
                                    OnCalendar=*-*-* 00:00:00
                                    Unit=scan.service
                                    
                                    [Install]
                                    WantedBy=default.target
                                    

                                    Do you run systemctl enable clamav.timer and systemctl start clamav.timer instead of doing it with service?

    • IRJ

                                      Service is failing, but timer is not?

                                      [screenshot: d4e43fd3-2e2b-4933-8275-ecdab63f1774-image.png]

    • stacksofplates @IRJ

                                        @IRJ said in How can I write two separate outputs from one command?:

                                        Do you run systemctl enable clamav.timer and systemctl start clamav.timer instead of doing it with service?

                                        Sorry was in the car, yeah you can do systemctl enable --now clamav.timer and it will do both.

    • stacksofplates @IRJ

                                          @IRJ said in How can I write two separate outputs from one command?:

                                          Service is failing, but timer is not?

                                          [screenshot: d4e43fd3-2e2b-4933-8275-ecdab63f1774-image.png]

                                          What's the output of journalctl -u clamav?

    • IRJ @stacksofplates

                                            @stacksofplates said in How can I write two separate outputs from one command?:

                                            What's the output of journalctl -u clamav?

                                            [screenshot: 304af91d-e11c-42b3-b85b-beb0d2dd0c76-image.png]
