ClamAV has stopped working?

Discussion in 'ISPConfig 3 Priority Support' started by RobPatton, Dec 28, 2016.

  1. RobPatton

    RobPatton Member

    Had a good run with everything going well for a month or so, but sometime in the past week I've started getting errors in logs:

    Dec 25 03:45:43 webhost amavis[18584]: (18584-02) (!)connect to /var/run/clamav/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.sock: No such file or directory
    Dec 25 03:45:44 webhost amavis[18584]: (18584-02) (!)connect to /var/run/clamav/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.sock: No such file or directory
    Dec 25 03:45:44 webhost amavis[18584]: (18584-02) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.sock, retrying (2)
    Dec 25 03:45:50 webhost amavis[18584]: (18584-02) (!)connect to /var/run/clamav/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.sock: No such file or directory
    Dec 25 03:45:50 webhost amavis[18584]: (18584-02) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.sock (All attempts (1) failed connecting to /var/run/clamav/clamd.sock) at (eval 131) line 613.\n
    Dec 25 03:45:50 webhost amavis[18584]: (18584-02) (!)WARN: all primary virus scanners failed, considering backups

    I suspect there are other things wrong, as I don't seem to be getting any spam blocked via blacklists, but I don't know where to begin to chase that down.

    HELP!
     
  2. RobPatton

    RobPatton Member

    Well, removed amavisd-new spamassassin clamav-server clamav-data clamav-update clamav-filesystem clamav
    and reinstalled.
    And THAT error went away, but clearly something is not working. TONS of spam now make it through that did not used to. Does not appear that postfix is checking any BL.
     
  3. RobPatton

    RobPatton Member

    Well, as it usually goes, after a few hours of blindly mashing on keys, I have both made it better and made it worse. I'm STILL getting a TON of spam, so clearly something is wrong, but I don't even know where to start.
     
  4. RobPatton

    RobPatton Member

    Ok, In trying to fix it, I broke it entirely, and had to fall back to a backup from 22 hours prior.
    I can accept mail again, but I'm still gifted with the:

    Dec 28 22:45:34 webhost amavis[3014]: (03014-01) (!)connect to /var/run/clamav/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.sock: No such file or directory
    Dec 28 22:45:35 webhost amavis[3014]: (03014-01) (!)connect to /var/run/clamav/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.sock: No such file or directory
    Dec 28 22:45:35 webhost amavis[3014]: (03014-01) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.sock, retrying (2)
    Dec 28 22:45:41 webhost amavis[3014]: (03014-01) (!)connect to /var/run/clamav/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.sock: No such file or directory
    Dec 28 22:45:41 webhost amavis[3014]: (03014-01) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.sock (All attempts (1) failed connecting to /var/run/clamav/clamd.sock) at (eval 131) line 613.\n


    and a hefty dose of SPAM.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Clamav is the antivirus scanner, it is not used for spam scanning, so the clamav and spam problem are two different things. First, to the clamav problem: the error message means that it is not started. Please try to restart clamav; if the service does not start, then please check the clamav and syslog files for the clamav start error.

    Regarding spam scanning, there are many threads that describe how to tighten the spam scanner here in the forum. Here are some points:

    - Add Realtime blacklists under System > Server config > Mail
    - Ensure that you have set a spamfilter policy for the mail domains.
    - Lower the spam tag 2 level to e.g. 3.0 and set the spam tag level to -100 to get debug infos in the mail header.
     
  6. RobPatton

    RobPatton Member

    Admitting I'm way over my head at this point.
    I'm focusing on the SPAM as a symptom, as I suspect several things stopped working after a yum update I did on 12/19/2016 (which was to get a newer ver of php, to support piwik).
    This was working pretty well before the updates. All my configs that I've spent a couple months on are still there, they just don't work any more.
    If I do a ps -Al | grep clam
    4 S 992 984 1 0 80 0 - 150506 poll_s ? 00:00:53 clamd
    So that looks like it's running?
    You'll have to dumb it down for me, I'm not sure what I'm looking for.
    I spent 6 hours (and 3 restores from backups) yesterday, and the only guess I came up with is: could it be a mismatch in the two config files for amavis and clamav?
    I'm at a loss to find logs, and very confused by the fact that half the time things are clamd, or clam.d, and then sometimes it's clamav, or freshclam, or amavis.freshclam
     
    Last edited: Dec 29, 2016
  7. RobPatton

    RobPatton Member

    Looking at maillog,

    Dec 29 08:57:45 webhost amavis[2697]: Using primary internal av scanner code for ClamAV-clamd
    Dec 29 08:57:45 webhost amavis[2697]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
    Dec 29 08:57:45 webhost amavis[2697]: Deleting db files __db.001,__db.002,__db.003,snmp.db,nanny.db in /var/spool/amavisd/db
    Dec 29 08:57:45 webhost spamd[2093]: spamd: server started on IO::Socket::IP [127.0.0.1]:783 (running version 3.4.0)
    Dec 29 08:57:45 webhost spamd[2093]: spamd: server pid: 2093
    Dec 29 08:57:45 webhost amavis[2697]: Creating db in /var/spool/amavisd/db/; BerkeleyDB 0.51, libdb 5.3
    Dec 29 08:57:45 webhost spamd[2093]: spamd: server successfully spawned child process, pid 2707
    Dec 29 08:57:45 webhost spamd[2093]: spamd: server successfully spawned child process, pid 2711
    Dec 29 08:57:45 webhost spamd[2093]: prefork: child states: IS
    Dec 29 08:57:45 webhost spamd[2093]: prefork: child states: II
    Dec 29 08:58:00 webhost clamd[997]: Loaded 5415003 signatures.
    Dec 29 08:58:05 webhost clamd[997]: LOCAL: Unix socket file /var/run/clamd.amavisd/clamd.sock
    Dec 29 08:58:05 webhost clamd[997]: LOCAL: Setting connection queue length to 200
    Dec 29 08:58:05 webhost clamd[997]: Limits: Global size limit set to 104857600 bytes.
    Dec 29 08:58:05 webhost clamd[997]: Limits: File size limit set to 26214400 bytes.
    Dec 29 08:58:05 webhost clamd[997]: Limits: Recursion level limit set to 16.
    Dec 29 08:58:05 webhost clamd[997]: Limits: Files limit set to 10000.
    Dec 29 08:58:05 webhost clamd[997]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
    Dec 29 08:58:05 webhost clamd[997]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
    Dec 29 08:58:05 webhost clamd[997]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
    Dec 29 08:58:05 webhost clamd[997]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
    Dec 29 08:58:05 webhost clamd[997]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
    Dec 29 08:58:05 webhost clamd[997]: Limits: MaxPartitions limit set to 50.
    Dec 29 08:58:05 webhost clamd[997]: Limits: MaxIconsPE limit set to 100.
    Dec 29 08:58:05 webhost clamd[997]: Limits: MaxRecHWP3 limit set to 16.
    Dec 29 08:58:05 webhost clamd[997]: Limits: PCREMatchLimit limit set to 10000.
    Dec 29 08:58:05 webhost clamd[997]: Limits: PCRERecMatchLimit limit set to 5000.
    Dec 29 08:58:05 webhost clamd[997]: Limits: PCREMaxFileSize limit set to 26214400.
    Dec 29 08:58:05 webhost clamd[997]: Archive support enabled.
    Dec 29 08:58:05 webhost clamd[997]: Algorithmic detection enabled.
    Dec 29 08:58:05 webhost clamd[997]: Portable Executable support enabled.
    Dec 29 08:58:05 webhost clamd[997]: ELF support enabled.
    Dec 29 08:58:05 webhost clamd[997]: Mail files support enabled.
    Dec 29 08:58:05 webhost clamd[997]: OLE2 support enabled.
    Dec 29 08:58:05 webhost clamd[997]: PDF support enabled.
    Dec 29 08:58:05 webhost clamd[997]: SWF support enabled.
    Dec 29 08:58:05 webhost clamd[997]: HTML support enabled.
    Dec 29 08:58:05 webhost clamd[997]: XMLDOCS support enabled.
    Dec 29 08:58:05 webhost clamd[997]: HWP3 support enabled.
    Dec 29 08:58:05 webhost clamd[997]: Self checking every 600 seconds.

    Yet I also still see
    Dec 29 08:58:58 webhost amavis[2831]: (02831-01) (!)connect to /var/run/clamav/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.sock: No such file or directory
    Dec 29 08:58:59 webhost amavis[2831]: (02831-01) (!)connect to /var/run/clamav/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.sock: No such file or directory
    Dec 29 08:58:59 webhost amavis[2831]: (02831-01) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.sock, retrying (2)
    Dec 29 08:59:05 webhost amavis[2831]: (02831-01) (!)connect to /var/run/clamav/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.sock: No such file or directory
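    The two log excerpts in the post above name different socket paths: clamd reports "Unix socket file /var/run/clamd.amavisd/clamd.sock", while amavis tries /var/run/clamav/clamd.sock. The following check is an added example, not from the thread or from ISPConfig: it extracts both paths from those lines (embedded here as constructed input), reports whether they agree, and whether a socket actually exists at each; the /var/log/maillog path in the comment is an assumption.

```shell
#!/bin/sh
# Added diagnostic, not part of the thread: do clamd and amavis agree on the
# clamd socket path? The two sample lines below are copied from the logs
# quoted in the thread and embedded here as constructed input.
CLAMD_LOG='Dec 29 08:58:05 webhost clamd[997]: LOCAL: Unix socket file /var/run/clamd.amavisd/clamd.sock'
AMAVIS_LOG="Dec 29 08:58:58 webhost amavis[2831]: (02831-01) (!)connect to /var/run/clamav/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.sock: No such file or directory"

# Socket clamd bound at startup: the word after "Unix socket file".
clamd_socket() {
    printf '%s\n' "$1" | sed -n 's/.*Unix socket file \([^ ]*\).*/\1/p'
}

# Socket amavis tried to reach: the word between "connect to " and " failed".
amavis_socket() {
    printf '%s\n' "$1" | sed -n 's/.*connect to \([^ ]*\) failed.*/\1/p'
}

# Returns 0 when both sides name the same path, 1 otherwise.
sockets_match() {
    [ "$(clamd_socket "$1")" = "$(amavis_socket "$2")" ]
}

# "present" when a unix socket really exists at the path, else "missing".
socket_state() {
    if [ -S "$1" ]; then echo present; else echo missing; fi
}

# Print a verdict; always returns 0 so it is safe under sh -e.
report() {
    c=$(clamd_socket "$1"); a=$(amavis_socket "$2")
    echo "clamd listens on  : $c ($(socket_state "$c"))"
    echo "amavis connects to: $a ($(socket_state "$a"))"
    if sockets_match "$1" "$2"; then
        echo "paths agree; look elsewhere (clamd crashing, permissions, memory)"
    else
        echo "MISMATCH: make the amavis and clamd configs name the same socket"
    fi
}

# On a live server replace the two constants with lines grepped from the
# mail log, e.g. grep 'Unix socket file' /var/log/maillog | tail -1
# (log path assumed, not taken from the thread).
report "$CLAMD_LOG" "$AMAVIS_LOG"
```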
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Please run:

    killall clamd

    to kill the clamd process. Then restart clamd. (clamav and clamd mean the same program: the software is ClamAV and clamd is the name of the ClamAV daemon process.)

    If it does not work afterwards, then please run:

    ls -la /var/run/clamav/
     
  9. RobPatton

    RobPatton Member

    [root@webhost ~]# killall clamd
    [root@webhost ~]# systemctl restart clamd
    Failed to restart clamd.service: Unit not found.
    [root@webhost ~]# ls -la /var/run/clamav/
    ls: cannot access /var/run/clamav/: No such file or directory
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Please check how the clamd service is named on your system by looking into the /etc/init.d directory, there should be a file with *clam* in its name (not freshclam).
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

  12. RobPatton

    RobPatton Member

    [root@webhost init.d]# ls -l
    total 52
    -rwx------ 1 root root 3265 Aug 21 00:09 bastille-firewall
    -rwx------ 1 root root 3265 May 19 2016 bastille-firewall.backup
    lrwxrwxrwx 1 root root 28 Jul 28 15:14 collector -> /opt/SumoCollector/collector
    -rwxr-xr-x 1 root root 7682 Nov 21 14:15 datadog-agent
    -rw-r--r-- 1 root root 15131 Sep 12 06:47 functions
    -rwxr-xr-x 1 root root 2989 Sep 12 06:47 netconsole
    -rwxr-xr-x 1 root root 6643 Sep 12 06:47 network
    -rw-r--r-- 1 root root 1160 Nov 21 20:27 README
    -rwx------ 1 root root 1028 Jul 6 10:56 splunk
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so there is no init file, in this case it is probably a systemd service. Run this command to search for the exact name:

    systemctl list-unit-files | grep clam
     
  14. RobPatton

    RobPatton Member

  15. RobPatton

    RobPatton Member

  16. RobPatton

    RobPatton Member

    And that worked for about 2 emails, then I get the errors again, though

    [root@webhost log]# systemctl list-unit-files | grep clam
    [email protected] static
    [email protected] enabled
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    If it worked after you ran "systemctl restart [email protected]", then you should check the clamav log and the syslog of your server for errors why clamav is failing. Maybe it does not have enough memory or a similar issue.
     
  18. RobPatton

    RobPatton Member

    I went down that path and I can't find a clamav.log anywhere and I don't see anything on my syslog server. How do I tell where it's logging to?
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

  20. RobPatton

    RobPatton Member

    [root@webhost /]# find -name clamd.conf
    ./usr/share/doc/clamav-server-0.99.2/clamd.conf
    ./usr/share/clamav/template/clamd.conf

    I guess it's the 2nd one?
    Logging was commented out. Changed and restarted.
    LogFile /var/log/clamd.<SERVICE>
     
