Andrew Tobey's questions

I am doing some powershell stuff to parse a few logs at work. I would also like to collect some information from the SCEP logs. I find the amount of logs available as well as the different locations in which they are stored a bit overwhelming to say the least.

I would like to extract the logs reporting that a potential virus was found in both the live and the "regular scanner.

A similiar question has already been answered here: Reporting SCEP update and scan

I have eicar for testing purposes here. So how would I imitate a potential positive finding in both scanners so that I can figure out to which file the scanners log to?

Thanks in advance

Andrew

i have just set up an (r)syslog server to receive the logs of various clients, which works fine.

only logrotate is still not behaving as intending. i want logrotate to create a new logfile for each day, but only to keep and store i.e. compress non-empty files.

my logrotate config looks currently like this

# sample configuration for logrotate being a remote server for multiple clients
/var/log/syslog
{
rotate 3
daily
missingok
notifempty
delaycompress
compress
dateext
nomail
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
# local i.e. the system's very own logs: keep logs for a whole month
/var/log/kern.log
/var/log/kernel-info
/var/log/auth.log
/var/log/auth-info
/var/log/cron.log
/var/log/cron-info
/var/log/daemon.log
/var/log/daemon-info
/var/log/mail.log
/var/log/rsyslog
/var/log/rsyslog-info
{
rotate 31
daily
missingok
notifempty
delaycompress
compress
dateext
nomail
sharedscripts
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
# received i.e. logs from the clients
/var/log/path-to-logs/*/*
{
rotate 31
daily
missingok
notifempty
delaycompress
compress
dateext
nomail
}

what i end up with is having is some sort of "summarized" files such as filename-datestampDay-Day and corresponding .gz files. What I do have are empty files, which are eventually zipped.

so does the notifempty directive is in fact responsible for these DayX-DayY files, days on which really nothing happened?

what would be an efficient way to drop both, empty log files and their .gz files, so that I eventually only keep logs/compressed files that truly contain data?

doing a fdisk -l is a quite convenient command, but how to make fidsk print the partition size in a unit such as MB or GB?

I am in the middle of configuring a (r)syslog server as a remote server that receives logs from various clients.

I wonder whether there is a nicer way to dynamically generate multiple file names as opposed to create a template for any facility.priority whose filename should be created dynamically.

$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
kern.*                          ?FILENAME

besides that, do I have to explicitly tell the services/daemons to use TCP in order to use logging via TCP with (r)syslogd? Like when I turn off the server's ability to receive UDP packets, it stopps logging anything. Or differently put:

kern.*                           @loghost 

doesn't work.