Configuring logging in ICAP mode
5 March 2024
ID 179896
This section explains how to manually configure logging in ICAP mode without using Kaspersky Scan Engine GUI.
In ICAP mode, Kaspersky Scan Engine can log its activity. Logging settings are specified in the icapdkavlog.conf configuration file (hereinafter referred to as the logging configuration file), located in the /opt/kaspersky/ScanEngine/bin directory.
You can change the logging settings after the kavicapd service is started.
See also the detailed instructions on enabling logging.
Elements of the logging configuration file
Logging — The root element of the file. This element has two child elements: DebugLogging and SyslogLogging.
DebugLogging Section
DebugLogging is a parent element that contains settings for logs that are written directly to log files and can help identify service malfunctions. This element has the following child elements.
Level — Specifies the logging level. Possible values:
- none or non
Logging is disabled.
- debug or dbg
Debug level. At this logging level, Kaspersky Scan Engine logs information that can help identify problems, such as changes in the state of a proxy server connection or return values of Kaspersky Scan Engine functions.
If you enable the debug level of logging, consider that the log messages will contain sensitive data, so restrict access to the log directory and return the level to none once troubleshooting is finished.
The default value is none.
Target — The parent element for parameters that specify where logs must be written.
File — Indicates that logs are written directly to log files. It also specifies the properties of log files. This element has the following attributes:
size_limit — Specifies the maximum possible size of a log file, in megabytes (MB). If the value of this attribute is 0, the log file has no size limit. The default value is 0.
folder — Specifies the directory where log files are stored. The path can be absolute or relative. A relative path is resolved relative to the directory that holds the kavicapd executable file. The default value is ./logs.
clear_folder — Specifies whether Kaspersky Scan Engine must delete old logs on initialization. Kaspersky Scan Engine deletes old log files only if the value of this parameter is 1, yes, true, on, or enabled. If the value of this parameter is 0, no, false, off, or disabled, Kaspersky Scan Engine does not delete old log files. Note that Kaspersky Scan Engine checks this parameter and deletes logs only at the time the service starts: if you set the value to 1, yes, true, on, or enabled while the service is already running, log files are not deleted until the service is restarted. The default value is 0.
Generated log files are named as follows: icapdkav_<pid>_<date_time>_<log_number>.log, where <pid> is the PID of the process, <date_time> is the local system date and time in the YYYY-MM-DDhhmmss format, and <log_number> is the sequence number of the log (this suffix is appended to the file name only if the icapdkav_<pid>_<date_time>.log log file already exists).
SyslogLogging Section
SyslogLogging is a parent element that contains settings for logs that are redirected to syslogd. This element has the following child elements:
SyslogEnabled — Specifies whether Kaspersky Scan Engine sends syslog messages. Possible values:
- 0, false, no, off, or disabled
Disables sending of syslog messages.
- Any other value
Enables sending of syslog messages.
If you enable sending of syslog messages, consider that these messages will contain sensitive data, such as personal data as defined by GDPR, configuration data of the product, and licensing information. Messages sent to a tcp:// or udp:// destination are not encrypted by this configuration, so send them to a collector on a trusted network segment or to the local syslog daemon and let it forward them securely.
Syslog — Specifies settings related to syslog messages. This element has the following attributes:
destination — Specifies the destination for syslog messages. The following destinations are possible:
- IP address. In this case, specify the %PROTOCOL%%IP%:%PORT% value, where %PROTOCOL% is a network protocol (use tcp:// or udp:// for this value), %IP% is the IPv4 address that receives syslog messages, and %PORT% is the port that receives syslog messages. If you do not specify a protocol as described above, KAV SDK will use the UDP protocol.
- Syslog daemon. In this case, specify the localhost value to redirect syslog messages to a syslog daemon.
- Log file. In this case, specify the path to the directory where the log file will be created. The path must begin with /var/log/kaspersky. The log file with syslog messages created by previous sessions is not removed, and the ICAP plug-in appends new information to this file.
If it is necessary to write logs to different locations, you can specify several Syslog elements. In this case, the destination attribute values of these elements must differ.
format — Specifies the format of syslog messages. Possible values:
- cef
Specifies the CEF format of syslog messages.
- raw
Specifies the RAW format of syslog messages. The raw value is used when the value of this attribute is neither cef nor raw, when the attribute is empty, or when the Syslog element has no format attribute at all.
Syslog may have the following child element:
LoggedEvent — Specifies events to be logged. It is allowed to specify multiple LoggedEvent values. Each of these values sets the type of event that will be logged to the location specified in the destination attribute. Possible values:
- Audit — Specifies system audit events.
- Init — Specifies service initialization events.
- Deinit — Specifies service deinitialization events and watchdog events.
- Update — Specifies antivirus database update and reload events.
- License — Specifies license-related events.
- Engine — Specifies antivirus engine events. These events may be published frequently.
- ScanResultClean — Specifies scan completion events when the scanned object is considered clean.
- ScanResultDetect — Specifies scan completion events when a threat was detected.
- ScanResultOther — Specifies scan completion events when the object was not scanned.
If the Syslog element does not contain the LoggedEvent child element, all ICAP events are logged. If the Syslog settings are incorrect, logging to the specified destination is disabled. Because an invalid destination disables logging to it rather than preventing the service from starting, verify that events actually arrive at each destination after you change this file.
When syslog logging is enabled, system audit is enabled as well. If none of the Syslog elements contains a LoggedEvent with the Audit value, the system audit settings are set to their defaults: SyslogFormat is set to raw, SyslogTarget is set to localhost, and SyslogEvents is set to audit, that is, audit events are sent in the RAW format to the local syslog daemon.
Kaspersky Scan Engine can write debug logs and send syslog messages at the same time or separately.
Structure of the logging configuration file
Following is an example of a logging configuration file:
<?xml version="1.0"?>
<Logging>
  <DebugLogging>
    <Level>debug</Level>
    <File size_limit="10" folder="./logs/scanevents" clear_folder="1"/>
  </DebugLogging>
  <SyslogLogging>
    <SyslogEnabled>1</SyslogEnabled>
    <!-- No port is given here; the documented form for an IP destination is tcp:// or udp:// followed by IPv4:port -->
    <Syslog destination="udp://192.168.1.1" format="cef">
      <LoggedEvent>ScanResultClean</LoggedEvent>
      <LoggedEvent>ScanResultDetect</LoggedEvent>
    </Syslog>
    <Syslog destination="localhost" format="raw">
      <LoggedEvent>ScanResultOther</LoggedEvent>
    </Syslog>
    <!-- A log file destination must begin with /var/log/kaspersky (see the destination attribute above) -->
    <Syslog destination="/opt/kav/sdk8l3/logs" format="raw">
      <LoggedEvent>Audit</LoggedEvent>
      <LoggedEvent>Engine</LoggedEvent>
    </Syslog>
  </SyslogLogging>
</Logging>
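Because an incorrect destination silently disables logging to it, it pays to check a logging configuration file before restarting the service with it. The following validator is an added example, not Kaspersky code: it applies the rules documented on this page (the Level and clear_folder values, the three destination forms with the UDP default, the raw fallback for format, the LoggedEvent names, and the implicit audit destination) to a constructed configuration and reports what the service would actually apply. The 192.0.2.10 address and the /opt/kav/logs path are assumptions made for the example; File is accepted both under Target, as described, and directly under DebugLogging, as in the sample above.

```python
"""Validate an icapdkavlog.conf file against the rules described on this page.
Added example, not Kaspersky code; the sample config and 192.0.2.x addresses
are constructed for illustration."""
import ipaddress
import re
import xml.etree.ElementTree as ET

TRUE_VALUES = {"1", "yes", "true", "on", "enabled"}
FALSE_VALUES = {"0", "no", "false", "off", "disabled"}
EVENTS = {"Audit", "Init", "Deinit", "Update", "License", "Engine",
          "ScanResultClean", "ScanResultDetect", "ScanResultOther"}
FILE_PREFIX = "/var/log/kaspersky"
# [tcp://|udp://]IPv4:port; without a protocol prefix the service uses UDP
NET_DEST = re.compile(r"^(?:(tcp|udp)://)?([0-9.]+):([0-9]{1,5})$")


def parse_destination(dest):
    """Classify a destination as ('syslogd'|'network'|'file', normalised form); ValueError otherwise."""
    if dest == "localhost":
        return "syslogd", "localhost"
    m = NET_DEST.match(dest)
    if m:
        ip = ipaddress.IPv4Address(m.group(2))  # ValueError on a malformed address
        port = int(m.group(3))
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {dest!r}")
        return "network", f"{m.group(1) or 'udp'}://{ip}:{port}"
    if dest.startswith(FILE_PREFIX):
        return "file", dest
    raise ValueError(f"{dest!r} is not localhost, [tcp://|udp://]IPv4:port "
                     f"or a path under {FILE_PREFIX}")


def validate(xml_text):
    """Return (findings, effective): problems as text, plus the settings applied after the fallbacks."""
    findings, eff = [], {"debug_level": "none", "syslog_enabled": False, "syslog": []}
    root = ET.fromstring(xml_text)
    dbg = root.find("DebugLogging")
    if dbg is not None:
        level = (dbg.findtext("Level") or "none").strip().lower()
        if level in ("debug", "dbg"):
            eff["debug_level"] = "debug"
            findings.append("WARNING: debug logging enabled; log files will contain sensitive data")
        elif level not in ("none", "non"):
            findings.append(f"unknown Level {level!r}; valid: none, non, debug, dbg")
        # The text places File under Target; the page's sample puts it directly under DebugLogging.
        f = dbg.find("Target/File") if dbg.find("Target/File") is not None else dbg.find("File")
        if f is not None:
            size, clear = f.get("size_limit", "0"), f.get("clear_folder", "0").lower()
            if not size.isdigit():
                findings.append(f"size_limit must be a non-negative integer (MB), got {size!r}")
            if clear not in TRUE_VALUES | FALSE_VALUES:
                findings.append(f"clear_folder value {clear!r} is not a documented truth value")
            eff["debug_file"] = {"size_limit_mb": int(size) if size.isdigit() else 0,
                                 "folder": f.get("folder", "./logs"),
                                 "clear_folder": clear in TRUE_VALUES}  # applied at start only
    sl = root.find("SyslogLogging")
    if sl is not None:
        enabled = (sl.findtext("SyslogEnabled") or "0").strip().lower()
        eff["syslog_enabled"] = enabled not in FALSE_VALUES  # any other value enables
        seen, audit_logged = set(), False
        for s in sl.findall("Syslog"):
            try:
                kind, norm = parse_destination(s.get("destination", ""))
            except ValueError as err:
                findings.append(f"destination rejected, logging to it is disabled: {err}")
                continue
            if norm in seen:
                findings.append(f"duplicate destination {norm!r}; destinations must differ")
            seen.add(norm)
            fmt = s.get("format")
            if fmt not in ("cef", "raw"):
                if fmt is not None:
                    findings.append(f"format {fmt!r} is neither cef nor raw; raw will be used")
                fmt = "raw"
            listed = [e.text.strip() for e in s.findall("LoggedEvent") if e.text]
            findings += [f"unknown LoggedEvent {e!r} for {norm}" for e in listed if e not in EVENTS]
            # No LoggedEvent at all means every ICAP event goes to this destination.
            events = [e for e in listed if e in EVENTS] if listed else sorted(EVENTS)
            audit_logged = audit_logged or "Audit" in events
            eff["syslog"].append({"kind": kind, "destination": norm, "format": fmt, "events": events})
        if eff["syslog_enabled"] and not audit_logged:
            # Audit is always on with syslog; defaults are SyslogFormat=raw, SyslogTarget=localhost.
            eff["syslog"].append({"kind": "syslogd", "destination": "localhost", "format": "raw",
                                  "events": ["Audit"], "implicit": True})
    return findings, eff


# Constructed sample that trips several of the documented rules on purpose.
SAMPLE_CONF = """<?xml version="1.0"?><Logging>
  <DebugLogging><Level>dbg</Level>
    <File size_limit="10" folder="./logs" clear_folder="yes"/></DebugLogging>
  <SyslogLogging><SyslogEnabled>1</SyslogEnabled>
    <Syslog destination="192.0.2.10:514" format="cef">
      <LoggedEvent>ScanResultDetect</LoggedEvent><LoggedEvent>Bogus</LoggedEvent></Syslog>
    <Syslog destination="udp://192.0.2.10:514" format="json"><LoggedEvent>Engine</LoggedEvent></Syslog>
    <Syslog destination="/opt/kav/logs" format="raw"><LoggedEvent>Audit</LoggedEvent></Syslog>
  </SyslogLogging></Logging>"""
```

Run validate() on the contents of /opt/kaspersky/ScanEngine/bin/icapdkavlog.conf before restarting kavicapd. On the constructed sample it reports the debug level warning, the unknown Bogus event, the duplicate destination (192.0.2.10:514 with and without the udp:// prefix normalise to the same target), the unsupported json format, and the rejected /opt/kav/logs path, and because the only Syslog element that listed Audit was rejected, the effective settings gain the implicit localhost audit destination.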