diff --git a/05-troubleshooting/security/freshclam-logwatch-false-no-updates.md b/05-troubleshooting/security/freshclam-logwatch-false-no-updates.md new file mode 100644 index 0000000..86fb4f0 --- /dev/null +++ b/05-troubleshooting/security/freshclam-logwatch-false-no-updates.md 
@@ -0,0 +1,69 @@ +--- +title: "Logwatch Falsely Reports 'No freshclam updates' in ClamAV Daemon Mode" +domain: troubleshooting +category: security +tags: [clamav, freshclam, logwatch, false-positive, fedora, ubuntu, ansible] +status: published +created: 2026-06-06 +updated: 2026-06-06 +--- +# Logwatch Falsely Reports "No freshclam updates" in ClamAV Daemon Mode + +Logwatch's daily `clam-update` section emails: + +> No updates detected in the log for the freshclam daemon (the ClamAV update process). If the freshclam daemon is not running, you may need to restart it. + +…even though freshclam **is** running and signatures **are** current. It's a parser quirk specific to running freshclam as a daemon. Don't act on the "restart it" suggestion — first confirm whether signatures are actually stale. + +> Seen on **tttpod** (2026-06-06). All four freshclam hosts (majorlinux, majortoot-hetzner, teelia, tttpod) hit this on quiet days. + +## First: is it real or false? + +```bash +systemctl is-active clamav-freshclam # active? +ls -l /var/lib/clamav/daily.c[lv]d # mtime today/yesterday? +grep 'updated' /var/log/clamav/freshclam.log | tail # real download events +``` + +- **Fresh `daily.cld` + active service → false positive** (this page). +- **`daily.cld` weeks old / service disabled → real.** Re-enable freshclam and update (see Related). A daemonless box still needs freshclam enabled — `clamav_use_daemon: false` only disables the *scanner* daemon, not the updater. + +## Why It False-Alarms + +logwatch's `clam-update` script (`/usr/share/logwatch/scripts/services/clam-update`) decides "updated" by counting **`ClamAV update process started`** lines (`$UpdatedNum`) within its range (`Range = yesterday`). It does **not** count the actual `daily.cld updated (version: …)` download lines. + +freshclam emits "update process started" **only when the daemon (re)starts** — not on its periodic in-daemon checks (`Checks 24`, `ExecStart=/usr/bin/freshclam -d`). 
So on any day the box doesn't reboot or restart freshclam, yesterday's log has zero "started" lines → `$UpdatedNum == 0` → the warning fires, regardless of whether signatures downloaded. (Conversely, on a day you *do* reboot, the warning won't fire.) The script was written for the old cron-driven freshclam, which started a fresh process each run. + +## Fix + +Silence just that one message — real `ERROR` / `WARNING` / outdated alerts still report: + +```bash +# /etc/logwatch/conf/services/clam-update.conf +$ignore_no_updates = 1 +``` + +No service restart needed; logwatch picks it up on its next daily run. (The variable is read as `$ENV{'ignore_no_updates'}` by the script — note: **not** prefixed `clam_update_`, despite what the script's own self-help text suggests.) + +## Codify (Ansible) + +Deploy the drop-in wherever freshclam runs in daemon mode. On the fleet it's a task in `configure_clamav.yml` (group `clamav`), right after freshclam is enabled — MajorAnsible commit `cb27c93`: + +```yaml +- name: Suppress logwatch clam-update false "no updates" alert (daemon-mode freshclam) + ansible.builtin.copy: + dest: /etc/logwatch/conf/services/clam-update.conf + mode: '0644' + content: | + $ignore_no_updates = 1 + tags: [logwatch] +``` + +## Key Notes + +- **Confirm freshness before suppressing.** If signatures really are stale (freshclam off / no update timer), suppressing hides a genuine security gap. On a daemonless host that disabled freshclam, the warning is *true*. +- The script's built-in options B/C (about syslog format) don't apply when freshclam logs to its own file (`LogSyslog false`); `$ignore_no_updates` is the right lever. + +## Related + +- [ClamAV CPU Spike: Safe Scheduling with nice/ionice](clamscan-cpu-spike-nice-ionice.md) diff --git a/SUMMARY.md b/SUMMARY.md index 56f4c5f..6adf3aa 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -116,6 +116,7 @@ updated: 2026-05-15T09:00 * [macOS: Repeating Alert Tone from Mirrored iPhone Notification](05-troubleshooting/macos-mirrored-notification-alert-loop.md) * [OBS Studio: Stale Script Paths After Windows Profile Rename](05-troubleshooting/obs-stale-script-paths-after-windows-profile-rename.md) * [ClamAV CPU Spike: Safe Scheduling with nice/ionice](05-troubleshooting/security/clamscan-cpu-spike-nice-ionice.md) + * [Logwatch Falsely Reports 'No freshclam updates' in ClamAV Daemon Mode](05-troubleshooting/security/freshclam-logwatch-false-no-updates.md) * [Fedora CA Bundle Missing Symlink — TLS Breaks Fleet-Wide](05-troubleshooting/security/fedora-ca-bundle-missing-symlink.md) * [Netdata apps-group FD-utilisation false 100% (silenced fleet-wide)](05-troubleshooting/security/netdata-apps-fds-group-false-positive.md) * [Ansible: Vault Password File Not Found](05-troubleshooting/ansible-vault-password-file-missing.md)
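Review bot: In the new file hunk (freshclam-logwatch-false-no-updates.md), the Ansible task under "Codify (Ansible)" has no guard, yet the surrounding text says to deploy it only "wherever freshclam runs in daemon mode" and the Key Notes warn that on a daemonless host with freshclam disabled the warning is true. Since the task sits in `configure_clamav.yml` for the whole `clamav` group, add a `when:` tied to the condition that actually enables freshclam in that play (or the inverse of whatever disables it), so the drop-in is not shipped to hosts where the alert is genuine. Two smaller points in the same hunk: the `$ignore_no_updates = 1` snippet is fenced as `bash` although it is a logwatch/Perl-style config assignment, so a `perl` or `text` tag would avoid a reader pasting it into a shell; and because the text itself notes the variable name disagrees with the script's own self-help output, it would help to include the one-line check that confirms the name on the installed version, e.g. `grep -n ignore_no_updates /usr/share/logwatch/scripts/services/clam-update`, next to the `$ENV{'ignore_no_updates'}` remark.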
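Review bot: In the SUMMARY.md hunk, the new entry quotes the title as 'No freshclam updates' (single quotes) while the page's H1 uses "No freshclam updates" (double quotes); the entry should match the page heading (the front-matter `title:` also uses single quotes, so pick one form and use it in all three places). The hunk header shows SUMMARY.md carries an `updated: 2026-05-15T09:00` field that this change does not bump even though it adds an entry dated 2026-06-06; if that field is meant to track edits to the index, update it in the same commit.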