Command-line options

In Linux, the Log Scanner utility is launched from the command line as follows:

./log_scanner [-h|--help] [-r|--report] [-c|--config] [[-p|--path]|[-s|--hash]|[-u|--url]|[-i|--ip]] [value]

In Windows, the Log Scanner utility is launched from the command line as follows:

log_scanner.exe [-h|--help] [-r|--report] [-c|--config] [[-p|--path]|[-s|--hash]|[-u|--url]|[-i|--ip]] [value]

The following table explains the command-line options.

Command-line options of Log Scanner

Option

Description

-h

--help

Prints the usage message to the screen.

If this option is specified, all other options are ignored.

-r

--report

If this option is specified, Feed Service will return the response to Log Scanner in the same socket in which the request was sent, and Log Scanner will save the result in a text file. The output file is named log_scanner_report%current_time%.txt, where %current_time% is the date and time (including seconds) of creation of the output file. The location of the output file is set in the OutputDir element of the Log Scanner configuration file.

If a URL, IP address, or hash is found in Kaspersky Threat Data Feeds, its category and context information is written to the output. After the entire input is processed, the following information is written to the output:

  • The number of requests sent to Feed Service
  • The number of detections received from Feed Service
  • The time taken to perform all of the checking

    If this option is not specified, Feed Service will generate output according to the settings specified in its configuration file. For more information, see section "Recommendations on using Log Scanner".

If this option is specified, make sure that the value of the enable attribute of the FinishedEventFormat element in the Feed Service configuration file is not false.

-c

--config

Path to the configuration file. It can be either an absolute or a relative path. A relative path is calculated relative to the directory from which you run Log Scanner.

By default, Log Scanner uses the log_scanner.conf configuration file that is placed in the directory from which you run Log Scanner.

-p

--path

Path to a directory or text file that contains URLs, IP addresses, and hashes to check against Kaspersky Threat Data Feeds. It can be an absolute or a relative path. A relative path is calculated relative to the directory that contains the Log Scanner binary file. If the path to a directory is specified, all files contained in it and all its all-level subdirectories are processed.

Each line of each processed file is sent to Feed Service as the data to be checked. No further formatting is applied. Feed Service will parse the lines by using the regular expressions set in its configuration file.

You can specify several paths; in this case, use the -p option before every path. For example:

./log_scanner -p log1.txt -p log2.txt

log_scanner.exe -p log1.txt -p log2.txt

-s

--hash

Hashes to be checked against Kaspersky Threat Data Feeds. They can be MD5 hashes, SHA1 hashes, or SHA256 hashes; Log Scanner determines the type of a hash on the basis of its length. If several hashes are specified, they must be separated by space symbols. For example:

./log_scanner -s A8315A5D4C8ACB982372C16B83BAEAAA -s A72C5B99F2706B00718279C9533A3648

log_scanner.exe -s A8315A5D4C8ACB982372C16B83BAEAAA -s A72C5B99F2706B00718279C9533A3648

-i

--ip

IP addresses to be checked against Kaspersky Threat Data Feeds. If several IP addresses are specified, they must be separated by space symbols. For example:

./log_scanner -i 15.54.33.54 -i 45.62.66.69

log_scanner.exe -i 15.54.33.54 -i 45.62.66.69

-u

--url

URLs to be checked against Kaspersky Threat Data Feeds. If several URLs are specified, they must be separated by space symbols. For example:

./log_scanner -u http://example.com/malware_test -u http://example.com/phishing_test

log_scanner.exe -u http://example.com/malware_test -u http://example.com/phishing_test

Do not use the -u option to check URLs that contain an ampersand (&). To check a URL that contains an ampersand, copy the URL to a text file and check the file by using the -p option, as described above.

If you specify none of the -p, -s, -u, or -i options, and specify only the value to check, this value will be treated as the path to the file or directory to be scanned.

The Log Scanner utility uses the current locale of the operating system.

Page top