Configuring logging in ICAP mode

This section explains how to manually configure logging in ICAP mode without using Kaspersky Scan Engine GUI.

In ICAP mode, Kaspersky Scan Engine can log its activity. Logging settings are specified in the icapdkavlog.conf configuration file (hereinafter referred to as the logging configuration file), located in the /opt/kaspersky/ScanEngine/bin directory.

You can change the logging settings after the kavicapd service is started.

See also the detailed instructions on enabling logging.

Elements of the logging configuration file

Logging—The root element of the file. This element has two child elements: DebugLogging and SyslogLogging.

DebugLogging Section

• DebugLogging is a parent element that contains setting for logs that are written directly to the log files and can help identify service malfunctions.

  This element has the following child elements.

• Level—Specifies the logging level.

  Possible values:

  • none or non

    Logging is disabled.

  • debug or dbg

    Debug level. At this logging level, Kaspersky Scan Engine logs information that can help identify problems, such as changes in the state of a proxy server connection or return values of Kaspersky Scan Engine functions.

  If you enable the debug level of logging, consider that the log messages will contain sensitive data.

  The default value is none.

• Target—The parent element for parameters that specify where logs must be written.
• File—Indicates that logs are written directly to log files. It also specifies the properties of log files.

  This element has the following attributes:

  • size_limit—Specifies the maximum possible size of a log file, in megabytes (MB).

    If the value of this attribute is 0, the log file has no size limit.

    The default value is 0.

  • folder—Specifies the directory where log files are stored.

    The path can be absolute or relative. The relative path is specified relative to the directory that holds the kavicapd executable file.

    The default value is ./logs.

  • clear_folder—Specifies whether Kaspersky Scan Engine must delete old logs on initialization.

    Kaspersky Scan Engine deletes old log files only if the value of this parameter is 1, yes, true, on, or enabled. If the value of this parameter is 0, no, false, off, or disabled, Kaspersky Scan Engine does not delete old log files. Notice that Kaspersky Scan Engine checks this parameter and deletes logs at the time the service starts. If the value of this parameter is set to 1, yes, true, on, or enabled when the service is already running, log files are not deleted until the service is restarted.

    The default value is 0.

  Generated log files are named as follows: icapdkav_<pid>_<date_time>_<log_number>.log, where <pid> is the PID of the process, <date_time> is local system date in the YYYY-MM-DDhhmmss format, and <log_number> is the number of the log (this parameter is appended to the file name only if the icapdkav_<pid>_<date_time>.log log file already exists).

SyslogLogging Section

• SyslogLogging is a parent element that contains setting for logs that are redirected to syslogd.

  This element has the following child elements:

  • SyslogEnabled—Specifies whether Kaspersky Scan Engine sends syslog messages.

    Possible values:

    • 0, false, no, off, or disabled

      Disables sending of syslog messages.

    • Any other value

      Enables sending of syslog messages.

    If you enable sending syslog messages, consider that these messages will contain sensitive data, such as personal data as defined by GDPR, configuration data of the product, and licensing information.

  • Syslog specifies settings related to syslog messages.

    This element has the following attributes:

    • destination—Specifies the destination for syslog messages.

      The following destinations are possible:

      • IP address. In this case, specify the %PROTOCOL%%IP%:%PORT% value, where %PROTOCOL% is a network protocol (use tcp:// or udp:// for this value), %IP% is an IPv4 address that receives syslog messages, %PORT% is a port that receives syslog messages. If you do not specify a protocol as described above, KAV SDK will use the UDP protocol.
      • Syslog daemon. In this case, specify the localhost value to redirect syslog messages to a syslog daemon.
      • Log file. In this case, specify the path to the directory where the log file will be created. The path must begin with /var/log/kaspersky. The log file with syslog messages created by previous sessions is not removed and the ICAP plug-in appends new information to this file.

      If it is necessary to write logs into the different locations, you can specify several Syslog elements. In this case, the destination attribute values of these elements must vary.

    • format—Specifies the format of syslog messages.

      Possible values:

      • cef—Specifies the CEF format of syslog messages.
      • raw—Specifies the RAW format of syslog messages. The raw value is used when the value specified in this element is not cef or raw, or no value is specified in this element, or if the logging configuration file does not contain the SyslogFormat parameter.

    Syslog may have the following child element:

    • LoggedEvent—Specifies events to be logged.

      It is allowed to specify multiple LoggedEvent values. Each of these values sets the type of event that will be logged into the location specified in the destination attribute.

      Possible values:

      • Audit—Specifies system audit events.
      • Init—Specifies service initialization events.
      • Deinit—Specifies service deinitialization events and watchdog events.
      • Update—Specifies antivirus database update and reload events.
      • License—Specifies license-related events.
      • Engine—Specifies antivirus engine events. These events may be published frequently.
      • ScanResultClean—Specifies scan completion events when scanned object considered clean.
      • ScanResultDetect—Specifies scan completion events when threat was detected.
      • ScanResultOther—Specifies scan completion events when object was not scanned.

      If the Syslog element does not contain the LoggedEvent child element, all the ICAP events logged.

      If the Syslog settings are incorrect, logging to the specified destination will be disabled.

      When syslog logging is enabled, system audit is enabled as well. If none of the SyslogEvents elements contains the Audit event, system audit settings are set as follows: SyslogFormat is set to raw, SyslogTarget is set to localhost, and SyslogEvents is set to audit.

Kaspersky Scan Engine can write debug logs and send syslog messages at the same time or separately.

Structure of the logging configuration file

Following is an example of a logging configuration file:

<?xml version="1.0"?> <Logging> <DebugLogging> <Level>debug</Level> <File size_limit="10" folder="./logs/scanevents" clear_folder="1"/> </DebugLogging> <SyslogLogging> <SyslogEnabled>1</SyslogEnabled> <Syslog destination="udp://192.168.1.1" format="cef"> <LoggedEvent>ScanResultClean</LoggedEvent> <LoggedEvent>ScanResultDetect</LoggedEvent> </Syslog> <Syslog destination="localhost" format="raw"> <LoggedEvent>ScanResultOther</LoggedEvent> </Syslog> <Syslog destination="/opt/kav/sdk8l3/logs" format="raw"> <LoggedEvent>Audit</LoggedEvent> <LoggedEvent>Engine</LoggedEvent> </Syslog> </SyslogLogging> </Logging>

Page top