McAfee VirusScan FTP Log
Database Reporting with Perl

This is just some easy Perl stuff that pulls info from FTP server logs on a Linux box and puts it into a DBF database. It uses DBI, so changing database backends is easy. Probably pretty portable, but may need to be adjusted for FTP log formats (used with vsftpd and wuftp logs so far).

Prerequisites

Perl Most Linux distributions come with it, though you may have to install the DBI and DBD::XBase modules.

vsftpd A very secure FTP server. Available as a package for Red Hat distributions since RHL9.

Distributables

mvs_reports-0.06.tgz The contents listed below in a convenient bundle.

All versions of the above convenient bundle.

Contents

mvs-log-db.pl Processes log files listed on the command line and inserts the McAfee VirusScan specific download information into the database. The database is located at '$HOME/mvs_reports/mvs_db/' and the table file is '$HOME/mvs_reports/mvs_db/mvslog.dbf'. This needs to be run on a regular basis (before the log files are rotated into /dev/null) and right before dumping or reporting. Duplicate log entries are recognized and not inserted into the database more than once.

mvs-dump-db.pl Dumps the database to the screen. For troubleshooting and to see what else can be reported.

mvs-report-db.pl Processes the data in the database and prints out the latest virus definition number for each unique machine and IP address combination. The "machine" comes directly from the password given for the anonymous connection, so 7.1 enterprise clients have to be configured to provide this info (or they give something useless: "anonymous@mcafeeb2b.com"). The 4.5.1 client gives "Administrator@MACHINENAME" or "SYSTEM@MACHINENAME" (everything up to and including the "@" is stripped by 'mvs-log-db.pl'), so those work out alright if the machine names are meaningful. Since this string is whatever the client chose to send as its anonymous password, treat it as untrusted input when it is stored and when 'mvs-web-db.pl' puts it into an HTML page.

mvs-web-db.pl Creates the web page for display of the database information. This is run by 'web-av'.

report-av Cron script for executing the log processing and reporting on a regular basis suitable for email.

web-av Cron script for executing the log processing and reporting on a regular basis to an HTML page. This may need to be modified so that the output HTML file goes into the correct location.

web-av.js A javascript file to make the HTML report display in a flexible manner. This goes in the HTML output file directory.

web-av.css A CSS file to make the HTML report display in a flexible manner. This goes in the HTML output file directory.
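
The parsing and reporting steps described above for 'mvs-log-db.pl' and 'mvs-report-db.pl', as an added illustration in Python (not the project's Perl, and not code from mvs_reports). It reads the wu-ftpd/vsftpd xferlog format (18 whitespace-separated fields), keeps only completed anonymous downloads of DAT packages, drops exact duplicate entries, strips the anonymous password down to the machine name, and reports the highest definition number per machine and IP. The DAT filename pattern ("dat-NNNN.zip" and "avvdat-NNNN.zip") and the sample log lines are assumptions constructed for the example.

```python
"""Pull McAfee DAT downloads out of an FTP xferlog and report the latest
definition number per (machine, IP).  Added illustration in Python, not the
project's Perl; the layout is the wu-ftpd / vsftpd xferlog_std_format=YES
format: 5 timestamp fields followed by 13 transfer fields."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Assumption: the local mirror serves "dat-NNNN.zip" (4.5.1 clients) and
# "avvdat-NNNN.zip" (VirusScan Enterprise 7.x); the four-digit number is
# the definition version the report cares about.
DAT_RE = re.compile(r"(?:^|/)(?:avv)?dat-(\d{4})\.zip$", re.IGNORECASE)

# Constructed sample log lines (not real traffic).  Line 2 duplicates line 1,
# line 5 is not a DAT package, and line 6 is an incomplete transfer ('i').
SAMPLE_XFERLOG = """\
Mon Dec 13 10:31:26 2004 1 192.168.1.10 1439245 /pub/mcafee/dat-4412.zip b _ o a Administrator@WS01 ftp 0 * c
Mon Dec 13 10:31:26 2004 1 192.168.1.10 1439245 /pub/mcafee/dat-4412.zip b _ o a Administrator@WS01 ftp 0 * c
Tue Dec 14 08:02:11 2004 2 192.168.1.10 1445120 /pub/mcafee/dat-4413.zip b _ o a SYSTEM@WS01 ftp 0 * c
Tue Dec 14 09:15:40 2004 1 192.168.1.22 1445120 /pub/mcafee/avvdat-4413.zip b _ o a anonymous@mcafeeb2b.com ftp 0 * c
Tue Dec 14 09:16:02 2004 1 192.168.1.22 811 /pub/mcafee/avvdat.ini a _ o a anonymous@mcafeeb2b.com ftp 0 * c
Wed Dec 15 07:55:19 2004 1 192.168.1.31 1445120 /pub/mcafee/dat-4413.zip b _ o a SYSTEM@LAPTOP7 ftp 0 * i
"""


class Transfer(NamedTuple):
    when: datetime
    ip: str
    machine: str
    dat: int


def machine_from_anon_password(password: str) -> str:
    """The page's rule: drop everything up to and including the first '@'.

    'Administrator@WS01' -> 'WS01'.  A password without '@' is kept as is.
    The result is client-supplied text; callers must treat it as untrusted.
    """
    return password.split("@", 1)[1] if "@" in password else password


def parse_xferlog_line(line: str) -> Optional[Transfer]:
    """Return a Transfer for a completed anonymous download of a DAT package,
    or None for anything else (uploads, non-DAT files, aborted transfers)."""
    fields = line.split()
    if len(fields) < 18:          # 5 timestamp fields + 13 transfer fields
        return None
    (_xfer_secs, host, _size, path, _xfer_type, _action, direction,
     access_mode, username, _service, _auth, _auth_uid, status) = fields[5:18]
    if direction != "o" or access_mode != "a" or status != "c":
        return None               # only completed anonymous downloads count
    m = DAT_RE.search(path)
    if m is None:
        return None               # not a DAT package (e.g. avvdat.ini)
    when = datetime.strptime(" ".join(fields[:5]), "%a %b %d %H:%M:%S %Y")
    return Transfer(when, host, machine_from_anon_password(username), int(m.group(1)))


def load_transfers(log_text: str) -> List[Transfer]:
    """Parse every line, skipping exact duplicates (a log re-read before rotation)."""
    seen = set()
    transfers: List[Transfer] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        t = parse_xferlog_line(line)
        if t is not None:
            transfers.append(t)
    return transfers


def latest_by_machine(transfers: List[Transfer]) -> Dict[Tuple[str, str], Tuple[int, datetime]]:
    """Highest DAT number seen for each (machine, ip), and when it was fetched."""
    latest: Dict[Tuple[str, str], Tuple[int, datetime]] = {}
    for t in transfers:
        key = (t.machine, t.ip)
        cur = latest.get(key)
        if cur is None or (t.dat, t.when) > cur:
            latest[key] = (t.dat, t.when)
    return latest


def format_report(latest: Dict[Tuple[str, str], Tuple[int, datetime]]) -> str:
    """Plain-text table in the spirit of mvs-report-db.pl.  Clients still
    sending the default 'anonymous@mcafeeb2b.com' show up as 'mcafeeb2b.com'."""
    rows = [f"{'machine':<18} {'ip':<16} {'dat':<5} last download"]
    for (machine, ip), (dat, when) in sorted(latest.items()):
        rows.append(f"{machine:<18} {ip:<16} {dat:<5} {when:%Y-%m-%d %H:%M}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(latest_by_machine(load_transfers(SAMPLE_XFERLOG))))
```

The example covers only the xferlog format; vsftpd's own vsftpd.log format records the anonymous password on the LOGIN line rather than on the DOWNLOAD line, so a parser for that format has to correlate the two. Dropping the incomplete transfer matters for this report: a client whose download was cut off has not updated, and crediting it with the new definition number would hide exactly the machines you want to find.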

Run As An Unprivileged User
To run this process as an unprivileged user (instead of 'root'), which I do recommend, you will have to change group membership and permissions on the FTP daemon log files:
chgrp myuser /var/log/vsftpd.log* /var/log/xferlog*
chmod g+r /var/log/vsftpd.log* /var/log/xferlog*
and make sure logrotate maintains the correct ownership and permissions when it rotates the logs by adding this line into the /etc/logrotate.d/vsftpd.log configuration file:
create 0640 root myuser
between the braces of the stanza for /var/log/xferlog or /var/log/vsftpd.log [1], so that it reads:
/var/log/vsftpd.log {
    # existing directives stay as they are
    create 0640 root myuser
}
The 'create' directive only sets the mode and ownership of the new log file logrotate makes after each rotation, which is why the chgrp and chmod above are still needed for the files that already exist.
Miscellaneous Scripts

mvs-get-updates.sh Cron script for getting the latest virus definition files. Run every day, or whenever you want to check for new virus definition files (while refraining from overloading the vendor's FTP server). By pointing your antivirus clients at a local server, you can not only track which clients update, at what intervals, and their current status (using the above tools), but you can also save Internet bandwidth (more valuable to those with more clients and/or expensive Internet access).

mvs-update-notify.pl Perl program for discovering and notifying the admin that a new antivirus definition file has arrived. Called from 'mvs-get-updates.sh'.

mvs-rm-old-updates.sh Cron script for removing the larger virus definition files to save space on the FTP server. Run less frequently, weekly for example.

mvs-rsync-host.sh Script for replicating virus definition directory to another local FTP server, to distribute load or to unload WAN links. Called at regular intervals from cron (perhaps every hour), immediately after 'mvs-get-updates.sh', or from the command line. This can keep multiple local FTP update servers up to date, while only pulling updates from the vendors FTP server on one of them.


Notes
[1] In some distributions, wuftpd (Washington University FTP daemon) uses "xferlog" as its log file and vsftpd (Very Secure FTP daemon) uses "vsftpd.log" as its log file. The vsftpd package in some recent distributions (like Fedora Core 3) has used "xferlog" once again.

Troy Johnson www.jdmz.net