Guides

Logs

bucketAV stores logs in a centralized location using CloudWatch Logs. You can configure the retention period for logs via the LogsRetentionInDays configuration parameter.

Query logs

To query the logs:

  1. Visit the Amazon CloudWatch Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Logs Insights.
  4. Select the bucketAV logs log group (if you followed the docs, the name starts with bucketav-Logs-).
  5. Select a date range.
  6. Enter the following query:
fields @timestamp, @message
| filter (@logStream like "/var/log/messages" and @message like "bucketav[") or @logStream like "/journald/bucketav.service"
| sort @timestamp desc
  1. Click Run query.

Learn more about the CloudWatch Logs Insights query syntax or discover the following sample queries.

All bucketAV logs

fields @timestamp, @message
| filter (@logStream like "/var/log/messages" and @message like "bucketav[") or @logStream like "/journald/bucketav.service"
| sort @timestamp desc

All system logs

fields @timestamp, @message
| filter not ((@logStream like "/var/log/messages" and @message like "bucketav[") or @logStream like "/journald/bucketav.service")
| sort @timestamp desc

Get the 100 largest files scanned

fields @timestamp
| filter (@logStream like "/var/log/messages" or @logStream like "/journald/bucketav.service") and @message like "s3://" and @message like "[download="
| parse "s3://*/* * * [download=*,scan=*,size=*]" as bucket, key, version, msg, download, scan, size
| sort size desc
| limit 100

Get total file size scanned by bucket

fields @timestamp
| filter (@logStream like "/var/log/messages" or @logStream like "/journald/bucketav.service") and @message like "s3://" and @message like "[download="
| parse "s3://*/* * * [download=*,scan=*,size=*]" as bucket, key, version, msg, download, scan, size
| stats count() as files, sum(size) as total by bucket

Get all unscannable files

fields @timestamp, @message
| filter (@logStream like "/var/log/messages" or @logStream like "/journald/bucketav.service") and (@message like "could not be scanned because it is" or @message like "does no longer exist" or @message like "not downloadable" or @message like "access denied")
| sort @timestamp desc

Export logs for bucketAV support

Please send us your AWS account ID and region first: hello@bucketav.com. We respond with the S3 bucket name and bucket prefix with your upload token required for exporting logs.

  1. Visit the Amazon CloudWatch Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Log groups.
  4. Click on the bucketAV logs log group (if you followed the docs, the name starts with bucketav-Logs-).
  5. Choose Actions, Export data to Amazon S3.
  6. Set From and To.
  7. Select Another account.
  8. Set S3 bucket name to our S3 bucket (reach out to hello@bucketav.com).
  9. Set the S3 bucket prefix to your upload token (reach out to hello@bucketav.com).
  10. Click Export.

Remote access fallback

If no logs show up in CloudWatch Logs, you can connect to one of the bucketAV EC2 instances and run the following commands to get the logs:

Amazon Linux 2023

Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.21.0, bucketAV for Amazon S3 powered by Sophos® version >= 2.15.0, bucketAV for Cloudflare R2 powered by ClamAV® version >= 2.1.0, or bucketAV for Cloudflare R2 powered by Sophos® version >= 2.2.0.
To update to the latest version, follow the Update Guide.

sudo -i
journalctl -u bucketav.service

Amazon Linux 2

sudo -i
grep 'bucketav' /var/log/messages

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email