Files not being scanned or delete

[mattBrzezinski]

Hi,

I just set up this project and finally managed to get it working. I uploaded the eicar.com file, and it seems like it's either not getting scanned or it is not being deleted.

I've looked through the CloudWatch logs but cannot seem to find anything in them that the file has been scanned.

In SQS I can see the message come through,

{"Records":[{"eventVersion":"2.0","eventSource":"aws:s3","awsRegion":"us-west-2","eventTime":"2017-12-14T22:08:20.406Z","eventName":"ObjectCreated:Put","userIdentity":{"principalId":"----"},"requestParameters":{"sourceIPAddress":"----"},"responseElements":{"x-amz-request-id":"18F6891473E7350B","x-amz-id-2":"Xkh0HVRCQbSFvwB+RNYkOzDshXqNvgCaS1DqrmgXOvotAoDolagw+Sg30yg0ulZ3tevFiyBtLEA="},"s3":{"s3SchemaVersion":"1.0","configurationId":"AV","bucket":{"name":"---","ownerIdentity":{"principalId":"AWVVKMUPSHO6I"},"arn":"----"},"object":{"key":"eicar.com","size":68,"eTag":"44d88612fea8a8f36de82e1278abb02f","sequencer":"005A32F6545BC81647"}}}]}

[michaelwittig]

HI @mattBrzezinski Can you check what you find in cloudwatch logs? E.g. in the /var/log/messages log stream?

[mattBrzezinski]

@michaelwittig this is what the logs show. They just repeat over time with these messages.

14:01:44
Dec 15 14:01:44 ip------ clamd[2982]: SelfCheck: Database status OK.
14:02:23
Dec 15 14:02:23 ip----- dhclient[2209]: XMT: Solicit on eth0, interval 109550ms.
14:04:12
Dec 15 14:04:12 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 109330ms.
14:06:02
Dec 15 14:06:02 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 126310ms.
14:08:08
Dec 15 14:08:08 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 130140ms.
14:10:18
Dec 15 14:10:18 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 115890ms.
14:11:41
Dec 15 14:11:41 ip------ dhclient[2108]: DHCPREQUEST on eth0 to 10.42.32.1 port 67 (xid=0x3e4feeb0)
14:11:41
Dec 15 14:11:41 ip------ dhclient[2108]: DHCPACK from 10.42.32.1 (xid=0x3e4feeb0)
14:11:41
Dec 15 14:11:41 ip------ dhclient[2108]: bound to 10.42.45.236 -- renewal in 1546 seconds.
14:11:41
Dec 15 14:11:41 ip------ ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/06:b1:39:9a:cc:56/local-ipv4s
14:11:41
Dec 15 14:11:41 ip------ ec2net: [rewrite_aliases] Rewriting aliases of eth0
14:11:44
Dec 15 14:11:44 ip------ clamd[2982]: SelfCheck: Database status OK.
14:12:14
Dec 15 14:12:14 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 119470ms.
14:14:14
Dec 15 14:14:14 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 124960ms.
14:16:19
Dec 15 14:16:19 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 128110ms.
14:18:27
Dec 15 14:18:27 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 123600ms.
14:20:31
Dec 15 14:20:31 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 126130ms.
14:21:44
Dec 15 14:21:44 ip------ clamd[2982]: SelfCheck: Database status OK.
14:22:37
Dec 15 14:22:37 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 113130ms.
14:24:30
Dec 15 14:24:30 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 130360ms.
14:26:41
Dec 15 14:26:41 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 128760ms.
14:28:50
Dec 15 14:28:50 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 118670ms.
14:30:48
Dec 15 14:30:48 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 119260ms.
14:31:44
Dec 15 14:31:44 ip------ clamd[2982]: SelfCheck: Database status OK.
14:32:48
Dec 15 14:32:48 ip------ dhclient[2209]: XMT: Solicit on eth0, interval 123250ms.

[michaelwittig]

do you have uploaded a file during the time of the log excerpt?

can you confirm that all SQS queues are empty before and after you uploaded a file to s3?