<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Is there a search that can be used to determine if Linux logs have been cleared or deleted? in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-that-can-be-used-to-determine-if-Linux-logs/m-p/237252#M70514</link>
    <description>&lt;P&gt;@SplunkLunk - Did the answer provided by troyward help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!&lt;/P&gt;</description>
    <pubDate>Fri, 21 Apr 2017 03:41:38 GMT</pubDate>
    <dc:creator>aaraneta_splunk</dc:creator>
    <dc:date>2017-04-21T03:41:38Z</dc:date>
    <item>
      <title>Is there a search that can be used to determine if Linux logs have been cleared or deleted?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-that-can-be-used-to-determine-if-Linux-logs/m-p/237249#M70511</link>
      <description>&lt;P&gt;Greetings,&lt;/P&gt;

&lt;P&gt;In Windows, there's a nice EventID you can query to see when system, application, or security event logs have been cleared.  I use that to alert me since it could indicate malicious behavior.  Is there anything similar anyone is using for Linux-based systems?  Just curious if there is an alert I could set up to warn of potential malicious activity related to log modification.  Thanks for any advice.&lt;/P&gt;</description>
      <pubDate>Thu, 12 Jan 2017 17:47:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-that-can-be-used-to-determine-if-Linux-logs/m-p/237249#M70511</guid>
      <dc:creator>SplunkLunk</dc:creator>
      <dc:date>2017-01-12T17:47:08Z</dc:date>
    </item>
    <item>
      <title>Re: Is there a search that can be used to determine if Linux logs have been cleared or deleted?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-that-can-be-used-to-determine-if-Linux-logs/m-p/237250#M70512</link>
      <description>&lt;P&gt;Hi SplunkLunk,&lt;BR /&gt;
You can track commands via .bash_history monitoring and look for rm or vi against the log files or directories you want to keep an eye on.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Feb 2017 18:30:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-that-can-be-used-to-determine-if-Linux-logs/m-p/237250#M70512</guid>
      <dc:creator>adonio</dc:creator>
      <dc:date>2017-02-24T18:30:50Z</dc:date>
    </item>
    <item>
      <title>Re: Is there a search that can be used to determine if Linux logs have been cleared or deleted?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-that-can-be-used-to-determine-if-Linux-logs/m-p/237251#M70513</link>
      <description>&lt;P&gt;Linux doesn't generate an event like Windows and unlike Windows, you are able to just open the log file directly and edit it.  Like @adonio mentioned, you can look through the bash history but that is pretty easy to take care of also from an attacker perspective.  If you are worried about a mass delete of the log file, then you could possibly just compare over time the number of events in the log file and if you see a decrease, that would be a warning.  If you are worried about just one or two lines being removed though that would be substantially harder and in all honesty I can't think of a good way to do that.  This this is a serious concern of yours this is exactly why we have syslog servers.  The other option is to setup a splunk forwarder on the box and just have it forward all log traffic to splunk for indexing.&lt;/P&gt;</description>
      <pubDate>Sat, 25 Feb 2017 17:00:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-that-can-be-used-to-determine-if-Linux-logs/m-p/237251#M70513</guid>
      <dc:creator>troyward</dc:creator>
      <dc:date>2017-02-25T17:00:12Z</dc:date>
    </item>
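The two heuristics suggested in the replies above, adonio's shell-history check and troyward's "alert when the count goes down" comparison, implemented as an added example that is not code from the thread or from any poster. It goes one step beyond the thread by also recording the file's inode, so a delete-and-recreate that leaves a file of the same length is caught even though the line count does not drop. The paths in WATCHED_LOGS, the command list, the sample history and the sample log lines are all constructed assumptions for the demo.

```python
"""Detect Linux log clearing from (a) a shrinking line count / changed inode
and (b) destructive shell-history entries against watched log files."""
import os
import re
import shlex
import tempfile
from dataclasses import dataclass
from typing import Optional

# Assumed list of logs worth watching; adjust per distribution.
WATCHED_LOGS = ("/var/log/auth.log", "/var/log/secure", "/var/log/syslog", "/var/log/messages")
# Commands that delete, truncate or rewrite a file. A lone ">" is its own shlex token
# when history holds a bare redirection such as `> /var/log/auth.log`.
DESTRUCTIVE = {"rm", "unlink", "shred", "truncate", "vi", "vim", "nano", "sed", ">"}
# Single ">" (not ">>", which appends) immediately before a watched path.
_TRUNC_REDIRECT = re.compile(r"(?<!>)>(?!>)\s*(" + "|".join(map(re.escape, WATCHED_LOGS)) + ")")


@dataclass(frozen=True)
class Snapshot:
    inode: int
    size: int
    lines: int


def snapshot(path: str) -> Optional[Snapshot]:
    """Record inode, byte size and line count; None if the file is gone."""
    try:
        st = os.stat(path)
        with open(path, "rb") as fh:
            lines = sum(1 for _ in fh)
    except FileNotFoundError:
        return None
    return Snapshot(st.st_ino, st.st_size, lines)


def compare(path: str, before: Snapshot, after: Optional[Snapshot]) -> list:
    """Alerts for regressions between two snapshots. Normal growth (same inode,
    more lines) is silent. Logrotate also changes the inode, so correlate inode
    alerts with rotation times before paging anyone."""
    if after is None:
        return [f"{path}: file deleted"]
    alerts = []
    if after.inode != before.inode:
        alerts.append(f"{path}: inode changed {before.inode}->{after.inode} (file replaced)")
    if after.lines < before.lines:
        alerts.append(f"{path}: line count dropped {before.lines}->{after.lines} (truncated or lines removed)")
    elif after.size < before.size:
        alerts.append(f"{path}: size shrank {before.size}->{after.size} with same line count (edited in place)")
    return alerts


def history_hits(history_lines, watched=WATCHED_LOGS) -> list:
    """History entries that run a destructive command or a truncating redirection
    against a watched log. Read-only commands (tail, grep, less) are not flagged."""
    hits = []
    for line in history_lines:
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes in history; fall back to whitespace split
            tokens = line.split()
        while tokens and os.path.basename(tokens[0]) == "sudo":  # judge `sudo rm ...` by `rm`
            tokens = tokens[1:]
        if not tokens or not any(w in tok for tok in tokens for w in watched):
            continue
        cmd = os.path.basename(tokens[0])
        if cmd in DESTRUCTIVE or ">" in tokens or _TRUNC_REDIRECT.search(line):
            hits.append(line)
    return hits


HISTORY = [  # constructed sample of an attacker's ~/.bash_history
    "tail -n 50 /var/log/auth.log",
    "sudo rm -f /var/log/auth.log",
    "sed -i '/10.0.0.7/d' /var/log/secure",
    "cat /dev/null > /var/log/syslog",
    "echo done >> /var/log/messages",
    "history -c",
]


def demo():
    """Truncate, then replace, a constructed log in a temp dir; return both alert lists."""
    sample = "".join(f"Jan 12 17:47:0{i} host sshd[1]: Accepted publickey for ops\n" for i in range(5))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "w") as fh:
            fh.write(sample)
        before = snapshot(path)
        with open(path, "w"):  # case 1: `> auth.log`, same inode, zero lines
            pass
        truncated = compare(path, before, snapshot(path))
        replacement = path + ".new"  # case 2: same-length replacement; writing it beside
        with open(replacement, "w") as fh:  # the original first guarantees a new inode
            fh.write(sample)
        os.replace(replacement, path)
        replaced = compare(path, before, snapshot(path))
    return truncated, replaced


if __name__ == "__main__":
    for alert in (*demo()[0], *demo()[1], *history_hits(HISTORY)):
        print(alert)
```

Run the snapshot/compare pair from cron or a scripted input and ship only the alert strings; as troyward notes, the reliable control is still forwarding the logs off the box before anyone can touch them, and a cleared history defeats the second check entirely.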
    <item>
      <title>Re: Is there a search that can be used to determine if Linux logs have been cleared or deleted?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-that-can-be-used-to-determine-if-Linux-logs/m-p/237252#M70514</link>
      <description>&lt;P&gt;@SplunkLunk - Did the answer provided by troyward help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!&lt;/P&gt;</description>
      <pubDate>Fri, 21 Apr 2017 03:41:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-that-can-be-used-to-determine-if-Linux-logs/m-p/237252#M70514</guid>
      <dc:creator>aaraneta_splunk</dc:creator>
      <dc:date>2017-04-21T03:41:38Z</dc:date>
    </item>
  </channel>
</rss>

