In Windows, there's a nice EventID you can query to see when system, application, or security event logs have been cleared. I use that to alert me since it could indicate malicious behavior. Is there anything similar anyone is using for Linux based systems? Just curious if there is an alert I could set up to warn of potential malicious activity related to log modification. Thanks for any advice.
@SplunkLunk - Did the answer provided by troyward help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
Linux doesn't generate an event like Windows and, unlike Windows, you are able to just open the log file directly and edit it. Like @adonio mentioned, you can look through the bash history, but that is pretty easy to take care of also from an attacker's perspective. If you are worried about a mass delete of the log file, then you could possibly just compare over time the number of events in the log file, and if you see a decrease, that would be a warning. If you are worried about just one or two lines being removed, though, that would be substantially harder, and in all honesty I can't think of a good way to do that. If this is a serious concern of yours, this is exactly why we have syslog servers. The other option is to set up a Splunk forwarder on the box and just have it forward all log traffic to Splunk for indexing.
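One way to implement the "compare over time" check from the answer above, as an added example that is not part of the original post: it extends the event-count idea with the file's inode and a hash of its first bytes, so a truncated, replaced, or rewritten log is flagged even when the line count alone would not show it. The log path, PREFIX_BYTES, and the sample entries are constructed for the demo and are assumptions, not values from the thread.

```python
import hashlib
import os
import tempfile

PREFIX_BYTES = 4096  # how much of the file head is fingerprinted (assumed)

def snapshot(path):
    """Record inode, size, line count and a hash of the file's first bytes."""
    st = os.stat(path)
    with open(path, "rb") as f:
        head = f.read(PREFIX_BYTES)
        lines = head.count(b"\n")
        for chunk in iter(lambda: f.read(65536), b""):
            lines += chunk.count(b"\n")
    return {"inode": st.st_ino, "size": st.st_size, "lines": lines,
            "prefix_len": len(head), "prefix_hash": hashlib.sha256(head).hexdigest()}

def compare(prev, path):
    """Return (new snapshot, findings). A healthy log only grows and keeps its old
    head intact; logrotate also trips these checks, so correlate with its schedule."""
    cur = snapshot(path)
    findings = []
    if cur["inode"] != prev["inode"]:
        findings.append("replaced")  # e.g. sed -i writes a new file and renames it
        return cur, findings
    if cur["size"] < prev["size"] or cur["lines"] < prev["lines"]:
        findings.append("shrunk")
    with open(path, "rb") as f:
        head = f.read(prev["prefix_len"])
    if hashlib.sha256(head).hexdigest() != prev["prefix_hash"]:
        findings.append("rewritten")  # earlier content no longer matches
    return cur, findings

def demo():
    """Constructed scenario: normal growth, then two lines quietly removed."""
    path = os.path.join(tempfile.mkdtemp(), "auth.log")
    entries = [b"Jan  1 10:00:01 host sshd[100]: Accepted publickey for alice\n",
               b"Jan  1 10:05:12 host sshd[101]: Failed password for root\n",
               b"Jan  1 10:05:15 host sshd[101]: Failed password for root\n"]
    with open(path, "wb") as f:
        f.writelines(entries)
    base = snapshot(path)
    with open(path, "ab") as f:  # ordinary activity: the log grows
        f.write(b"Jan  1 10:06:00 host sudo: alice : COMMAND=/bin/ls\n")
    base, normal = compare(base, path)
    with open(path, "wb") as f:  # the failed-login lines are dropped in place
        f.writelines(entries[:1])
    _, tampered = compare(base, path)
    return normal, tampered
```

Run `compare` from a cron job or a Splunk scripted input, persisting the previous snapshot between runs, and alert on any non-empty findings list.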