Splunk Search

Is there a search that can be used to determine if Linux logs have been cleared or deleted?

Path Finder

Greetings,

In Windows, there's a nice EventID you can query to see when system, application, or security event logs have been cleared. I use that to alert me since it could indicate malicious behavior. Is there anything similar anyone is using for Linux-based systems? Just curious if there is an alert I could set up to warn of potential malicious activity related to log modification. Thanks for any advice.

0 Karma

Splunk Employee

@SplunkLunk - Did the answer provided by troyward help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

Explorer

Linux doesn't generate an event like Windows and, unlike Windows, you are able to just open the log file directly and edit it. Like @adonio mentioned, you can look through the bash history, but that is pretty easy to take care of also from an attacker's perspective. If you are worried about a mass delete of the log file, then you could possibly just compare over time the number of events in the log file, and if you see a decrease, that would be a warning. If you are worried about just one or two lines being removed, though, that would be substantially harder and in all honesty I can't think of a good way to do that. If this is a serious concern of yours, this is exactly why we have syslog servers. The other option is to set up a Splunk forwarder on the box and just have it forward all log traffic to Splunk for indexing.

0 Karma
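A defender-side sketch of the "compare the log over time and alert on a decrease" approach troyward describes, added here as an example and not code from the thread or from Splunk. It assumes a small script run periodically on the host (for instance from cron, with the results forwarded to Splunk) and records inode, size and line count so that truncation, file replacement and outright deletion each produce a distinct finding.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (not real data) used by the demo below.
SAMPLE_LINES = [
    f"Jan  1 00:00:0{i} host sshd[100{i}]: Accepted publickey for user{i}\n"
    for i in range(5)
]


@dataclass
class LogSnapshot:
    inode: int   # changes when the file is replaced, e.g. rm + recreate, or an editor that saves via a new file
    size: int    # byte size; a decrease means in-place truncation
    lines: int   # event count, the signal troyward suggests comparing over time


def snapshot(path: str) -> Optional[LogSnapshot]:
    """Record inode, size and line count of a log file; None if it no longer exists."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    with open(path, "rb") as fh:
        line_count = sum(1 for _ in fh)
    return LogSnapshot(st.st_ino, st.st_size, line_count)


def detect_tampering(prev: Optional[LogSnapshot], cur: Optional[LogSnapshot]) -> List[str]:
    """Compare two snapshots taken some interval apart; an empty list means nothing suspicious.
    Note: a single line removed and then overtaken by new appends is invisible here, which is
    the gap troyward points out. Log rotation also changes the inode, so 'replaced' needs an
    allow-list for the rotation window."""
    if cur is None:
        return ["deleted"]
    if prev is None:
        return []                       # first run, nothing to compare against yet
    findings = []
    if cur.inode != prev.inode:
        findings.append("replaced")
    if cur.size < prev.size:
        findings.append("truncated")
    if cur.lines < prev.lines:
        findings.append(f"lines_decreased:{prev.lines - cur.lines}")
    return findings


def demo() -> dict:
    """Run two constructed scenarios against a temp file: in-place truncation, then deletion."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        with open(path, "w") as fh:
            fh.writelines(SAMPLE_LINES)
        baseline = snapshot(path)
        with open(path, "w") as fh:     # mode "w" truncates in place: same inode, fewer bytes and lines
            fh.writelines(SAMPLE_LINES[:2])
        truncated = detect_tampering(baseline, snapshot(path))
        os.remove(path)
        deleted = detect_tampering(baseline, snapshot(path))
        return {"truncated": truncated, "deleted": deleted}
    finally:
        if os.path.exists(path):
            os.remove(path)
```

Feeding the snapshot fields into Splunk as a key=value event per run lets the same comparison be expressed as a search with `streamstats` over the previous row, which is where an alert would actually live.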

SplunkTrust

Hi SplunkLunk,
You can track commands via bash history monitoring and look for rm or vi against the log files and directories you want to keep an eye on.

0 Karma