How can I or where can I find if anyone removed any log files on unix syslog server?
what are the sample unix commands that used to remove any log files?
The system logrotation itself can remove/rotate logs. So it makes it difficult to detect who actually removed the log files
You can implement audit in Linux systems and ensure the relevant files are monitored. You need to print-out auid, uid and all relevant information to detect who actually did modification or delete. Then you can onboard these audit data into Splunk
You can employ a professional software (File Integrity monitor) software to check actions for specific file
A cheap option is to detect file changes by writing a simple shell script and packaging this as a "scripted inputs" app to find file modified time, file creation time etc. A sample script is provided in this link and onboard into Splunk
The system logrotation itself can remove/rotate logs. So it makes it difficult to detect who actually removed the log files
You can implement audit in Linux systems and ensure the relevant files are monitored. You need to print-out auid, uid and all relevant information to detect who actually did modification or delete. Then you can onboard these audit data into Splunk
You can employ a professional software (File Integrity monitor) software to check actions for specific file
A cheap option is to detect file changes by writing a simple shell script and packaging this as a "scripted inputs" app to find file modified time, file creation time etc. A sample script is provided in this link and onboard into Splunk
