Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk query to list if anyone removed logs from unix server(syslog servers)?

pavanae
Builder
‎05-17-2019 11:05 AM

Base query :- sourcetype=syslog

How can I or where can I find if anyone removed any log files on unix syslog server?
what are the sample unix commands that used to remove any log files?

Any inputs would be highly appriciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-17-2019 11:54 AM

Your question is very broad.

  1. The system logrotation itself can remove/rotate logs. So it makes it difficult to detect who actually removed the log files
  2. You can implement audit in Linux systems and ensure the relevant files are monitored. You need to print-out auid, uid and all relevant information to detect who actually did modification or delete. Then you can onboard these audit data into Splunk
  3. You can employ a professional software (File Integrity monitor) software to check actions for specific file
  4. A cheap option is to detect file changes by writing a simple shell script and packaging this as a "scripted inputs" app to find file modified time, file creation time etc. A sample script is provided in this link and onboard into Splunk

View solution in original post

Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-17-2019 11:54 AM

Your question is very broad.

  1. The system logrotation itself can remove/rotate logs. So it makes it difficult to detect who actually removed the log files
  2. You can implement audit in Linux systems and ensure the relevant files are monitored. You need to print-out auid, uid and all relevant information to detect who actually did modification or delete. Then you can onboard these audit data into Splunk
  3. You can employ a professional software (File Integrity monitor) software to check actions for specific file
  4. A cheap option is to detect file changes by writing a simple shell script and packaging this as a "scripted inputs" app to find file modified time, file creation time etc. A sample script is provided in this link and onboard into Splunk
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...
Top