pavanae
Builder
05-17-2019
11:05 AM
Base query: sourcetype=syslog
How can I, or where can I, find out if anyone removed any log files on a Unix syslog server?
What are the sample Unix commands used to remove log files?
Any inputs would be highly appreciated.
1 Solution
koshyk
Super Champion
05-17-2019
11:54 AM
Your question is very broad.
- The system log rotation itself can remove or rotate logs, so it is difficult to detect who actually removed the log files.
- You can implement audit in Linux systems and ensure the relevant files are monitored. You need to print out auid, uid and all relevant information to detect who actually did the modification or deletion. Then you can onboard this audit data into Splunk.
- You can employ professional software (a File Integrity Monitor) to check actions on a specific file.
- A cheap option is to detect file changes by writing a simple shell script and packaging it as a "scripted inputs" app to find file modified time, file creation time, etc. A sample script is provided in this link; onboard it into Splunk.
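The auditd route described in the answer above, as an added example that is not part of the original thread and not Splunk's code: a small scripted-input helper that snapshots log-file metadata, plus an awk filter that turns raw audit.log records from a directory watch rule into "who deleted which file" events carrying auid and uid. Assumed: Linux with GNU coreutils stat and auditd, an audit rule keyed "logdel", and constructed sample records.

```shell
#!/bin/sh
# Added example (not the original poster's script, not Splunk's code).
# Two defender-side helpers for the auditd approach described in the answer:
#  1. emit_file_state: a tiny Splunk scripted input that prints one key=value
#     event per log file (inode, size, owner, mtime/ctime) so a search can
#     alert when a file vanishes or its inode changes between runs.
#  2. who_deleted_logs: reduces raw /var/log/audit/audit.log records produced by
#     a rule such as  -w /var/log/ -p wa -k logdel  to "who deleted what".
# Assumptions: Linux with GNU coreutils stat and auditd; key name "logdel".

emit_file_state() {
    dir="${1:-/var/log}"
    find "$dir" -maxdepth 1 -type f 2>/dev/null | while IFS= read -r f; do
        stat -c 'path="%n" inode=%i size=%s uid=%u mtime=%Y ctime=%Z' "$f"
    done
}

# Reads audit records on stdin; joins each SYSCALL record carrying our key with
# the PATH record (same audit serial) whose nametype=DELETE names the file.
who_deleted_logs() {
    awk -v k="\"${1:-logdel}\"" '
        function fields(   i, kv) {   # parse k=v pairs after type/msg into global array f
            split("", f)
            for (i = 3; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
        }
        { serial = $2; sub(/^msg=audit\([0-9.]+:/, "", serial); sub(/\):$/, "", serial) }
        $1 == "type=SYSCALL" {
            fields()   # auid is the login uid and survives su/sudo; 4294967295 means unset (daemon)
            if (f["key"] == k) who[serial] = "auid=" f["auid"] " uid=" f["uid"] " comm=" f["comm"] " exe=" f["exe"]
        }
        $1 == "type=PATH" && (serial in who) {
            fields()
            if (f["nametype"] == "DELETE") print who[serial] " deleted=" f["name"]
        }'
}

# Constructed sample records (not from a real host): an interactive user deleting
# auth.log via rm, followed by an unrelated daemon open() that carries no key.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1558100000.123:456): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd a1=0 a2=0 a3=0 items=2 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="logdel"
type=PATH msg=audit(1558100000.123:456): item=1 name="/var/log/auth.log" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=4 nametype=DELETE
type=SYSCALL msg=audit(1558100010.000:457): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key=(null)'

printf '%s\n' "$SAMPLE_AUDIT" | who_deleted_logs logdel
```

Pointing Splunk at the audit.log directly and searching on `key="logdel"` and `nametype=DELETE` gives the same answer; the awk filter is only the minimal stand-alone form of that join.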
