Splunk Search

Is there a search that can be used to determine if Linux logs have been cleared or deleted?

SplunkLunk
Path Finder

Greetings,

In Windows, there's a nice EventID you can query to see when system, application, or security event logs have been cleared. I use that to alert me since it could indicate malicious behavior. Is there anything similar anyone is using for Linux-based systems? Just curious if there is an alert I could set up to warn of potential malicious activity related to log modification. Thanks for any advice.

0 Karma

aaraneta_splunk
Splunk Employee

@SplunkLunk - Did the answer provided by troyward help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

troyward
Explorer

Linux doesn't generate an event like Windows, and unlike Windows, you are able to just open the log file directly and edit it. Like @adonio mentioned, you can look through the bash history, but that is pretty easy to take care of also from an attacker perspective. If you are worried about a mass delete of the log file, then you could possibly just compare over time the number of events in the log file and, if you see a decrease, that would be a warning. If you are worried about just one or two lines being removed, though, that would be substantially harder, and in all honesty I can't think of a good way to do that. If this is a serious concern of yours, this is exactly why we have syslog servers. The other option is to set up a Splunk forwarder on the box and just have it forward all log traffic to Splunk for indexing.

0 Karma
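A worked version of the count-comparison idea in troyward's answer, added here as an example (it is not code from the thread or from Splunk): take a snapshot of each watched log's inode, byte size and line count, then diff a later snapshot against it. The log paths and numbers in the two sample snapshots are constructed for illustration; the `snapshot()` function does the real work against the filesystem when you point it at your own paths.

```python
"""Snapshot-and-compare check for mass deletion or truncation of Linux logs.

Added example: record inode, byte size and line count of each watched log,
then compare a later snapshot against the earlier one. A shrinking or
vanishing file is the signal described above. The sample snapshots at the
bottom are constructed, not taken from a real host.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class LogState:
    inode: int   # st_ino: changes when the file is removed and recreated
    size: int    # st_size in bytes
    lines: int   # number of newline-terminated lines


def snapshot(paths):
    """Return {path: LogState or None} for each path (None = missing/unreadable)."""
    state = {}
    for path in paths:
        try:
            st = os.stat(path)
            with open(path, "rb") as fh:
                lines = sum(1 for _ in fh)
        except OSError:
            state[path] = None
            continue
        state[path] = LogState(st.st_ino, st.st_size, lines)
    return state


def compare(prev, curr):
    """Return [(path, kind, detail)] for every log that went backwards.

    kind is one of:
      deleted   - present before, gone now
      replaced  - inode changed (rm + recreate, or a normal logrotate)
      truncated - same inode but fewer bytes or lines (e.g. `> /var/log/auth.log`)
    Normal growth and unchanged files produce nothing.
    """
    alerts = []
    for path, before in prev.items():
        if before is None:
            continue
        after = curr.get(path)
        if after is None:
            alerts.append((path, "deleted", f"was {before.lines} lines"))
        elif after.inode != before.inode:
            alerts.append((path, "replaced", f"inode {before.inode} -> {after.inode}"))
        elif after.size < before.size or after.lines < before.lines:
            alerts.append((path, "truncated", f"{before.lines} -> {after.lines} lines"))
    return alerts


# Constructed sample snapshots (not real data), notionally an hour apart.
SAMPLE_BEFORE = {
    "/var/log/auth.log": LogState(inode=131, size=48210, lines=612),
    "/var/log/syslog": LogState(inode=132, size=901332, lines=7710),
    "/var/log/kern.log": LogState(inode=133, size=20480, lines=140),
    "/var/log/audit/audit.log": LogState(inode=134, size=3000, lines=25),
}
SAMPLE_AFTER = {
    "/var/log/auth.log": LogState(inode=131, size=0, lines=0),         # `> /var/log/auth.log`
    "/var/log/syslog": LogState(inode=132, size=903118, lines=7724),   # normal growth
    "/var/log/kern.log": LogState(inode=201, size=512, lines=4),       # rm + new file, or logrotate
    # audit.log is absent: deleted outright
}

if __name__ == "__main__":
    for path, kind, detail in compare(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"ALERT {kind:9} {path} ({detail})")
```

Run it from cron (or a Splunk scripted input) and persist the previous snapshot between runs; the alert lines can then be indexed and alerted on like any other event. Two caveats: logrotate produces the same "replaced" (rename-and-create) or "truncated" (copytruncate) signals, so suppress hits that coincide with the rotation schedule, and, as the answer says, this only catches bulk removal, not the surgical deletion of one or two lines.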

adonio
Ultra Champion

Hi SplunkLunk,
You can track commands via .bash_history monitoring and look for rm or vi on the log files and directories you want to keep an eye on.

0 Karma
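The matching logic behind adonio's suggestion, as an added example that is not code from the thread: scan shell-history lines for commands that edit or remove a watched log. It goes a little beyond rm and vi, also flagging redirections that truncate a log (`> /var/log/secure`) and the `history -c` / `unset HISTFILE` moves an attacker uses to cover tracks, which is the weakness troyward points out. The `DESTRUCTIVE` and `WATCHED` lists and the history lines are constructed for the example.

```python
"""Flag shell-history entries that touch log files or cover tracks.

Added example implementing a bash-history check, extended beyond rm/vi to
redirections that truncate a log and to commands that clear the history
itself. The history lines in SAMPLE_HISTORY are constructed, not captured.
"""
import shlex

# Commands that rewrite or remove a file when given a log path (assumed list).
DESTRUCTIVE = {"rm", "unlink", "vi", "vim", "nano", "truncate", "shred", "sed"}
# Substrings identifying the files worth watching (assumed; extend to your own paths).
WATCHED = ("/var/log", ".bash_history", "/var/run/utmp")


def watched(token):
    return any(w in token for w in WATCHED)


def classify(cmd):
    """Return a reason string if cmd looks like log tampering, else None."""
    try:
        toks = shlex.split(cmd)
    except ValueError:              # unbalanced quotes: fall back to a naive split
        toks = cmd.split()
    if toks and toks[0] == "sudo":  # simplification: ignores sudo's own options
        toks = toks[1:]
    if not toks:
        return None
    if toks[0] == "history" and "-c" in toks[1:]:
        return "history cleared"
    if toks[0] == "unset" and "HISTFILE" in toks[1:]:
        return "history disabled"
    # `> /var/log/x` empties the file; `>>` lets an attacker plant fake entries.
    for i, t in enumerate(toks[:-1]):
        if t in (">", ">|", ">>") and watched(toks[i + 1]):
            return "redirect into log"
    if toks[0] in DESTRUCTIVE and any(watched(t) for t in toks[1:]):
        return "edit/delete of log"
    return None


def scan_history(lines):
    """Return [(line_no, reason, command)] for suspicious entries (1-based)."""
    hits = []
    for n, cmd in enumerate(lines, start=1):
        reason = classify(cmd)
        if reason:
            hits.append((n, reason, cmd))
    return hits


# Constructed sample history (not captured from a real host).
SAMPLE_HISTORY = [
    "ls -la /var/log",
    "sudo vi /var/log/auth.log",
    "rm -f /var/log/wtmp",
    "> /var/log/secure",
    "cat /var/log/syslog | grep sshd",
    'echo "" > /var/log/lastlog',
    "history -c",
    "unset HISTFILE",
    "vim ~/notes.txt",
]

if __name__ == "__main__":
    for n, reason, cmd in scan_history(SAMPLE_HISTORY):
        print(f"{n:3}  {reason:20}  {cmd}")
```

Feed it the contents of each user's .bash_history (or the same lines once a forwarder has indexed them). Keep in mind that bash writes history at shell exit by default, so entries arrive late, and that an attacker who clears or disables history leaves no lines to scan; a history file that stops growing while logins continue is itself worth an alert.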