Is there a search that can be used to determine if...

SplunkLunk · ‎01-12-2017

Greetings,

In Windows, there's a nice EventID you can query to see when system, application, or security event logs have been cleared. I use that to alert me since it could indicate malicious behavior. Is there anything similar anyone is using for Linux based systems? Just curious if there is an alert I could setup to warn of potential malicious activity related to log modification. Thanks for any advice.

aaraneta_splunk · ‎04-20-2017

@SplunkLunk - Did the answer provided by troyward help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

troyward · ‎02-25-2017

Linux doesn't generate an event like Windows and unlike Windows, you are able to just open the log file directly and edit it. Like @adonio mentioned, you can look through the bash history but that is pretty easy to take care of also from an attacker perspective. If you are worried about a mass delete of the log file, then you could possibly just compare over time the number of events in the log file and if you see a decrease, that would be a warning. If you are worried about just one or two lines being removed though that would be substantially harder and in all honesty I can't think of a good way to do that. This this is a serious concern of yours this is exactly why we have syslog servers. The other option is to setup a splunk forwarder on the box and just have it forward all log traffic to splunk for indexing.

adonio · ‎02-24-2017

Hi SplunkLunk,
you can track commands via bash.history monitoring and look for rm or vi and the log or files and directories you want to keep an eye on

Is there a search that can be used to determine if Linux logs have been cleared or deleted?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk