Azure Sentinel integrate with Linux logs

Question

Hello everyone,I would like to see if there is a way to query "Event Log Cleared" on Linux system(s),&nbsp;in particular, what the events look like when/after being cleared?&nbsp;For example, for Windows, its EventID 1102, so I am curious to find out if there is something similar for Linux systems.Thank you!&nbsp;

ofer_shezaf · Answer

bluelogik&nbsp;: logs are stored in files in Linux and I believe the "1102" for Linux would be a file delete event for those files (usually in /var/log). How to monitor file activity events in Linux is a large topic and would depend on your Linux distro. A good starting point is this.

bluelogik · Answer

Ofer_Shezaf&nbsp;thank you!&nbsp;

consultant1520 · Answer

bluelogik : Were you able to develop any similar template for linux ?

Forum Discussion

Azure Sentinel integrate with Linux logs

3 Replies

Resources