Azure Sentinel integrate with Linux logs


Hello everyone,

I would like to see if there is a way to query "Event Log Cleared" on Linux system(s), in particular, what the events look like when/after being cleared? For example, for Windows, it's EventID 1102, so I am curious to find out if there is something similar for Linux systems.

Thank you! 

1 Reply

@bluelogik: logs are stored in files in Linux and I believe the "1102" for Linux would be a file delete event for those files (usually in /var/log). How to monitor file activity events in Linux is a large topic and would depend on your Linux distro. A good starting point is this: https://www.infoq.com/articles/inotify-linux-file-system-event-monitoring/
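As an added illustration of the inotify approach suggested in the reply (not code from the original thread or from Azure Sentinel), the following Python script watches a log directory for the two ways a Linux log file typically gets "cleared": the file being deleted or moved away, and the file being truncated in place (which inotify reports as a modify event). It calls the inotify syscalls through ctypes, so it runs only on Linux; the directory path, file name and event labels are assumptions made for the demo.

```python
import ctypes
import os
import struct
import tempfile

# inotify event bits from <sys/inotify.h> (Linux)
IN_MODIFY, IN_MOVED_FROM, IN_DELETE, IN_DELETE_SELF = 0x2, 0x40, 0x200, 0x400
WATCH_MASK = IN_MODIFY | IN_MOVED_FROM | IN_DELETE | IN_DELETE_SELF
_EVENT_HDR = struct.Struct("iIII")  # wd, mask, cookie, name length
_NAMES = {IN_MODIFY: "MODIFY", IN_MOVED_FROM: "MOVED_FROM",
          IN_DELETE: "DELETE", IN_DELETE_SELF: "DELETE_SELF"}
_libc = ctypes.CDLL(None, use_errno=True)  # glibc or musl both export inotify_*


def describe(mask):
    """Translate an event bitmask into the labels we care about."""
    return [name for bit, name in _NAMES.items() if mask & bit]


class LogDirWatcher:
    """Non-blocking inotify watch on one directory (e.g. /var/log)."""

    def __init__(self, directory):
        self.fd = _libc.inotify_init1(os.O_NONBLOCK)  # IN_NONBLOCK == O_NONBLOCK
        if self.fd < 0:
            raise OSError(ctypes.get_errno(), "inotify_init1 failed")
        self.wd = _libc.inotify_add_watch(self.fd, directory.encode(), WATCH_MASK)
        if self.wd < 0:
            raise OSError(ctypes.get_errno(), "inotify_add_watch failed")

    def poll_events(self):
        """Drain queued events; returns a list of (file name, [labels])."""
        try:
            buf = os.read(self.fd, 65536)
        except BlockingIOError:
            return []
        events, off = [], 0
        while off < len(buf):
            _wd, mask, _cookie, length = _EVENT_HDR.unpack_from(buf, off)
            off += _EVENT_HDR.size
            name = buf[off:off + length].rstrip(b"\0").decode()  # '' = the dir itself
            off += length
            events.append((name, describe(mask)))
        return events


def demo_log_clear():
    """Constructed scenario: write, truncate, then delete a fake auth.log."""
    log_dir = tempfile.mkdtemp()
    watcher = LogDirWatcher(log_dir)
    path = os.path.join(log_dir, "auth.log")
    with open(path, "w") as fh:
        fh.write("sample line\n")
    open(path, "w").close()  # truncation in place -> MODIFY
    os.unlink(path)          # deletion -> DELETE (the Linux "1102" analogue)
    return watcher.poll_events()


if __name__ == "__main__":
    for name, labels in demo_log_clear():
        print(name, labels)
```

Identical consecutive events are coalesced by the kernel, so the truncate may share a single MODIFY with the preceding write; a real deployment would forward these events to the Log Analytics agent rather than print them.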