SOLVED

Analysis of host data detected a large number of system log files being removed

Occasional Contributor
Analysis of host data detected a large number of system log files being removed. Suspicious Command Line: rm -f /var/log/sa/sa18

We are receiving these alerts in Azure Security Center, and after checking the logs on the server we found that:

1.) This is the general working logic of the system to remove old sar logs older than one month, so it is expected that the system will delete old logs accordingly.
2.) Why did we start receiving such alerts just a few days back, when this OS functionality has been there from day 1?
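As an added triage helper for alerts like the one quoted above (example code written for this thread, not Azure Security Center's own detection logic or the poster's), the block below classifies the alert's command line: removals confined to sysstat's daily files under /var/log/sa, whose saDD/sarDD naming is an assumption here, are treated as the expected monthly cleanup, while any other rm line stays flagged for review. The sample alert lines are constructed.

```python
"""Triage helper for the alert quoted in this thread (added example, not
Azure Security Center's logic). rm command lines that only remove sysstat's
daily files under /var/log/sa, the monthly cleanup the poster describes,
are classed as expected rotation; any other rm line stays up for review."""
import re
import shlex

# Assumed layout: sysstat writes saDD (binary data) and sarDD (text
# report), DD = day of month 01-31, matching the path in the alert.
SYSSTAT_FILE = re.compile(r"^/var/log/sa/sar?(0[1-9]|[12][0-9]|3[01])$")


def removed_paths(cmdline: str) -> list[str]:
    """Return the file operands of an rm command line ([] if not rm)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: treat as no operands
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] != "rm":
        return []
    paths, options_done = [], False
    for arg in argv[1:]:
        if options_done:
            paths.append(arg)
        elif arg == "--":       # everything after '--' is an operand
            options_done = True
        elif arg.startswith("-") and len(arg) > 1:
            continue            # -f, -rf, --force ... are options
        else:
            paths.append(arg)
    return paths


def classify(cmdline: str) -> str:
    """'expected-rotation', 'review' or 'not-rm' for one alert line."""
    paths = removed_paths(cmdline)
    if not paths:
        return "not-rm"
    if all(SYSSTAT_FILE.match(p) for p in paths):
        return "expected-rotation"
    return "review"             # at least one operand is not a sar file


# Constructed sample alerts, modelled on the one quoted in the thread.
SAMPLE_ALERTS = ["rm -f /var/log/sa/sa18", "/usr/bin/rm -f -- /var/log/sa/sar18",
                 "rm -f /var/log/sa/sa18 /var/log/auth.log", "tar czf /tmp/sa.tgz /var/log/sa"]
```

Only lines whose every operand matches the sysstat pattern are suppressed; a mixed command line that also touches another log is kept for review.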
2 Replies
best response confirmed by ujjawalm (Occasional Contributor)
Solution

Hi @ujjawalm ,

Those alerts are the result of a known temporary error in our system that caused Azure Security Center to trigger alerts that shouldn't have been triggered. The issue was mitigated successfully; you shouldn't get such alerts anymore. I am very sorry for the inconvenience it caused. Please feel free to ignore those alerts.

 

Thanks,

 

Tal Rosler,

Product Manager, Azure Security Center.