Logging Configuration Changes on Linux Host
Detect changes of syslog daemons configuration files
Sigma rule
title: Logging Configuration Changes on Linux Host
id: c830f15d-6f6e-430f-8074-6f73d6807841
status: test
description: Detect changes of syslog daemons configuration files
references:
    - self experience
author: Mikhail Larin, oscd.community
date: 2019/10/25
modified: 2021/11/27
tags:
    - attack.defense_evasion
    - attack.t1562.006
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name:
            - /etc/syslog.conf
            - /etc/rsyslog.conf
            - /etc/syslog-ng/syslog-ng.conf
    condition: selection
fields:
    - exe
    - comm
    - key
falsepositives:
    - Legitimate administrative activity
level: high
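As an added example (not part of the SigmaHQ rule or of this page), the following Python runs the rule's selection over constructed auditd records. It also shows why the rule's `fields` list names exe, comm and key: those attributes live on the SYSCALL record of an audit event, not on the PATH record the selection matches, so the two record types have to be joined on the audit serial before the alert is useful. Two caveats a practitioner should keep in mind: the `name` values are exact-match, so drop-in files such as those under /etc/rsyslog.d/ fall outside this rule; and PATH records only exist for paths covered by an audit watch, so the rule presumes watches like `-w /etc/rsyslog.conf -p wa -k logging_config` (the key name is an assumption). A watch that also includes `-p r` would make the rule fire on plain reads of the files.

```python
"""Apply the Sigma selection (type=PATH, name in the watched list) to raw
auditd records and enrich each hit with exe/comm/key from the SYSCALL
record of the same event. Added example; sample data is constructed."""
import re
from collections import defaultdict

# Exact paths from the rule's `name` list. Sigma matches these literally, so
# drop-in files (e.g. /etc/rsyslog.d/50-default.conf) are not covered.
WATCHED_PATHS = {
    "/etc/syslog.conf",
    "/etc/rsyslog.conf",
    "/etc/syslog-ng/syslog-ng.conf",
}

# Constructed auditd output (not a real capture). One audit event consists of
# several records (SYSCALL, CWD, PATH ...) sharing msg=audit(<ts>:<serial>).
# Event 4201: vim writes /etc/rsyslog.conf        -> should alert
# Event 4202: cat reads /etc/hostname              -> no alert
# Event 4203: rm deletes syslog-ng.conf            -> should alert
# Event 4204: nano writes a drop-in under rsyslog.d -> no alert (rule gap)
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4201): arch=c000003e syscall=257 success=yes exit=3 ppid=2210 pid=2214 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" key="logging_config"
type=CWD msg=audit(1700000000.101:4201): cwd="/root"
type=PATH msg=audit(1700000000.101:4201): item=0 name="/etc/" inode=1310721 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:4201): item=1 name="/etc/rsyslog.conf" inode=1311047 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:4202): arch=c000003e syscall=257 success=yes exit=3 ppid=2210 pid=2219 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="etc_watch"
type=PATH msg=audit(1700000000.102:4202): item=0 name="/etc/hostname" inode=1311050 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:4203): arch=c000003e syscall=87 success=yes exit=0 ppid=2210 pid=2225 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="logging_config"
type=PATH msg=audit(1700000000.103:4203): item=1 name="/etc/syslog-ng/syslog-ng.conf" inode=1311060 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1700000000.104:4204): arch=c000003e syscall=257 success=yes exit=3 ppid=2210 pid=2231 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="nano" exe="/usr/bin/nano" key="logging_config"
type=PATH msg=audit(1700000000.104:4204): item=1 name="/etc/rsyslog.d/50-default.conf" inode=1311071 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# Values are either double-quoted strings or bare tokens. auditd hex-encodes
# names containing spaces or non-printables as an unquoted hex string; that
# case is left undecoded here.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one auditd line into (type, serial, fields); None for non-records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return rtype, int(serial), fields


def group_events(lines):
    """Collect records by audit serial so a PATH hit can be enriched from
    the SYSCALL record of the same event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            rtype, serial, fields = rec
            events[serial].append((rtype, fields))
    return events


def detect(lines):
    """Run the rule's selection; return one alert dict per matching event,
    carrying the exe/comm/key the rule lists under `fields`."""
    alerts = []
    for serial, records in sorted(group_events(lines).items()):
        hits = [f["name"] for t, f in records
                if t == "PATH" and f.get("name") in WATCHED_PATHS]
        if not hits:
            continue
        syscall = next((f for t, f in records if t == "SYSCALL"), {})
        alerts.append({
            "serial": serial,
            "name": hits[0],
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
            "key": syscall.get("key"),
            "success": syscall.get("success"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

The output carries the watched path together with exe, comm and key, which is what the `fields` list asks an analyst to look at first when triaging against the "legitimate administrative activity" false positive.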
Related rules
- Auditing Configuration Changes on Linux Host
- Clear Linux Logs
- Connection Proxy
- File Deletion
- File or Folder Permissions Change