Tomcat WebServer Logs Deleted

calendar Aug 12, 2024 · attack.defense-evasion attack.t1070  ·
Share on: linkedin copy

Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence

Sigma rule (View on GitHub)

 1title: Tomcat WebServer Logs Deleted
 2id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
 3status: test
 4description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
 5references:
 6    - Internal Research
 7    - https://linuxhint.com/view-tomcat-logs-windows/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-02-16
10tags:
11    - attack.defense-evasion
12    - attack.t1070
13logsource:
14    category: file_delete
15    product: windows
16detection:
17    selection:
18        TargetFilename|contains|all:
19            - '\Tomcat'
20            - '\logs\'
21        TargetFilename|contains:
22            - 'catalina.'
23            - '_access_log.'
24            - 'localhost.'
25    condition: selection
26falsepositives:
27    - During uninstallation of the tomcat server
28    - During log rotation
29level: medium

References

  • Internal Research


    Read More

  • How Do I View Tomcat Logs in Windows?

    Apache Tomcat allows you to configure logging settings for the main web server and the java applications. Using apache logs, you can monitor how the server and your applications are running. Tomcat uses a customized implementation of the JULI provided in the java.util.logging package. How to view Tomcat Logs in Windows is explained in this article.


    Read More

Related rules

to-top