Tomcat WebServer Logs Deleted

Jan 1, 2024 · attack.defense_evasion attack.t1070 ·

Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence

Sigma rule (View on GitHub)

 1title: Tomcat WebServer Logs Deleted
 2id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
 3status: test
 4description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
 5references:
 6    - Internal Research
 7    - https://linuxhint.com/view-tomcat-logs-windows/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023/02/16
10tags:
11    - attack.defense_evasion
12    - attack.t1070
13logsource:
14    category: file_delete
15    product: windows
16detection:
17    selection:
18        TargetFilename|contains|all:
19            - '\Tomcat'
20            - '\logs\'
21        TargetFilename|contains:
22            - 'catalina.'
23            - '_access_log.'
24            - 'localhost.'
25    condition: selection
26falsepositives:
27    - During uninstallation of the tomcat server
28    - During log rotation
29level: medium

References

Internal Research

Read More
How Do I View Tomcat Logs in Windows?

Apache Tomcat allows you to configure logging settings for the main web server and the java applications. Using apache logs, you can monitor how the server and your applications are running. Tomcat uses a customized implementation of the JULI provided in the java.util.logging package. How to view Tomcat Logs in Windows is explained in this article.

Read More

Tomcat WebServer Logs Deleted

Sigma rule (View on GitHub)

References

Internal Research

How Do I View Tomcat Logs in Windows?

Related rules