Enable the audit log for directory /var/log/cassandra on a Cassandra node
Add the rule below to the audit rules directory. It records deletions (unlink, unlinkat, rmdir) and renames (rename, renameat, which also remove the old name) of files under /var/log/cassandra and tags each event with the key delete_var so it can be searched for later.
sudo vi /etc/audit/rules.d/audit.rules
-a always,exit -F dir=/var/log/cassandra -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete_var
sudo service auditd restart (on distributions that ship augenrules, the restart merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules and loads the result; sudo augenrules --load does the same without restarting the daemon)
Verify the rule is loaded: sudo auditctl -l
Search for matching events (add -i to resolve uids and syscall numbers to names): sudo ausearch -k delete_var -i
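The following is an added example, not part of the original post. It does two things around the rule above: a helper that prints the same delete-watch rule with an explicit -F arch= field per ABI (auditctl loads the rule as written on x86_64 but warns about 32/64 bit arch mixing without it; if your distribution's mv calls renameat2, add -S renameat2 as well), and an awk summariser that turns the output of ausearch -k delete_var --raw into one "who deleted what" line per event. The sample records in SAMPLE_EVENTS are constructed to look like ausearch output; the field names (type, msg, uid, auid, exe, success, nametype, name) are real auditd fields, but the serials, inodes, pids and paths are made up.

```shell
#!/bin/sh
# Added example (not the original post's code). Builds the delete-watch rule
# with explicit arch fields and summarises ausearch output for the key.

# Emit the rule for one directory and key, once per ABI. Listing b32 as well
# as b64 also catches 32-bit binaries calling unlink() on a 64-bit node.
audit_delete_rule() {
  dir="$1"
  key="$2"
  for arch in b64 b32; do
    printf -- '-a always,exit -F arch=%s -F dir=%s -S unlink -S unlinkat -S rename -S renameat -S rmdir -k %s\n' \
      "$arch" "$dir" "$key"
  done
}

# Summarise delete events read on stdin. ausearch prints the records of one
# event in reverse order (PATH before SYSCALL), so fields are collected per
# serial and printed in END. auditd hex-encodes names containing spaces, so
# splitting on whitespace is safe for the name= field.
summarize_deletes() {
  awk '
    {
      serial = ""
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        k = substr($i, 1, eq - 1)
        v = substr($i, eq + 1)
        gsub(/^"|"$/, "", v)                 # strip quotes around exe="..." etc.
        if (k == "msg") {                    # msg=audit(1700000000.123:4567): -> 4567
          sub(/^audit\([0-9.]*:/, "", v)
          sub(/\):$/, "", v)
          serial = v
        }
        f[k] = v
      }
      if (f["type"] == "SYSCALL") {
        uid[serial] = f["uid"]; auid[serial] = f["auid"]
        exe[serial] = f["exe"]; ok[serial] = f["success"]
      } else if (f["type"] == "PATH" && f["nametype"] == "DELETE") {
        gone[serial] = f["name"]             # entry that was unlinked or renamed away
      } else if (f["type"] == "PATH" && f["nametype"] == "CREATE") {
        new[serial] = f["name"]              # present for rename(): the new name
      }
      for (k in f) delete f[k]
    }
    END {
      for (s in gone) {
        printf "%s uid=%s auid=%s exe=%s success=%s deleted=%s", s, uid[s], auid[s], exe[s], ok[s], gone[s]
        if (s in new) printf " renamed_to=%s", new[s]
        printf "\n"
      }
    }
  ' | sort -n
}

# Constructed sample (made-up serials, inodes, pids): one unlink() by rm and one
# rename() by mv under the watched directory, in the order ausearch prints them.
SAMPLE_EVENTS='type=PATH msg=audit(1700000000.123:4567): item=1 name="/var/log/cassandra/system.log.1" inode=1235 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1700000000.123:4567): item=0 name="/var/log/cassandra/" inode=1234 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1700000000.123:4567): cwd="/root"
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="delete_var"
type=PATH msg=audit(1700000000.456:4568): item=3 name="/tmp/debug.log" inode=2002 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1700000000.456:4568): item=2 name="/var/log/cassandra/debug.log" inode=2002 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1700000000.456:4568): arch=c000003e syscall=82 success=yes exit=0 items=4 ppid=1234 pid=5690 auid=1000 uid=0 gid=0 euid=0 comm="mv" exe="/usr/bin/mv" key="delete_var"'

# Demo on the constructed sample. On a live node use instead:
#   sudo ausearch -k delete_var --raw | summarize_deletes
printf '%s\n' "$SAMPLE_EVENTS" | summarize_deletes
```

Note that the rename event shows up because rename() produces a PATH record with nametype=DELETE for the old name, which is why the rule lists rename and renameat alongside unlink; auid (the login uid) survives sudo and su, so it is the field to trust when attributing a deletion to a person.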