SUSE / linux-security-sensor

Linux security sensor

Add SUSE.Linux.Events.NewZeroSizeLogFile artifact #74

Closed djoreilly closed 5 months ago

djoreilly commented 9 months ago

This monitoring artifact collects new zero-sized log files in /var/log.

djoreilly commented 9 months ago

We could also use ctime btime from stat() to ensure the file is really new. Not sure if the hashes of zero-sized files are of any value. Update: btime from stat() is not working.
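
The check discussed in this thread, as an added Python example that is not the artifact's own code and not part of either comment: each poll reports zero-sized regular files that were absent from the previous poll and whose st_ctime from stat() falls inside a recency window. The function name `scan_zero_size`, the `max_age` parameter and the temporary sample directory are assumptions made for the illustration.

```python
import os
import stat
import tempfile
import time


def scan_zero_size(root, seen, now=None, max_age=60.0):
    """Poll `root` once and return (alerts, snapshot).

    alerts: sorted paths of regular files that are zero-sized, were not in
    `seen` (the previous poll's snapshot) and whose st_ctime lies within
    `max_age` seconds of `now`.
    snapshot: every regular file seen in this poll; pass it as `seen` next time.
    """
    now = time.time() if now is None else now
    alerts, snapshot = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of root
            except OSError:
                continue  # file vanished between listing and stat, e.g. rotation
            if not stat.S_ISREG(st.st_mode):
                continue
            snapshot.add(path)
            is_new = path not in seen
            is_recent = now - st.st_ctime <= max_age
            if st.st_size == 0 and is_new and is_recent:
                alerts.append(path)
    return sorted(alerts), snapshot


if __name__ == "__main__":
    # Constructed sample directory standing in for /var/log.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "messages"), "w") as fh:
            fh.write("constructed log line\n")
        _, seen = scan_zero_size(root, set())  # baseline poll
        open(os.path.join(root, "audit.log"), "w").close()  # new empty file
        alerts, seen = scan_zero_size(root, seen)
        print("new zero-sized files:", alerts)
```
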