Syslog service interruption detection and response
Playbook Description
This playbook retrieves user details, verifies known-user activity and IP legitimacy to verify the root cause of Syslog service interruptions. To remediate the interruptions, it blocks malicious IPs, terminates malicious processes, hardens and restricts services, disables and logs off compromised users, and isolates the host.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Credential Access (TA0006) | Impair Defenses (T1562) | Disable or Modify Linux Audit System (T1562.012) |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Detect (D3-Detect) | Platform Monitoring (D3-PM) | System Daemon Monitoring (D3-SDM) |
Playbook input type
Alert
Dependencies
Utility functions:
- linux_detectMaliciousUser
- linux_validateUserLogs
- utility_getRequiredTime
- utility_sendMail
Scripts
| Script Name | Description | Arguments |
|---|---|---|
| restartServices.sh | Checks the status of the rsyslog service and restarts it, returning the service status output and action results as JSON. | (none) |
| enableServiceHardening.sh | Applies systemd security hardening overrides to the rsyslogd service (PrivateTmp, ProtectSystem, ProtectHome, NoNewPrivileges, etc.) and reloads the systemd daemon. | (none) |
| fetchServicesUser.sh | Fetches sudo activity logs from journalctl since a given timestamp, filtering for service control operations (start/stop/restart/systemctl/rsyslog). | today |
| fetchUserDetails.sh | Fetches user identity details, including UID/GID, group memberships, and sudo privileges, by inspecting /etc/sudoers and /etc/sudoers.d/ without invoking sudo. | $.result_details.investigation.username.data |
| killProcess.sh | Terminates a running process by name using pkill -9. | $.result_details.investigation.username.data |
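As an added example, not one of the playbook's own scripts, the two pieces of logic the table describes for fetchServicesUser.sh and enableServiceHardening.sh in POSIX shell: a filter that reads journalctl sudo entries and reports which user stopped, disabled, masked or killed rsyslog, and a writer for the systemd hardening drop-in. The sample journal lines are constructed, and the drop-in directory name and the specific option values are assumptions.

```shell
#!/bin/sh
# Constructed sample of journalctl output for sudo entries (not real data).
SAMPLE_JOURNAL='Mar 03 09:12:44 host1 sudo[2231]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status rsyslog
Mar 03 09:15:02 host1 sudo[2290]: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl stop rsyslog
Mar 03 09:15:40 host1 sudo[2301]: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl mask rsyslog.service
Mar 03 09:20:11 host1 sudo[2350]: carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt-get update'

# flag_syslog_tampering: read journal text on stdin and print one line
# "<month> <day> <time> <user> <command>" for every sudo entry whose command
# names rsyslog together with stop/disable/mask/kill/pkill/killall.
# Status and restart checks are left out; a bare "kill <pid>" cannot be
# attributed to rsyslog by name and is out of scope here.
# Real input: journalctl _COMM=sudo --since "<timestamp>" | flag_syslog_tampering
flag_syslog_tampering() {
  awk '
    $5 ~ /^sudo\[[0-9]+\]:$/ && /COMMAND=/ {
      n = index($0, "COMMAND="); cmd = substr($0, n + 8)
      if (cmd ~ /rsyslog/ &&
          cmd ~ /[[:space:]\/](stop|disable|mask|kill|pkill|killall)([[:space:]]|$)/)
        printf "%s %s %s %s %s\n", $1, $2, $3, $6, cmd
    }'
}

# write_rsyslog_hardening: write a systemd drop-in that confines rsyslogd,
# into the directory given as $1. On a real host that directory is assumed
# to be /etc/systemd/system/rsyslog.service.d, followed by
# "systemctl daemon-reload && systemctl restart rsyslog". Check that rsyslog
# still writes to /var/log afterwards; ProtectSystem=strict would block it.
write_rsyslog_hardening() {
  mkdir -p "$1"
  cat > "$1/hardening.conf" <<'EOF'
[Service]
PrivateTmp=yes
ProtectSystem=full
ProtectHome=read-only
NoNewPrivileges=yes
EOF
}
```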
Execution workflow
Investigation:
- Fetches the sudo service-control activity (start, stop, restart and systemctl operations against rsyslog).
- Identifies from those logs the user who acted on the service.
Decision logic:
- Evaluates investigation findings and proceeds to remediation if malicious indicators are confirmed.
- If no malicious indicators are confirmed, the playbook ends with no further actions.
Remediation:
- Validates the last logon and IP.
- Checks that no low disk space alert exists.
- Checks that the user does not have sudo privileges.
- Validates the user.
- Checks whether the user is malicious.
- Terminates the session.
- Enables the Syslog service hardening.
- Checks and restarts Rsyslog service.
- Validates if all remediation actions are completed successfully.
- Builds the notification email with remediation details and findings.
- Sends a notification email regarding the actions taken and required next steps.
Post execution procedure
- Confirm that the Rsyslog service is running and logging events correctly.
- Investigate activities that occurred during the logging gap when syslog was interrupted.
- Review the user account that stopped the Syslog service for any additional suspicious activity.
- Audit Syslog configurations across the organization for similar tampering attempts.
- Consider implementing log forwarding to a centralized SIEM to prevent log tampering.