
I have a folder on my RHEL 9 server that gets deleted every few days, but I don’t know which process or user is responsible.

I’d like to log all events related to this folder, particularly deletions.

I came across a tool called auditd, which seems like it could help, but I'm not sure how to configure it to monitor this specific folder.

Is auditd the best option for this task, or is there a better tool or script I could use to track and log deletions?

Is this enough?

auditctl -w /path/to/myfolder -p rwa -k rule_watch_folder

1 Answer

auditd

For your use case of detecting and logging file deletions on RHEL, auditd is the right choice: it is robust, already available, and secure.

Add a watch rule:

sudo auditctl -w /path/to/myfolder/ -p wa -k folder_monitor

auditd produces the logs; syslog and journald collect them.

Make the rule persistent and restart auditd.

inotifywait

If you prefer something simpler, you could use inotifywait but it is less robust.

auditbeat

There is also auditbeat; it's more flexible and integrates with the ELK stack, but it is heavier and not installed by default on RHEL.

Just try and test all three and decide for yourself which one works best for you.
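A worked version of the auditd approach from the answer above, added here as an example that is not part of the original answer: it generates a persistent rule file (the answer's watch, plus a watch on the parent directory because removing the folder itself is a change to the parent, plus a syscall rule so the deleting process and user are recorded) and then pulls the successful deletions out of audit.log lines. The folder path, the key name `folder_monitor`, the x86_64 syscall numbers and the sample log lines are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the answer above). Assumes the key folder_monitor
# from the answer and x86_64 syscall numbers (unlink=87, rmdir=84,
# unlinkat=263). The audit.log lines below are constructed samples.

# Rule set to save as /etc/audit/rules.d/folder_monitor.rules, then load with:
#   sudo augenrules --load      (verify with: sudo auditctl -l)
folder_monitor_rules() {
    dir="${1%/}"
    cat <<EOF
-w ${dir}/ -p wa -k folder_monitor
-w $(dirname "$dir")/ -p wa -k folder_monitor
-a always,exit -F arch=b64 -S unlink,unlinkat,rmdir,rename,renameat -F dir=${dir} -k folder_monitor
EOF
}

# Print who deleted what from a raw /var/log/audit/audit.log: one line per
# successful delete syscall tagged with our key. On a live box the same view is
# "sudo ausearch -k folder_monitor -i" (which also resolves uids and syscalls).
# auid=4294967295 means no login session, i.e. cron, systemd or another daemon.
deletion_events() {
    awk '
    BEGIN { name[87] = "unlink"; name[84] = "rmdir"; name[263] = "unlinkat" }
    /^type=SYSCALL / && /key="folder_monitor"/ {
        split("", r)
        for (i = 1; i <= NF; i++) { split($i, kv, "="); r[kv[1]] = kv[2] }
        if ((r["syscall"] in name) && r["success"] == "yes")
            printf "%s syscall=%s auid=%s uid=%s comm=%s exe=%s\n",
                   r["msg"], name[r["syscall"]], r["auid"], r["uid"], r["comm"], r["exe"]
    }' "$1"
}

# Constructed sample: an interactive rm of a file, an unrelated open by vim, and
# an rmdir of the folder itself by a script running without a login session.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=2101 pid=2144 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="folder_monitor"
type=PATH msg=audit(1700000000.101:501): item=1 name="/path/to/myfolder/report.txt" inode=131 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2101 pid=2150 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="folder_monitor"
type=SYSCALL msg=audit(1700000000.309:503): arch=c000003e syscall=84 success=yes exit=0 items=2 ppid=1 pid=987 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="cleanup.sh" exe="/usr/bin/bash" key="folder_monitor"
type=PATH msg=audit(1700000000.309:503): item=1 name="/path/to/myfolder" inode=130 dev=fd:00 mode=040755 ouid=1000 ogid=1000 nametype=DELETE
EOF

# Usage: folder_monitor_rules /path/to/myfolder ; deletion_events "$SAMPLE_LOG"
```

The parent-directory watch also records every other write in that parent, so expect some noise there; the syscall rule is what gives you `comm`, `exe` and `auid` for the actual deletion.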
