Attempt to Disable Syslog Serviceedit

Identifies attempts to disable the syslog service, a technique adversaries can use to disrupt event logging and evade detection by security controls.

Rule type: query

Rule indices:

  • auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100


  • Elastic
  • Linux

Version: 1

Added (Elastic Stack release): 7.8.0

Rule queryedit

event.action:(executed or process_started) and ((
and process.args:stop) or ( and
process.args:off) or ( and process.args:(disable
or stop or kill))) and process.args:(syslog or rsyslog or "syslog-ng")

Threat mappingedit