Question
How to record and find what has removed the vhost configuration files from your Plesk server?
How to track what has deleted the vhost configuration files from your Plesk server?
Answer
The auditd tool can be used to record the events surrounding files in a specific directory.
-
After the tool has been installed as instructed here, you may create a directory change monitoring setup for one or more vhosts by following these steps:
-
Log into the server via SSH as root.
-
Configure the monitoring rules for the needed directories with:
CONFIG_TEXT: auditctl -w /var/www/vhosts/system/example.com/conf/ -p war
auditctl -w /var/www/vhosts/system/example.net/conf -p war
auditctl -w /var/www/vhosts/system/example.org/conf/ -p war
auditctl -w /etc/httpd/conf/plesk.conf.d/vhosts/ -p war -
Wait until the issue reappears, the events related to the removed files should be logged and searchable through the auditd logs as on the following example:
# ausearch -f example.com | grep chmod
The results indicate what exactly has removed the mentioned files from your server.
-
Comments
0 comments
Please sign in to leave a comment.