[ https://issues.jboss.org/browse/JBDS-4443?page=com.atlassian.jira.plugin.... ] Lukáš Valach commented on JBDS-4443: ------------------------------------ My idea is to setup monitoring on wonka server. If there is selinux enabled, the auditing could be setup to log all write acces to some file. This way, we can find which user deleted the file and from which IP they was connected. {code} sudo auditctl -w /tmp/compositeArtifacts.xml -p w -k whodeletedit touch /tmp/compositeArtifacts.xml cat -v /var/log/audit/audit.log | grep whodeletedit # Output: # type=CONFIG_CHANGE msg=audit(1497250106.146:799): auid=1001 ses=6 op=updated_rules path="/tmp/compositeArtifacts.xml" key="whodeletedit" list=4 res=1 # Then we can get user name from "auid": getent passwd 1001 # Output: # testuser1001:1001::/home/testuser:/bin/bash # The "msg=audit" contains a date in milisecond, we can convert it to readable form date -d @1497250106.146 # Output: # Mon 12 Jun 08:48:26 CEST 2017 # Then we can find IP address from which users was connected using this command journalctl _COMM=sshd | grep testuser # Output: # Jun 12 08:42:55 dhcp-10-40-5-149.brq.redhat.com sshd[29048]: Accepted password for testuser from 127.0.0.1 port 54722 ssh2 {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)