How to track what has removed the virtual host configuration files from your

[Suhitha]

Question

How to record and find what has removed the vhost configuration files from your Plesk server?

How to track what has deleted the vhost configuration files from your Plesk server?


Answer

The auditd tool can be used to record the events surrounding files in a specific directory.

• After the tool has been installed as instructed here, you may create a directory change monitoring setup for one or more vhosts by following these steps:

1.Log into the server via SSH as root.

2.Configure the monitoring rules for the needed directories with:

Code Select Expand

auditctl -w /var/www/vhosts/system/example.com/conf/ -p war
auditctl -w /var/www/vhosts/system/example.net/conf -p war
auditctl -w /var/www/vhosts/system/example.org/conf/ -p war
auditctl -w /etc/httpd/conf/plesk.conf.d/vhosts/ -p war
3.Wait until the issue reappears, the events related to the removed files should be logged and searchable through the auditd logs as on the following example:

# ausearch -f example.com | grep chmod

The results indicate what exactly has removed the mentioned files from your server.