// Cortex XDR XQL hunt: Linux PROCESS_START events whose command line points at
// /var/log/syslog being removed, emptied, symlinked away or redirected over,
// plus journald vacuum/rotate invocations.
// Matching is case-insensitive (config case_sensitive = false). `contains` and
// wildcard `in (...)` are substring matches, so e.g.
// `action_process_image_path contains "/rm"` would also be satisfied by a path
// ending in rmdir or rmmod — NOTE(review): confirm whether matching on the
// exact basename is wanted for the path checks below.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 // Branch A: the command line names /var/log/syslog AND the image is one of the
 // tools below (each with its own flag/argument constraints).
 ((action_process_image_command_line contains "/var/log/syslog" and 
 // rm: the flag list ends with "*/var/log/syslog*", which the enclosing
 // `contains "/var/log/syslog"` already guarantees, so this `in` does not
 // narrow the branch — any rm invocation naming syslog matches regardless of
 // -r/-f. Drop the last pattern if the flag restriction is intended.
 ((action_process_image_path contains "/rm" and 
 (action_process_image_command_line in ("* -r *", "* -f *", "* -rf *", "*/var/log/syslog*"))) or 
 // unlink / mv: no further argument check; any invocation naming syslog matches.
 // NOTE(review): log-rotation tooling that renames syslog via mv would also
 // fire here — confirm against baseline telemetry.
 action_process_image_path contains "/unlink" or 
 action_process_image_path contains "/mv" or 
 // truncate to zero length: needs a "0 " token (e.g. "-s 0 /var/log/syslog")
 // and one of -s / -c / --size. The inner syslog check repeats the outer one.
 (action_process_image_path contains "/truncate" and 
 (action_process_image_command_line contains "0 " and 
 action_process_image_command_line contains "/var/log/syslog") and 
 (action_process_image_command_line in ("*-s *", "*-c *", "*--size*"))) or 
 // ln: forced symlink of syslog to /dev/null (-sf, -sfn, -sfT). "/dev/null "
 // with the trailing space requires /dev/null to be a separate argument.
 (action_process_image_path contains "/ln" and 
 (action_process_image_command_line contains "/dev/null " and 
 action_process_image_command_line contains "/var/log/syslog") and 
 (action_process_image_command_line in ("*-sf *", "*-sfn *", "*-sfT *"))) or 
 // cp: copying /dev/null over the file (empties it without unlinking).
 (action_process_image_path contains "/cp" and 
 action_process_image_command_line contains "/dev/null") or 
 // shred: only the "-u " form (overwrite then unlink) is matched; a bare
 // overwrite (no -u) or a fused flag such as "-zu" is not — NOTE(review):
 // confirm that is the intended coverage.
 (action_process_image_path contains "/shred" and 
 action_process_image_command_line contains "-u "))) or 
 // Branch B (no image-path constraint): shell redirection onto syslog, in the
 // spellings "> f", ">f", ">| f", ": > f", ":> f", ":>f", ">|f".
 // NOTE(review): redirection is performed by the shell, so this only fires
 // when the redirection text is part of a spawned process's command line
 // (e.g. an interpreter's -c argument) — confirm with telemetry.
 ((action_process_image_command_line in ("* > /var/log/syslog*", "* >/var/log/syslog*", "* >| /var/log/syslog*", "*: > /var/log/syslog*", "*:> /var/log/syslog*", "*:>/var/log/syslog*", "*>|/var/log/syslog*")) or 
 // journald: "--vacuum*" covers --vacuum-time/--vacuum-size/--vacuum-files.
 // NOTE(review): routine maintenance may run these too; consider tuning on
 // parent process or user rather than suppressing the branch.
 (action_process_image_command_line in ("*journalctl --vacuum*", "*journalctl --rotate*")))))