
Summary
This detection rule identifies potential tampering with syslog forwarding on UNIX-like systems through iptables or UFW. Adversaries trying to evade detection commonly modify or disable security tooling (ATT&CK T1562.001); the variant of interest here is a host firewall rule that blocks outbound packets to the syslog ports, 514 (UDP or TCP) and 6514 (syslog over TLS), so that log events never reach the central collector or SIEM. The rule inspects endpoint process data for command lines that contain the terms 'iptables' or 'ufw' together with a blocking action (for example a DROP or REJECT target on the OUTPUT chain, or a UFW 'deny out' rule) that references port 514 or 6514. Both TCP and UDP are covered, so neither plain UDP forwarding nor TCP/TLS forwarding can be cut without producing an alert. Matched events carry the user, the process and its command line, and the timestamp, which are the fields an analyst needs to decide whether the change was an authorised firewall update or an attempt to blind logging. Because the logic keys on command-line terms, a rule set loaded from a file with iptables-restore, written natively with nft, or pushed by a configuration-management agent will not contain those terms and will not match; treat this rule as one signal alongside others (such as a host that stops reporting to the collector) rather than as complete coverage.
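The following is an added worked example, not the rule's own query or code from the rule's author: a small Python implementation of the matching logic described above, run over a handful of constructed endpoint process events. It treats a command line as a hit when it names iptables/ip6tables or ufw, contains a blocking action (an OUTPUT-chain rule with a DROP or REJECT target, or a UFW 'deny out'/'reject out' rule), and references port 514 or 6514 (directly, in a multiport list, or inside a port range). The event field names (`_time`, `user`, `process_name`, `process`) are assumptions chosen to mirror typical endpoint process telemetry; the last two sample events show a shell-wrapped invocation that still matches and an nft command that does not.

```python
import re
from typing import Optional

SYSLOG_PORTS = {514, 6514}

# A hit requires the tool name, a blocking action, and a syslog port.
TOOL_RE = re.compile(r"\b(ip6?tables|ufw)\b", re.IGNORECASE)
# iptables: rule appended/inserted into the OUTPUT chain with a DROP/REJECT target
IPT_CHAIN_RE = re.compile(r"(?:^|\s)(?:-[AI]|--append|--insert)\s+OUTPUT\b")
IPT_TARGET_RE = re.compile(r"(?:^|\s)(?:-j|--jump)\s+(DROP|REJECT)\b")
# ufw: deny/reject rule in the outbound direction
UFW_ACTION_RE = re.compile(r"\b(deny|reject)\s+out\b", re.IGNORECASE)
# destination port specs: --dport 514, --dports 514,6514, 'port 514', or 514/udp
PORT_RE = re.compile(r"(?:--dports?|--destination-ports?|\bport)\s+([\d,:]+)|\b(\d+)/(?:tcp|udp)\b")
PROTO_RE = re.compile(r"(?:(?:^|\s)(?:-p|--protocol|proto)\s+|/)(tcp|udp)\b", re.IGNORECASE)

# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:00:01Z", "user": "root", "process_name": "iptables",
     "process": "iptables -A OUTPUT -p udp --dport 514 -j DROP"},
    {"_time": "2024-02-09T10:00:02Z", "user": "root", "process_name": "iptables",
     "process": "iptables -I OUTPUT 1 -p tcp --dport 6514 -j REJECT"},
    {"_time": "2024-02-09T10:00:03Z", "user": "root", "process_name": "ufw",
     "process": "ufw deny out proto tcp to any port 514"},
    {"_time": "2024-02-09T10:00:04Z", "user": "admin", "process_name": "iptables",
     "process": "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"},        # benign
    {"_time": "2024-02-09T10:00:05Z", "user": "admin", "process_name": "ufw",
     "process": "ufw allow 514/udp"},                                     # allow, not a block
    {"_time": "2024-02-09T10:00:06Z", "user": "root", "process_name": "bash",
     "process": "bash -c 'iptables -A OUTPUT -p udp --dport 514 -j DROP'"},  # wrapped, still matches
    {"_time": "2024-02-09T10:00:07Z", "user": "root", "process_name": "nft",
     "process": "nft add rule inet filter output udp dport 514 drop"},  # known gap: no iptables/ufw term
]


def syslog_ports_in(spec: str) -> set:
    """Return the syslog ports covered by a port spec such as '514',
    '514,6514' or '500:600' (both tools write ranges as a:b)."""
    hits = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            if lo.isdigit() and hi.isdigit():
                hits |= {p for p in SYSLOG_PORTS if int(lo) <= p <= int(hi)}
        elif part.isdigit() and int(part) in SYSLOG_PORTS:
            hits.add(int(part))
    return hits


def detect_syslog_block(event: dict) -> Optional[dict]:
    """Return an enriched alert for a command that blocks outbound syslog, else None."""
    cmd = event.get("process", "")
    tool = TOOL_RE.search(cmd)
    if not tool:
        return None
    name = tool.group(1).lower()
    if name.endswith("tables"):
        blocking = IPT_CHAIN_RE.search(cmd) and IPT_TARGET_RE.search(cmd)
    else:
        blocking = UFW_ACTION_RE.search(cmd)
    if not blocking:
        return None
    ports = set()
    for m in PORT_RE.finditer(cmd):
        ports |= syslog_ports_in(m.group(1) or m.group(2))
    if not ports:
        return None
    proto = PROTO_RE.search(cmd)
    return {
        "_time": event.get("_time"),
        "user": event.get("user"),
        "process_name": event.get("process_name"),
        "tool": name,
        "ports": sorted(ports),
        "protocol": proto.group(1).lower() if proto else "any",
        "process": cmd,
        "technique": "T1562.001",
    }


def run_detection(events) -> list:
    """Apply the detection to a sequence of events and return the hits."""
    return [hit for hit in (detect_syslog_block(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit['_time']} user={hit['user']} tool={hit['tool']} "
              f"proto={hit['protocol']} ports={hit['ports']} :: {hit['process']}")
```

Running the block flags the two iptables rules, the UFW deny rule and the shell-wrapped iptables call, and ignores the ACCEPT rule, the UFW allow and the nft command. The last case is the point of the caveat in the summary: the same blocking effect achieved with nft or an iptables-restore file carries none of the matched terms, so this rule should be paired with a check for hosts that go quiet on the collector.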
Categories
- Endpoint
- Linux
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-02-09