diff --git a/rules/linux/lnx_clear_syslog.yml b/rules/linux/lnx_clear_syslog.yml
new file mode 100644
index 000000000..4ca3a5a26
--- /dev/null
+++ b/rules/linux/lnx_clear_syslog.yml
@@ -0,0 +1,27 @@
+title: Clearing syslog
+id: e09eb557-96d2-4de9-ba2d-30f712a5afd3
+status: experimental
+description: Detects removal of the syslog
+author: Max Altgelt
+date: 2021/09/10
+references:
+ - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
+logsource:
+ product: linux
+detection:
+ selection:
+ - 'rm /var/log/syslog'
+ - 'rm -r /var/log/syslog'
+ - 'rm -f /var/log/syslog'
+ - 'rm -rf /var/log/syslog'
+ - 'mv /var/log/syslog'
+ - ' >/var/log/syslog'
+ - ' > /var/log/syslog'
+ falsepositives:
+ - '/syslog.'
+ condition: selection and not falsepositives
+falsepositives:
+ - Log rotation
+level: high
+tags:
+ - attack.persistence
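Review bot: The `tags` entry `attack.persistence` mislabels the behaviour this rule describes; deleting or emptying syslog is log clearing, which ATT&CK files under Defense Evasion as T1070.002 (Clear Linux or Mac System Logs), so the tag list should read `- attack.defense_evasion` and `- attack.t1070.002`. The `logsource` block sets only `product: linux`, so the `selection` list is a bare keyword search over the whole event rather than a field match; binding it to `category: process_creation` with a `CommandLine|contains` list would scope the rule to command-line events and make the leading-space keywords such as `' >/var/log/syslog'` less brittle. Naming the exclusion selection `falsepositives` also collides with the top-level `falsepositives` metadata key and will confuse readers of the `condition`; the conventional name in this repository's rules is `filter`. Note as well that the `'/syslog.'` exclusion is a substring match over the entire event, so any command line that mentions a rotated file alongside the live one is dropped too, which is worth stating in `description`.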