You should not parse the Apache logfile. You should use the admin_audit logfile instead.
The good part of the audit logfile is that it is in JSON format, which means it is very easy to handle. The command-line JSON processor jq is needed for this.
You must activate the audit logfile (as a file, not in syslog). Then you can monitor all file deletions without any false positives.
Here is an example to obtain a list of all deleted files since ‘yesterday 00:00:00’ in your local timezone:
# Path to the admin_audit log (written as a file, not to syslog)
LOGFILE="/path/to/audit.log"
# Start of the time window, in the local timezone, in the same format as the "time" field of the log
START_DATE="$(date -d 'yesterday 00:00:00' +%Y-%m-%dT%H:%M:%S%z)"
# The log holds one JSON object per line; -r prints raw strings instead of JSON-quoted ones
jq -r --arg start "$START_DATE" '
select(.method == "DELETE" and (.time | strptime("%Y-%m-%dT%H:%M:%S%z") | mktime >= ($start | strptime("%Y-%m-%dT%H:%M:%S%z") | mktime))) |
[.time, .remoteAddr, .user, .url, .message, .userAgent] | join(" - ")
' "$LOGFILE"
Instead of ‘yesterday 00:00:00’, you can use ‘2 days ago 00:00:00’ or ‘last week 00:00:00’. (These alternatives are detailed in the “Date input formats” section of the info date documentation.)
Put these commands in a little script, invoked by a cron job, and you have your daily list of deleted files.
Maybe you want to combine it with logrotate as a “prerotate” job; if you rotate on a daily basis, you do not need the time calculation from my example, which makes the jq command a lot simpler.
Here I explained some more about filtering the audit.log with jq.
Much and good luck,
ernolf
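An added example, not ernolf's code: the same filter as the jq one-liner above, written as a small Python script that a cron job could run instead. It compares absolute instants, so a log line written with a different UTC offset than your local one still lands on the correct side of the window; it skips lines that are not valid JSON or have no parseable "time"; and it prints an empty string for fields that are missing or null. The field names follow the post; the log lines, addresses, users, URLs and the fixed "now" are constructed for the example.

```python
"""Filter Nextcloud admin_audit JSON log lines for DELETE requests since a start time.

Added example (not the post author's code). Assumes the audit log is
newline-delimited JSON with the field names used in the post: time,
remoteAddr, user, method, url, message, userAgent. All sample data below is
constructed.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Timestamp format of the "time" field: ISO 8601 with a numeric UTC offset.
# %z accepts both "+02:00" and "+0200" (Python 3.7+), so the log's own
# timestamps and the output of `date +%z` both parse.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S%z"

# Fields printed per hit, in the same order as the jq filter in the post.
FIELDS = ("time", "remoteAddr", "user", "url", "message", "userAgent")

# Constructed sample log (NOT a real log). One JSON object per line; it
# deliberately contains a non-DELETE request, a null userAgent, a line that is
# not JSON, a line without "time", and DELETEs written with different offsets.
SAMPLE_LOG = """\
{"reqId": "r1", "time": "2024-05-01T23:30:00+02:00", "remoteAddr": "192.0.2.10", "user": "alice", "app": "admin_audit", "method": "DELETE", "url": "/remote.php/dav/files/alice/old.txt", "message": "File deleted: /old.txt", "userAgent": "Mozilla/5.0"}
{"reqId": "r2", "time": "2024-05-02T08:15:42+02:00", "remoteAddr": "192.0.2.11", "user": "bob", "app": "admin_audit", "method": "DELETE", "url": "/remote.php/dav/files/bob/report.pdf", "message": "File deleted: /report.pdf", "userAgent": "Nextcloud-android/3.29"}
{"reqId": "r3", "time": "2024-05-02T09:00:00+02:00", "remoteAddr": "192.0.2.11", "user": "bob", "app": "admin_audit", "method": "PUT", "url": "/remote.php/dav/files/bob/new.pdf", "message": "File created: /new.pdf", "userAgent": "Nextcloud-android/3.29"}
{"reqId": "r4", "time": "2024-05-02T06:05:00+00:00", "remoteAddr": "198.51.100.7", "user": "carol", "app": "admin_audit", "method": "DELETE", "url": "/remote.php/dav/files/carol/photo.jpg", "message": "File deleted: /photo.jpg", "userAgent": null}
this line is not JSON at all
{"reqId": "r5", "time": "2024-05-01T22:30:00+00:00", "remoteAddr": "203.0.113.5", "user": "dave", "app": "admin_audit", "method": "DELETE", "url": "/remote.php/dav/files/dave/notes.md", "message": "File deleted: /notes.md", "userAgent": "curl/8.0"}
{"reqId": "r6", "method": "DELETE", "user": "erin"}
"""

# Constructed, fixed "now" (local offset +02:00) so the example is reproducible.
# A real cron script would use datetime.now().astimezone() instead.
EXAMPLE_NOW = datetime(2024, 5, 3, 10, 0, tzinfo=timezone(timedelta(hours=2)))


def window_start(days_ago: int, now: datetime) -> datetime:
    """Midnight `days_ago` days before `now`, in now's timezone.

    window_start(1, now) mirrors `date -d 'yesterday 00:00:00'`.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    day = (now - timedelta(days=days_ago)).date()
    return datetime.combine(day, datetime.min.time(), tzinfo=now.tzinfo)


def format_entry(entry: dict) -> str:
    """Join the fields of interest with ' - ', using '' for missing/null ones."""
    return " - ".join("" if entry.get(f) is None else str(entry[f]) for f in FIELDS)


def deleted_files_since(lines, start: datetime):
    """Return (formatted DELETE entries at or after `start`, sorted by time; number of skipped lines).

    Lines that are empty are ignored; lines that are not JSON objects or whose
    "time" is missing/unparseable are counted as skipped rather than aborting.
    """
    if start.tzinfo is None:
        raise ValueError("start must be timezone-aware")
    hits = []
    skipped = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
            when = datetime.strptime(entry["time"], TIME_FORMAT)
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        # Aware-datetime comparison works on the absolute instant regardless of offset.
        if entry.get("method") != "DELETE" or when < start:
            continue
        hits.append((when, entry))
    hits.sort(key=lambda hit: hit[0])
    return [format_entry(entry) for _, entry in hits], skipped


if __name__ == "__main__":
    # Usage: python3 deleted_since.py [/path/to/audit.log]; without an argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read().splitlines()
    else:
        source = SAMPLE_LOG.splitlines()
    results, skipped_lines = deleted_files_since(source, window_start(1, EXAMPLE_NOW))
    print("\n".join(results))
    if skipped_lines:
        print(f"{skipped_lines} line(s) skipped (not JSON or no parseable time)", file=sys.stderr)
```

Run against the built-in sample it prints three DELETE lines: dave's entry first, because 22:30 UTC on May 1 is 00:30 on May 2 in the +02:00 window, then carol's (with an empty trailing userAgent field), then bob's; alice's DELETE from the previous evening and bob's PUT are filtered out, and the two broken lines are reported on stderr instead of breaking the run.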