Context:

We found one of environments that the files are getting deleted from /opt/ac60 directories. The files getting deleted seemed to be random. Sometime whole folders were deleted and sometimes it was few files in the folder.

What logging do we have enabled:
We enabled the audit rpm enabled on the servers.
audit-1.0.16-3.el4
audit-libs-1.0.16-3.el4
audit-libs-devel-1.0.16-3.el4
We started the Auditd services (service auditd start) and added the watch.

What logs do we have:
We did manage to get a few unlink and rmdir commands in the audit logs. Sample below:
type=PATH msg=audit(10/29/2009 09:30:44.295:63734) : name=/data/opt-linux-user/ac60/ac.ini.13_03_2008 flags=parent inode=16826370 dev=08:31 mode=dir,755 ouid=linux-user ogid=usergroup rdev=00:00
type=CWD msg=audit(10/29/2009 09:30:44.295:63734) : cwd=/home/linux-user
type=FS_INODE msg=audit(10/29/2009 09:30:44.295:63734) : inode=16826370 inode_uid=linux-user inode_gid=usergroup inode_dev=08:31 inode_rdev=00:00
type=FS_WATCH msg=audit(10/29/2009 09:30:44.295:63734) : watch_inode=16826370 watch=ac60 filterkey=cma_dir perm=read,write,append perm_mask=write,exec
type=SYSCALL msg=audit(10/29/2009 09:30:44.295:63734) : arch=i386 syscall=unlink success=yes exit=0 a0=8f05f18 a1=e28ef8 a2=e2a15c a3=8f05f18 items=1 pid=31813 auid=linux-user uid=linux-user gid=usergroup euid=linux-user suid=linux-user fsuid=linux-user egid=usergroup sgid=usergroup fsgid=usergroup comm=sftp-server exe=/usr/libexec/openssh/sftp-server
type=PATH msg=audit(10/29/2009 09:31:12.740:63751) : name=/data/opt-linux-user/ac60/audittrail flags=parent inode=16826370 dev=08:31 mode=dir,755 ouid=linux-user ogid=usergroup rdev=00:00
type=CWD msg=audit(10/29/2009 09:31:12.740:63751) : cwd=/home/linux-user
type=FS_INODE msg=audit(10/29/2009 09:31:12.740:63751) : inode=16826370 inode_uid=linux-user inode_gid=usergroup inode_dev=08:31 inode_rdev=00:00
type=FS_WATCH msg=audit(10/29/2009 09:31:12.740:63751) : watch_inode=16826370 watch=ac60 filterkey=cma_dir perm=read,write,append perm_mask=write,exec
type=SYSCALL msg=audit(10/29/2009 09:31:12.740:63751) : arch=i386 syscall=rmdir success=yes exit=0 a0=8f05f10 a1=e28ec7 a2=e2a15c a3=8f05f10 items=1 pid=31813 auid=linux-user uid=linux-user gid=usergroup euid=linux-user suid=linux-user fsuid=linux-user egid=usergroup sgid=usergroup fsgid=usergroup comm=sftp-server exe=/usr/libexec/openssh/sftp-server


Any help would be appreciated.

Well, since you've got user group, time the command was performed, you can look at the output of "last", to see who was logged in during the event. From there, you can look at their shell-history file, to see if they did anything (note: if they're logged in while you're looking, get them to log out, so the shell history will be written and up-to-date). Also, check the cron jobs, since something may be monitoring that directory, and doing a file purge, based on date/time stamps on the files.

Can any filesystem monitoring tool be helpful under this scenerio?

Not unless you write some custom code to take a 'snapshot' of the files/directories in question, write them to a log file, and use something like logwatch to see when it changes.

I am poor in writing script?
Anyone who can help me with this script/any tool?

As we tell everyone...we can HELP you, but aren't going to write it FOR you. There are lots of bash tutorials available through Google, that can help get you started.

After you get something going, come back and post what you've written, and where you're getting stuck.

Better to start your own thread.