---
title: Configuring log signing
description: PingDirectory servers support the ability to cryptographically sign a log to ensure that it has not been modified. For example, financial institutions require tamper-proof audit log files to ensure that transactions can be properly validated and that they have not been modified by a third-party entity or internally by an unauthorized person.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdatasync_server_administration_guide:pd_sync_config_log_signing
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdatasync_server_administration_guide/pd_sync_config_log_signing.html
revdate: September 13, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring log signing

## About this task

PingDirectory servers support the ability to cryptographically sign a log to ensure that it has not been modified. For example, financial institutions require tamper-proof audit log files to ensure that transactions can be properly validated and that they have not been modified by a third-party entity or internally by an unauthorized person.

When enabling signing for a logger that already exists, the first log file will not be completely verifiable because it still contains unsigned content from before signing was enabled. Only log files whose entire content was written with signing enabled will be considered completely valid. For the same reason, if a log file is still open for writing, then signature validation will not indicate that the log is completely valid because the log will not include the necessary "end signed content" indicator at the end of the file.

After the `sign-log` property has been enabled on a log publisher, disable and then re-enable the log publisher for the change to take effect. To validate log file signatures, use the `validate-file-signature` tool provided in the `bin` directory of the server (or the `bat` directory on Windows systems).

Perform the following steps to configure log signing:

## Steps

1. Use `dsconfig` to enable log signing for a Log Publisher. In this example, set the `sign-log` property on the File-based Audit Log Publisher.

   ```shell
   $ bin/dsconfig set-log-publisher-prop \
     --publisher-name "File-Based Audit Logger" \
     --set sign-log:true
   ```

2. Disable and then re-enable the Log Publisher for the changes to take effect.

   ```shell
   $ bin/dsconfig set-log-publisher-prop \
     --publisher-name "File-Based Audit Logger" \
     --set enabled:false
   ```

   ```shell
   $ bin/dsconfig set-log-publisher-prop \
     --publisher-name "File-Based Audit Logger" \
     --set enabled:true
   ```

3. Use the `validate-file-signature` tool to check whether a signed file has been altered.

   ```shell
   $ bin/validate-file-signature --file logs/audit
   ```

   ```
   All signature information in file 'logs/audit' is valid
   ```

   If any validation errors occur, a message displays that is similar to this:

   ```
   One or more signature validation errors were encountered while validating
   the contents of file 'logs/audit':
   * The end of the input stream was encountered without encountering the end
   of an active signature block. The contents of this signed block cannot be
   trusted because the signature cannot be verified
   ```
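
The following added example (not part of the product documentation) wraps step 3 for scheduled checks. It classifies the tool's output using the message text shown above and accepts a missing end marker only for a file that is still open for writing. The function names, the `VALIDATE_TOOL` override variable, and the one-bullet-per-error assumption are illustrative.

```shell
#!/bin/sh
# Added example, not product code. Message fragments are taken from the sample
# output on this page; treating each "* " line as one error is an assumption
# based on that sample.

# Read validate-file-signature output on stdin; print VALID, INCOMPLETE or INVALID.
classify_signature_output() {
  raw=$(cat)
  # Count error bullets so a missing end marker cannot mask another error.
  bullets=$(printf '%s\n' "$raw" | grep -c '^[[:space:]]*\* ' || true)
  # Long messages are wrapped, so match against a single-line copy.
  flat=$(printf '%s' "$raw" | tr '\n' ' ' | tr -s ' ')
  case "$flat" in
    *"All signature information in file "*" is valid"*)
      echo VALID ;;
    *"without encountering the end of an active signature block"*)
      if [ "$bullets" -le 1 ]; then echo INCOMPLETE; else echo INVALID; fi ;;
    *)
      # Unknown output, including a missing tool, fails closed.
      echo INVALID ;;
  esac
}

# check_signed_log FILE STATE
#   STATE=open   : file is still being written, so a missing end marker is expected
#   STATE=closed : file is no longer written, so anything but VALID is a failure
# VALIDATE_TOOL is a hypothetical override; the default is the path used on this page.
check_signed_log() {
  file=$1
  state=$2
  verdict=$("${VALIDATE_TOOL:-bin/validate-file-signature}" --file "$file" 2>&1 \
            | classify_signature_output)
  echo "$file: $verdict"
  case "$state:$verdict" in
    open:VALID|closed:VALID|open:INCOMPLETE) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage, run from the server root:
#   check_signed_log logs/audit open || echo "audit log failed validation" >&2
```

A log file that was already in use when signing was enabled is reported as `INVALID` here, because it still contains unsigned content.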
