PingDirectory

Signing log files

Regardless of whether they are encrypted, the server can digitally sign log files to provide a means of verifying that the content has not been altered in any way. This can be controlled by the sign-log property in the configuration for each logger.

Rather than signing log files as a whole, the server signs groups of one or more messages. Each time it writes a set of log messages to disk, a signature is generated for that set of messages. If log messages are altered, or a set of messages is removed from the file, this provides a finer-grained way to determine which content is trustworthy and which is not. Signature information can also carry over between rotated log files, so it is possible to determine whether an entire log file has been removed.

The validate-file-signature tool can be used to verify the signatures in a log file to confirm that the content has not been altered. This tool supports the following arguments.

Argument Description

--file

Specifies the path to the file whose signature should be validated. If a chain of log files should be validated, then this should be the most recent file in the chain.

--encryptionPassphraseFile

Specifies the path to a file containing the passphrase that was used to encrypt the file contents. This should not be necessary if the file was encrypted with a key from the encryption settings database and that key is still accessible. If this argument is not provided and the encryption passphrase cannot be automatically retrieved, then the tool interactively prompts for the passphrase.

--validateLogChain

Indicates that the tool should validate a chain of log files. It starts with the file specified by the --file argument, but if that file was created after rotating from a previous file, then it works its way backwards through the chain of log files.

When the server is restarted, it cannot continue using the same signature chain that it was using before the restart, so the process of validating a chain automatically stops when it encounters a server restart.

--numFiles

Specifies the maximum number of log files in the chain that should be validated. By default, the tool attempts to verify as much of the chain as possible.

--logDuration

Specifies the minimum length of the time span that should be covered by the log content when validating a chain of files. If this is specified, then its value should be given as an integer followed by a time unit (for example, “10 minutes” or “1 day”), and the tool tries to iterate backwards through files in the chain until at least this length of time has been covered.

--ignoreMultipleSignedBlocks

Indicates that the tool should ignore errors that can arise if a log file contains multiple signed blocks. This can happen if the server was restarted and the logger is configured to append to any existing log file rather than rotating it and starting with a fresh log file.

--ignoreMissingEndOfSignature

Indicates that the tool should ignore an error if the target log file does not end with valid signature information. This might happen when trying to validate the active log file with the server still online.

--ignoreMissingFile

Indicates that the tool should ignore an error caused by attempting to follow a log file chain when a file indicates that it was created after rotating from an earlier log file, but that earlier log file does not exist. This might happen if the older log file has been deleted by log retention processing.
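The following is an added, constructed model of the scheme described above (per-block signatures that chain into each other and across rotated files) together with a checker that walks a chain the way the validate-file-signature options describe. It is example code written for this page, not PingDirectory's on-disk format or the tool's implementation: the "#SIG" and "#ROTATED-FROM" marker lines, the HMAC-SHA256 construction, the demo key and the sample access-log messages are all assumptions chosen for illustration.

```python
"""Constructed model of block-signed, chained log files. It is not PingDirectory's on-disk
format; it only illustrates how per-block signatures localise tampering and how the chain
links rotated files."""
import hashlib
import hmac

KEY = b"constructed-demo-signing-key"   # a real server keeps this in its key store, not in code
SIG, ROT = "#SIG ", "#ROTATED-FROM "    # constructed marker lines: a block signature / a rotation header


def block_signature(prev_sig, messages):
    """HMAC over the previous block's signature plus this block's messages: that link is the chain."""
    h = hmac.new(KEY, prev_sig.encode(), hashlib.sha256)
    for m in messages:
        h.update(m.encode() + b"\n")
    return h.hexdigest()


class SignedLogWriter:
    """Writes messages in signed blocks; a dict of line lists stands in for files on disk."""

    def __init__(self):
        self.files, self.current, self.prev_sig = {}, None, ""

    def start(self, name):             # fresh chain: first start-up or a server restart
        self.files[name], self.current, self.prev_sig = [], name, ""

    def rotate(self, name):            # the new file's header records where the chain came from
        self.files[name] = [f"{ROT}{self.current} {self.prev_sig}"]
        self.current = name

    def write_block(self, messages):   # one flush to disk = one signed block
        sig = block_signature(self.prev_sig, messages)
        self.files[self.current] += list(messages) + [SIG + sig]
        self.prev_sig = sig


def verify_file(lines, ignore_missing_end=False):
    """Check every signed block in one file.
    Returns (problems, rotated_from, declared_prev_sig, last_sig)."""
    problems, pending, rotated_from, prev_sig, declared_prev = [], [], None, "", ""
    for n, line in enumerate(lines, 1):
        if line.startswith(ROT):
            rotated_from, declared_prev = line[len(ROT):].split(" ", 1)
            prev_sig = declared_prev
        elif line.startswith(SIG):
            recorded = line[len(SIG):]
            if not hmac.compare_digest(block_signature(prev_sig, pending), recorded):
                problems.append(f"block ending at line {n} does not verify")
            prev_sig, pending = recorded, []   # later blocks are judged on their own link
        else:
            pending.append(line)
    if pending and not ignore_missing_end:     # the --ignoreMissingEndOfSignature situation
        problems.append(f"{len(pending)} trailing message(s) have no signature")
    return problems, rotated_from, declared_prev, prev_sig


def verify_chain(files, newest, num_files=None, ignore_missing_file=False,
                 ignore_missing_end=False):
    """Walk backwards from `newest` through rotation headers, as --validateLogChain does.
    A file with no rotation header starts a fresh chain (a restart), so the walk stops there."""
    report, name, expected_last = {}, newest, None
    while name is not None and (num_files is None or len(report) < num_files):
        if name not in files:                  # older file gone, e.g. deleted by retention
            if not ignore_missing_file:
                report[name] = ["file is missing from the chain"]
            break
        problems, rotated_from, declared_prev, last_sig = verify_file(
            files[name], ignore_missing_end and name == newest)  # only the newest can be active
        if expected_last is not None and last_sig != expected_last:
            problems.append("last signature does not match the next file's rotation header")
        report[name] = problems
        name, expected_last = rotated_from, declared_prev
    return report


def build_sample_chain():
    """Constructed sample: two files joined by rotation, then a third after a restart."""
    w = SignedLogWriter()
    w.start("access.log.1")
    w.write_block(["conn=1 BIND dn=uid=alice,ou=people,dc=example,dc=com",
                   "conn=1 BIND RESULT resultCode=0"])
    w.rotate("access.log.2")
    w.write_block(["conn=2 SEARCH base=dc=example,dc=com scope=sub"])
    w.write_block(["conn=2 SEARCH RESULT resultCode=0 entriesReturned=3"])
    w.start("access.log.3")            # restart: new chain, no link back to access.log.2
    w.write_block(["conn=3 UNBIND"])
    return w


if __name__ == "__main__":
    files = build_sample_chain().files
    print("clean chain:", verify_chain(files, "access.log.2"))
    files["access.log.2"][1] = files["access.log.2"][1].replace("scope=sub", "scope=base")
    print("after editing one message:", verify_chain(files, "access.log.2"))
```

Because each block's HMAC covers the previous block's signature, editing one message flags only the block that contains it, while deleting a whole block breaks the link of the block that follows it; the rotation header carries the last signature of the previous file forward, so a deleted or truncated older file is reported when the chain is walked, and a file started after a restart has no header and ends the walk, matching the behaviour described for --validateLogChain.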