Independently of whether they are encrypted, log files can be digitally signed by the server so that any alteration of their content can be detected. Signing is controlled by the sign-log property in the configuration of each logger.
Rather than signing a log file as a whole, the server signs groups of one or more messages: each time it writes a set of log messages to disk, it generates a signature covering that set. If messages are altered, or a whole set of messages is removed from the file, this gives a fine-grained way to determine which content is still trustworthy and which is not. Signature information also carries over between rotated log files, so the removal of an entire log file from the chain can be detected as well.
The validate-file-signature tool can be used to verify the signatures in a log file to confirm that the content has not been altered. This tool supports the following arguments.
| Argument | Description |
|---|---|
| | Specifies the path to the file whose signature should be validated. If a chain of log files is to be validated, this should be the most recent file in the chain. |
| | Specifies the path to a file containing the passphrase that was used to encrypt the file contents. This should not be necessary if the file was encrypted with a key from the encryption settings database and that key is still accessible. If this argument is not provided and the encryption passphrase cannot be retrieved automatically, the tool prompts for the passphrase interactively. |
| | Indicates that the tool should validate a chain of log files. It starts with the file specified by the Note: when the server is restarted, it cannot continue using the signature chain it was using before the restart, so chain validation stops automatically when it encounters a server restart. |
| | Specifies the maximum number of log files in the chain that should be validated. By default, the tool attempts to verify as much of the chain as possible. |
| | Specifies the minimum length of time that should be covered by the log content when validating a chain of files. Its value is an integer followed by a time unit (for example, "10 minutes" or "1 day"); the tool iterates backwards through the files in the chain until at least this length of time has been covered. |
| | Indicates that the tool should ignore errors that can arise when a log file contains multiple signed blocks. This can happen if the server was restarted and the logger is configured to append to an existing log file rather than rotating it and starting a fresh one. |
| | Indicates that the tool should ignore the error raised when the target log file does not end with valid signature information. This can happen when validating the active log file while the server is still online. |
| | Indicates that the tool should ignore the error raised when following a log file chain and a file indicates that it was created by rotating from an earlier log file, but that earlier file does not exist. This can happen if the older log file has been deleted by log retention processing. |
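The following is an added, constructed model of the signed-block scheme described above and of the chain checks the validation tool performs. It is not the server's own code or on-disk format: the file layout, marker lines, key handling and the `SignedLogger`, `validate_file` and `validate_chain` names are assumptions made for illustration, and an HMAC stands in for the digital signature. The scenario in `demo()` exercises the cases the argument table lists: one altered block and one removed block show up as individually bad blocks while the surrounding blocks still verify, a chain walk stops at a server restart, the active file ends with messages that are not yet signed, and the predecessor of a rotated file has been deleted by retention.

```python
"""Toy model of signed log blocks and chain validation (constructed example)."""
import hashlib
import hmac
from typing import Dict, List, Optional

SIG_PREFIX = "#SIG "             # assumed marker: signature line closing a block
ROTATED_FROM = "#ROTATED-FROM "  # assumed marker: first line of a rotated file
GENESIS = "0" * 64               # "previous signature" at the start of a fresh chain


def sign_block(key: bytes, prev_sig: str, messages: List[str]) -> str:
    """Sign one block; mixing in prev_sig chains it to the block before it."""
    mac = hmac.new(key, prev_sig.encode(), hashlib.sha256)   # HMAC stands in for a signature
    for m in messages:
        mac.update(m.encode() + b"\n")
    return mac.hexdigest()


class SignedLogger:
    """Writes messages in signed blocks and carries the chain across rotation."""

    def __init__(self, key: bytes, name: str) -> None:
        self.key, self.current, self.prev_sig = key, name, GENESIS
        self.files: Dict[str, List[str]] = {name: []}

    def write(self, messages: List[str]) -> None:
        sig = sign_block(self.key, self.prev_sig, messages)
        self.files[self.current] += messages + [SIG_PREFIX + sig]
        self.prev_sig = sig

    def rotate(self, new_name: str) -> None:
        self.files[new_name] = [ROTATED_FROM + self.current]  # chain continues
        self.current = new_name

    def restart(self, new_name: str) -> None:
        self.files[new_name] = []                             # chain starts over
        self.current, self.prev_sig = new_name, GENESIS


def validate_file(key: bytes, lines: List[str], prev_sig: Optional[str]) -> dict:
    """Verify every block in one file. prev_sig=None means the predecessor was not
    available, so the first block is reported as None (unverifiable). Later blocks
    chain on the signature line actually present in the file, so one altered or
    removed block shows up as one bad block instead of invalidating the rest."""
    blocks: List[Optional[bool]] = []
    pending: List[str] = []
    for line in lines:
        if line.startswith(ROTATED_FROM):
            continue
        if line.startswith(SIG_PREFIX):
            sig = line[len(SIG_PREFIX):]
            if prev_sig is None:
                blocks.append(None)
            else:
                blocks.append(hmac.compare_digest(sig, sign_block(key, prev_sig, pending)))
            prev_sig, pending = sig, []
        else:
            pending.append(line)
    return {"blocks": blocks, "last_sig": prev_sig, "trailing_unsigned": bool(pending)}


def validate_chain(key: bytes, files: Dict[str, List[str]], newest: str,
                   max_files: Optional[int] = None) -> dict:
    """Follow rotation links backwards from `newest`, then verify files oldest first.
    A file without a rotation link (written after a restart) ends the walk."""
    order: List[str] = []
    name: Optional[str] = newest
    missing: Optional[str] = None
    truncated = False
    while name is not None:
        if max_files is not None and len(order) >= max_files:
            truncated = True
            break
        if name not in files:
            missing = name               # e.g. deleted by log retention
            break
        order.append(name)
        head = files[name][0] if files[name] else ""
        name = head[len(ROTATED_FROM):] if head.startswith(ROTATED_FROM) else None
    order.reverse()
    prev_sig: Optional[str] = None if (missing or truncated) else GENESIS
    per_file: Dict[str, dict] = {}
    for fname in order:
        per_file[fname] = validate_file(key, files[fname], prev_sig)
        prev_sig = per_file[fname]["last_sig"]
    return {"files": per_file, "order": order, "missing_predecessor": missing}


def demo() -> dict:
    """Constructed scenario covering the failure modes the tool's arguments address."""
    key = b"constructed-demo-key"        # stands in for the server's signing key
    log = SignedLogger(key, "access.log.1")
    log.write(["BIND dn=cn=admin result=0", "SEARCH base=dc=example,dc=com result=0"])
    log.write(["BIND dn=uid=mallory result=49"])
    log.write(["MODIFY dn=uid=alice result=0"])
    log.rotate("access.log.2")
    log.write(["DELETE dn=uid=bob result=0"])
    log.write(["BIND dn=uid=eve result=49"])
    log.write(["SEARCH base=ou=people result=0"])
    log.restart("access.log.3")          # the chain cannot continue across a restart
    log.write(["BIND dn=cn=admin result=0"])
    files = {k: list(v) for k, v in log.files.items()}
    files["access.log.1"][3] = "BIND dn=uid=mallory result=0"       # alter one message
    del files["access.log.2"][3:5]                                   # drop a whole block
    files["access.log.3"].append("SEARCH base=ou=groups result=0")  # not yet signed
    intact = validate_chain(key, files, "access.log.2")
    after_restart = validate_chain(key, files, "access.log.3")
    del files["access.log.1"]                                        # removed by retention
    retained = validate_chain(key, files, "access.log.2")
    return {"intact": intact, "after_restart": after_restart, "retained": retained}
```

In the `intact` report the altered block in `access.log.1` and the missing block in `access.log.2` are each flagged as a single bad block, while the blocks around them still verify; `after_restart` walks only `access.log.3` and reports its unsigned tail; `retained` reports the missing predecessor and leaves the first block of `access.log.2` unverifiable rather than calling it bad.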