With rsyslog v7.3.9 we introduced the possibility to sign log messages through Guardtime, a signature provider. The process to enable this is relativey easy. And in the end you have your log files signed with a keyless signature that relies on hash functions through Guardtime. The signature functionality will be automatically loaded by omfile if so requested. It just requires that the signature provider itself is installed. For our RPMs and Ubuntu packages, it is available in the base packe. In the signature process a second file to your logfile will be created that has ".gtsig" as ending. This pair of files will later be needed to prove the integrity of your logfile.
In addition to rsyslog 7.3.9 or above you need "libgt". The library is either available from Guardtime directly or from our git. If you installed rsyslog from our packages, libgt will be installed automatically.
When installing manually, you need to enable the signature function. The most basic configure command looks like this:
./configure --prefix=/usr --enable-guardtime
When rsyslog is installed, you can use the Guardtime signatures easily with a few additional configuration directives. For detailed information about the configuration directives, please review the manual. The correct action would look like this:
action(type="omfile" file="/var/log/logfile" sig.provider="gt" sig.keepTreeHashes="on" sig.keepRecordHashes="on")
The directive sig.provider determines the provider that will be used. Currently, only Guardtime (gt) is available, but other providers might be added in the future. The other two options control the granularity of signature hashes at the cost of disk space. Though, when trying to detect a security breach, it might come in handy as it enables you to spot the location of the security breach. You will receive two files, that share the same name, but have a different extension.
When having rsyslog installed you get a new tool called "rsgutil". This will help you check the integrity of your logfile in conjunction with the signature file. By issuing
tools/rsgutil --verify --show-verified /var/log/logfile
you can make an easy check if the logfile is matching the stored hash. If the check was successful you will see it directly. If not, you will be notified as well and further investigation will be necessary.