rsyslog

The rocket-fast system for log processing

[deprecated] How to sign log messages through signature provider Guardtime

By Adiscon SupportPosted on Posted in FAQTagged , , , , ,

Please note: This method is deprecated. Please refer to the new log signing method with KSI.

With rsyslog v7.3.9 we introduced the possibility to sign log messages through Guardtime, a signature provider. The process to enable this is relativey easy. And in the end you have your log files signed with a keyless signature that relies on hash functions through Guardtime. The signature functionality will be automatically loaded by omfile if so requested. It just requires that the signature provider itself is installed. For our RPMs and Ubuntu packages, it is available in the base packe. In the signature process a second file to your logfile will be created that has “.gtsig” as ending. This pair of files will later be needed to prove the integrity of your logfile.

In addition to rsyslog 7.3.9 or above you need “libgt”. The library is either available from Guardtime directly or from our git. If you installed rsyslog from our packages, libgt will be installed automatically.

When installing manually, you need to enable the signature function. The most basic configure command looks like this:

./configure --prefix=/usr --enable-guardtime

When rsyslog is installed, you can use the Guardtime signatures easily with a few additional configuration directives. For detailed information about the configuration directives, please review the manual. The correct action would look like this:

action(type="omfile" file="/var/log/logfile"
                sig.provider="gt"
                sig.timestampService="http://user:password@stamper.guardtime.net/gt-signingservice"
                # Please contact Guardtime for authentication details
                sig.keepTreeHashes="on" 
                sig.keepRecordHashes="on")

The directive sig.provider determines the provider that will be used. Currently, only Guardtime (gt) is available, but other providers might be added in the future. The other two options control the granularity of signature hashes at the cost of disk space. Though, when trying to detect a security breach, it might come in handy as it enables you to spot the location of the security breach. You will receive two files, that share the same name, but have a different extension.

/var/log/logfile
/var/log/logfile.gtsig

When having rsyslog installed you get a new tool called “rsgtutil”. This will help you check the integrity of your logfile in conjunction with the signature file. By issuing

tools/rsgtutil --verify --show-verified /var/log/logfile

you can make an easy check if the logfile is matching the stored hash. If the check was successful you will see it directly. If not, you will be notified as well and further investigation will be necessary.

Please note:

The Guardtime KSI service has been upgraded to mitigate DOS attacks by adding user authentication. Please contact Guardtime for more information.

rsyslog 7.3.9 (v7-devel) released

By adisconteamPosted on Posted in News, Release AnnouncementTagged , , , , , , ,

We have just released v 7.3.9 of the rsyslog development branch. The most important feature of this release is the capability to digitally sign log files. This is done via RFC3161. It also contains some other feature enhancements as well as bug fixes. Note that 7.3.9 is almost feature-complete and can be considered a beta. It is our goal to release a new v7.4 stable within the next few weeks.

ChangeLog:

http://www.rsyslog.com/changelog-for-7-3-9-v7-devel/

Download:

http://www.rsyslog.com/rsyslog-7-3-9-v7-devel/

As always, feedback is appreciated.

Best regards,
Tim Eifler

Changelog for 7.3.9 (v7-devel)

By adisconteamPosted on Posted in ChangelogTagged , , , , , , , ,

Version 7.3.9 [devel] 2013-03-27

  • support for signing logs added
  • imudp: now supports user-selectable inputname
  • omlibdbi: now supports transaction interface
    if recent enough lbdbi is present
  • imuxsock: add ability to NOT create/delete sockets during startup and
    shutdown
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=259
  • imfile: errors persisting state file are now reported
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=292
  • imfile: now detects file change when rsyslog was inactive
    Previosly, this case could not be detected, so if a file was overwritten
    or rotated away while rsyslog was stopped, some data was missing. This
    is now detected and the new file being forwarded right from the
    beginning.
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=228
  • updated systemd files to match current systemd source
  • bugfix: imudp scheduling parameters did affect main thread, not imudp
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=409
  • bugfix: build problem on platforms without GLOB_NOMAGIC
  • bugfix: build problems on non-Linux platforms
  • bugfix: stdout/stderr were not closed on forking
    but were closed when running in the forground – this was just reversed
    of what it should be. This is a regression of a recent change.

rsyslog 7.3.8 (v7-devel) released

By adisconteamPosted on Posted in News, Release AnnouncementTagged , , , , , , , ,

We have just released v 7.3.8 of the rsyslog development branch. The new version supports specifying IPv4/v6 only fo imrelp. Other than that, it is a bug-fixing release.

ChangeLog:

http://www.rsyslog.com/changelog-for-7-3-8-v7-devel/

Download:

http://www.rsyslog.com/rsyslog-7-3-7-v8-devel/

As always, feedback is appreciated.

Best regards,
Tim Eifler

rsyslog 7.3.7 (v7-devel) released

By Adiscon SupportPosted on Posted in News, Release AnnouncementTagged , , , , , , , , , ,

We have just released v 7.3.7 of the rsyslog development branch. This release offers some important new features, most importantly a plugin to anonymize IPv4 addresses and a plugin to write to the systemd journal. Also, the field() RainerScript function has been upgraded to support multi-character field delimiters. There is also a number of bug fixes present.

ChangeLog:

http://www.rsyslog.com/changelog-for-7-3-7-v7-devel/

Download:

http://www.rsyslog.com/rsyslog-7-3-7-v7-devel/

As always, feedback is appreciated.

Best regards,
Florian Riedl

Changelog for 7.3.7 (v7-devel)

By Adiscon SupportPosted on Posted in ChangelogTagged , , , , , , , ,

Version 7.3.7  [devel] 2013-03-12

  • add support for anonymizing IPv4 addresses
  • add support for writing to the Linux Journal (omjournal)
  • imuxsock: add capability to ignore messages from ourselves
    This helps prevent message routing loops, and is vital to have if omjournal is used together with traditional syslog.
  • field() function now supports a string as field delimiter
  • added ability to configure debug system via rsyslog.conf
  • bugfix: imuxsock segfault when system log socket was used
  • bugfix: mmjsonparse segfault if new-style config was used
  • bugfix: script == comparison did not work properly on JSON objects
  • bugfix: field() function did never return “***FIELD NOT FOUND***”
    instead it returned “***ERROR in field() FUNCTION***” in that case
Scroll to top