slogverify - Verify cryptographically secured logs
slogverify [options] [input file] [output file] [buffers]
The slogverify utility is used to verify the integrity of
cryptographically secured logs and to decrypt log entries produced in a
syslog-ng secure logging environment.
Normal mode: slogverify -k <host key file> -m <input MAC file> <input file> <output file> [buffers]
Iterative mode: slogverify -i -p <previous host key> -r <previous MAC> -m <current MAC> <input file> <output file> [buffers]
input file
An encrypted log file from the syslog-ng secure logging
environment that will be verified.
output file
The file that will contain the plain text log entries
after decryption and verification.
buffers
Optional number of input buffers. The number of buffers can be used for
performance adjustments in case the log file to be verified is very large and
cannot be processed at once. It is a positive number of log entries that can be
held in memory during verification. The minimum number is 10 and the maximum
number is 4294967295. If this argument is not supplied, the default of 1000 is
used.
--iterative or -i
Iterative mode. This is useful in case the log files are periodically copied
from the system on which they were generated to a central collector. As log
rotation, i.e. overwriting log files in order to preserve space, cannot be done
in a secure logging environment, the iterative mode can be used instead. This
works as follows: if a certain storage limit is reached, the log file together
with the host key and the MAC file is copied to a new destination and the old
file is deleted. The verification is then performed in iterations, i.e.
separately for each file that was retrieved from the log host. For this to
work, it is important to always retrieve the corresponding host key and MAC
files. The process can be automated, e.g. by calling slogverify in iterative
mode from a script.
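The following script is an added example of such automation; it is not part of the slogverify manual page or the syslog-ng project. It assumes a naming convention that the tool does not prescribe: rotated segments are named <base>.0, <base>.1, ... in the order they were produced, segment N carries its host key in <base>.N.key and its MAC in <base>.N.mac, and <base>.0.key is the initial host key k0. Segment 0 is verified in normal mode; every later segment is verified in iterative mode with the previous segment's key and MAC and the current segment's MAC, as the option descriptions above specify. Verification stops at the first failing segment so that a broken chain is reported rather than skipped.

```shell
#!/bin/sh
# Added example, not from the slogverify man page. Assumed layout (hypothetical):
#   <base>.N        encrypted log segment N (N = 0, 1, 2, ...)
#   <base>.N.key    host key that was copied together with segment N
#   <base>.N.mac    MAC file that was copied together with segment N
#   <base>.0.key    the initial host key k0
# Output for segment N is written to <base>.N.plain.

# check_buffers N: enforce the documented lower bound (minimum 10) on the
# optional buffers argument before handing it to slogverify.
check_buffers() {
    case "$1" in
        ''|*[!0-9]*) echo "buffers must be a positive integer" >&2; return 1 ;;
    esac
    [ "$1" -ge 10 ] || { echo "buffers must be at least 10" >&2; return 1; }
}

# build_cmd BASE N [BUFFERS]: print the slogverify command line for segment N.
build_cmd() {
    base=$1; n=$2; buffers=${3:-1000}
    check_buffers "$buffers" || return 1
    in="$base.$n"
    out="$base.$n.plain"
    if [ "$n" -eq 0 ]; then
        # First segment: normal mode, anchored on the initial host key k0.
        printf 'slogverify -k %s -m %s %s %s %s\n' \
            "$base.0.key" "$base.0.mac" "$in" "$out" "$buffers"
    else
        prev=$((n - 1))
        # Later segments: iterative mode, chained from the previous segment's
        # host key (-p) and MAC (-r), with this segment's MAC (-m).
        printf 'slogverify -i -p %s -r %s -m %s %s %s %s\n' \
            "$base.$prev.key" "$base.$prev.mac" "$base.$n.mac" "$in" "$out" "$buffers"
    fi
}

# verify_all BASE COUNT [BUFFERS]: verify segments 0..COUNT-1 in order and
# stop at the first failure. Set DRY_RUN=1 to only print the commands.
verify_all() {
    base=$1; count=$2; buffers=$3
    i=0
    while [ "$i" -lt "$count" ]; do
        cmd=$(build_cmd "$base" "$i" "$buffers") || return 1
        echo "# segment $i: $cmd"
        if [ -z "$DRY_RUN" ]; then
            # Intentional word splitting: the command was built from paths
            # without whitespace.
            $cmd || { echo "verification failed at segment $i" >&2; return 1; }
        fi
        i=$((i + 1))
    done
}

# Usage: DRY_RUN=1 sh verify_chain.sh /var/log/secure/messages 3
# prints the three command lines; without DRY_RUN they are executed.
if [ -n "$1" ]; then
    verify_all "$1" "${2:-1}" "$3"
fi
```

Run it with DRY_RUN=1 first to confirm that the key and MAC files it pairs with each segment are the ones that were actually retrieved together, since a mismatched previous key or MAC is exactly the condition that makes the chain fail to verify.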
--key-file or -k
The initial host key (k0). This option is used in normal
mode only.
--mac-file or -m
The current MAC file used.
--prev-key-file or -p
The host key corresponding to the previous log file. This option can be used in
iterative mode only. In theory, this can be the initial host key (k0), but
using this key might generate warnings, as the gap between the first log entry
ever (log entry 0) and the first log entry of the current log file might be
large.
--prev-mac-file or -r
The MAC file from the previous log file. This option can
only be used in iterative mode.
--help or -h
Display a help message.
/usr/bin/slogverify
/etc/syslog-ng.conf
syslog-ng.conf(5)
secure-logging(7)
Note
For detailed documentation, see The syslog-ng Administrator Guide[1].
If you experience any problems or need help with syslog-ng, visit
the syslog-ng mailing list[2].
For news and notifications about syslog-ng, visit the syslog-ng blogs[3].
For specific information requests related to secure logging send a
mail to the Airbus Secure Logging Team
<secure-logging@airbus.com>.
This manual page was written by the Airbus Secure Logging Team
<secure-logging@airbus.com>.
1. The syslog-ng Administrator Guide
   https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/index.html
2. syslog-ng mailing list
   https://lists.balabit.hu/mailman/listinfo/syslog-ng
3. syslog-ng blogs
   https://syslog-ng.org/blogs/