Introduction
This article describes the signature methods used by Logsign to ensure the accuracy and integrity of the logs it stores.
Signature Methods
There are three different methods used for logging and signing: Line, File, and Summary signature methods.
Logsign's default signature methods are compatible with the structure required by Article 5651 of the Turkish Constitution, which mandates that logs must be timestamped and stored.
Line-based Signing (Line Sign Method)
When logs are received by the system, the entire line of the unmodified log is signed with hash algorithms.
By default, it is signed with CRC32.
You can see an example of a log from a FortiGate firewall source that has been signed with CRC32 below. The section marked in red and bold shows the portion of the orange-colored log line that has been signed with the hash algorithm CRC32.
The section marked in green and bold shows the portion of the orange-colored log line that has been signed with the hash algorithm MD5.
{"id":"","hash":"90a9202d","sender_info":{"ip":"10.10.0.2","port":0,"collector":"syslog","config_uid":"zfcg46zng2pko1t6zxvjt9v3vag3uvo9","severity":"notice","facility":"local7","linehash":"ad6e3694c0f26918b57833010ff0a196"},"time":1678282524,"data":"date=2023-03-08 time=16:35:24 devname="LogsignUmitFW" devid="FGVMEVSREQQ3WM62" eventtime=1678282524293949407 tz="+0300" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.241.237.24 srcname="iadmin-vmwarevirtualplatform" srcport=39956 srcintf="port2" srcintfrole="lan" dstip=10.10.0.16 dstport=1974 dstintf="port1" dstintfrole="undefined" srccountry="United States" dstcountry="Reserved" sessionid=227356 proto=6 action="timeout" policyid=5 policytype="policy" poluuid="01111dde-b7be-51ed-c558-90a548280c65" policyname="Parrot_OUT" service="tcp/1974" trandisp="snat" transip=10.10.0.2 transport=39956 duration=10 sentbyte=44 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned" srchwvendor="VMware" osname="Ubuntu" mastersrcmac="00:50:56:be:60:b4" srcmac="00:50:56:be:60:b4" srcserver=0"}}
File and Summary Method Signing (File & Summary Sign Method)
Logs are collected in a directory for 24 hours, compressed in either gz or bzip format, and then stored. After compression, the file and file contents are signed separately.
You can verify the hash of the following file using sha256 as an example.
You can also use different services to sign using different hash algorithms.
Supported Providers
Self Time Stamp Authority Tubitak E-Imza TR Digi Stamp Logsign Stamp Turk Trust E-Tugra E-Imza CYP Timestamp Mikro Kep
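The line and file checks described above can be reproduced offline. The following is an added example, not Logsign's own code. It assumes that the 8-hex-digit `hash` field is the CRC32 and `linehash` the MD5 of the UTF-8 bytes of `data`; the function names and the sample lines are constructed for illustration, and Python 3.8+ is assumed.

```python
import gzip
import hashlib
import zlib

def line_digests(raw: bytes) -> dict:
    """CRC32 (8 hex digits) and MD5 of the raw line bytes."""
    return {"hash": format(zlib.crc32(raw) & 0xFFFFFFFF, "08x"),
            "linehash": hashlib.md5(raw).hexdigest()}

def verify_record(record: dict) -> bool:
    """Recompute both digests from `data` and compare with the stored values."""
    # Assumption: the digests cover the UTF-8 bytes of the `data` field.
    got = line_digests(record["data"].encode("utf-8"))
    return (got["hash"] == record["hash"]
            and got["linehash"] == record["sender_info"]["linehash"])

def archive_digests(gz_bytes: bytes) -> dict:
    """SHA-256 of the compressed file and, separately, of its contents."""
    return {"file": hashlib.sha256(gz_bytes).hexdigest(),
            "content": hashlib.sha256(gzip.decompress(gz_bytes)).hexdigest()}

def make_record(line: str) -> dict:
    """Build a constructed record in the field layout of the sample above."""
    d = line_digests(line.encode("utf-8"))
    return {"hash": d["hash"],
            "sender_info": {"linehash": d["linehash"]},
            "data": line}

# Constructed sample data (not real logs).
LINES = ['date=2023-03-08 time=16:35:24 action="timeout" srcip=192.0.2.10',
         'date=2023-03-08 time=16:35:25 action="accept" srcip=192.0.2.11']
RECORDS = [make_record(line) for line in LINES]
DAY = "\n".join(LINES).encode("utf-8")

if __name__ == "__main__":
    tampered = dict(RECORDS[0],
                    data=RECORDS[0]["data"].replace("timeout", "accept"))
    print("original line ok:", verify_record(RECORDS[0]))
    print("tampered line ok:", verify_record(tampered))
    # Same contents, different gzip header timestamp:
    # the file hash changes, the content hash does not.
    a = archive_digests(gzip.compress(DAY, mtime=0))
    b = archive_digests(gzip.compress(DAY, mtime=1))
    print("file hashes equal:   ", a["file"] == b["file"])
    print("content hashes equal:", a["content"] == b["content"])
```

CRC32 is an error-detecting checksum rather than a cryptographic hash, so the per-line value on its own detects accidental corruption, not a deliberate change by someone who can also rewrite the stored value.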