
guardtime rsyslog /var/log/messages verification error


Post by mkrutz » Thu Mar 20, 2014 12:56 pm

This is my setup in /etc/rsyslog.conf for the system log:
Code:
*.info action(type="omfile" file="/var/log/messages" sig.provider="gt"
        sig.timestampService="" # This is the address of my internal GT Gateway
        sig.block.sizeLimit="1000"   # increase in production
        )

/var/log/messages is recording system events as per usual. I execute a
Code:
killall -HUP rsyslogd
to force the processing of everything in the buffer. Next I am doing:
Code:
rsgtutil -t /var/log/messages
This is the output from the attempted signature verification:

Code:
/var/log/messages.gtsig[2:1:2]: error[13]: tree hash mismatch
   Block Start Record.: 'Mar 20 07:41:26 localhost rsyslogd: [origin software="rsyslogd" swVersion="7.6.0" x-pid="3489" x-info=""] start'
   Record in Question.: 'Mar 20 07:41:26 localhost rsyslogd: [origin software="rsyslogd" swVersion="7.6.0" x-pid="3489" x-info=""] start'
   Computed Hash......: 12ff1b[...]78c46e
   Signature File Hash: 5cbdcc[...]c09593
   Tree Level.........: 0
   Tree Left Hash.....: d3bbd3[...]28a501
   Tree Right Hash....: 5c33d9[...]dbeff2
error 13 (tree hash mismatch) 4 processing file /var/log/messages

It should be noted that the "Record in Question" would be the first two lines of the file (according to the output above). I am simply trying to verify the signature of the "running system log". Am I doing something incorrect with sending the HUP? This particular piece is critical to the use of KSI in system logging. Any suggestions?
Posts: 3
Joined: Wed Mar 19, 2014 7:20 pm


Re: guardtime rsyslog /var/log/messages verification error

Post by friedl » Thu Mar 20, 2014 4:52 pm


To verify logs correctly, the file with ending ".gtstate" must be present. This file will be generated when rsyslog is stopped or HUPed. A quick test showed me that it works with both.

I guess that rsyslog does not get enough time to finish the signature request that will be sent to GuardTime. Or the machine probably does not have internet access at all.

Here is some more information on this topic:
Adiscon Support
Posts: 67
Joined: Wed Sep 13, 2006 2:31 pm
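
A pre-check for the condition described in the reply above, added here as an example and not code from the thread or from rsyslog: it sends the HUP, waits until both companion files exist, and only then runs rsgtutil -t. It assumes the files sit beside the log as <log>.gtsig and <log>.gtstate; the function names and the 30-second default timeout are this example's own.

```shell
#!/bin/sh
# Added example: wait for the Guardtime companion files before verifying.
# Assumption: both files sit beside the log as <log>.gtsig and <log>.gtstate.

# Print each companion file that is missing or empty; return 1 if any is.
missing_sig_files() {
    log=$1 rc=0
    for ext in gtsig gtstate; do
        if [ ! -s "$log.$ext" ]; then
            echo "$log.$ext"
            rc=1
        fi
    done
    return "$rc"
}

# Poll once per second until both files exist or TIMEOUT seconds pass.
wait_for_sig_files() {
    log=$1 remaining=${2:-30}
    while ! missing_sig_files "$log" >/dev/null; do
        [ "$remaining" -gt 0 ] || return 1
        sleep 1
        remaining=$((remaining - 1))
    done
    return 0
}

# HUP rsyslogd, wait for the signature state to be written, then verify.
# Exit codes 2 and 3 separate "could not signal" from "files never appeared",
# so a later rsgtutil error is not confused with a premature run.
verify_log() {
    log=$1 timeout=${2:-30}
    killall -HUP rsyslogd || return 2
    if ! wait_for_sig_files "$log" "$timeout"; then
        echo "signature files not ready after ${timeout}s:" >&2
        missing_sig_files "$log" >&2 || return 3
    fi
    rsgtutil -t "$log"
}

# Run only when called with arguments: script.sh /var/log/messages [timeout]
if [ "$#" -gt 0 ]; then
    verify_log "$@"
fi
```

If this returns 3, the verification was never attempted, which points at rsyslog not finishing the signature request rather than at a damaged log.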
