
guardtime rsyslog /var/log/messages verification error

Posted: Thu Mar 20, 2014 12:56 pm
by mkrutz
This is my setup in /etc/rsyslog.conf for the system log:
*.info action(type="omfile" file="/var/log/messages" sig.provider="gt"
        sig.timestampService="http://192.168.12.35/gt-signingservice" # This is the address of my internal GT Gateway
        sig.block.sizeLimit="1000"   # increase in production
        sig.keepTreeHashes="on"
        sig.keepRecordHashes="off")

/var/log/messages is recording system events as per usual. I execute a

killall -HUP rsyslogd

to force the processing of everything in the buffer. Next I am doing:

rsgtutil -t /var/log/messages

This is the output from the attempted signature verification:

/var/log/messages.gtsig[2:1:2]: error[13]: tree hash mismatch
   Block Start Record.: 'Mar 20 07:41:26 localhost rsyslogd: [origin software="rsyslogd" swVersion="7.6.0" x-pid="3489" x-info="http://www.rsyslog.com"] start'
   Record in Question.: 'Mar 20 07:41:26 localhost rsyslogd: [origin software="rsyslogd" swVersion="7.6.0" x-pid="3489" x-info="http://www.rsyslog.com"] start'
   Computed Hash......: 12ff1b[...]78c46e
   Signature File Hash: 5cbdcc[...]c09593
   Tree Level.........: 0
   Tree Left Hash.....: d3bbd3[...]28a501
   Tree Right Hash....: 5c33d9[...]dbeff2
error 13 (tree hash mismatch) 4 processing file /var/log/messages

It should be noted that the "Record in Question" would be the first two lines of the file (according to the output above). I am simply trying to verify the signature of the "running system log". Am I doing something incorrect with sending the HUP? This particular piece is critical to the use of KSI in system logging. Any suggestions?

Re: guardtime rsyslog /var/log/messages verification error

Posted: Thu Mar 20, 2014 4:52 pm
by friedl
Hi,

to verify logs correctly, the file with the ending ".gtstate" must be present. This file will be generated when rsyslog is stopped or HUPed. A quick test showed me that it works with both.

I guess that rsyslog does not get enough time to finish the signature request that will be sent to GuardTime. Or perhaps the machine does not have internet access at all.

Here is some more information on this topic:
http://www.rsyslog.com/error-message-when-verifying-signed-logs/
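The reply above points out that rsgtutil needs the ".gtstate" file next to the log before a verification can succeed. The following script is an added example, not from the original thread or from the rsyslog project: a pre-flight check that confirms the log, its ".gtsig" signature file and its ".gtstate" state file all exist and are non-empty before rsgtutil is invoked, so a missing state file is reported clearly instead of surfacing as a confusing hash-mismatch error. The function names, the self-test and the dummy file contents written by the self-test are assumptions for illustration (real .gtsig and .gtstate files are binary and are produced only by rsyslog).

```shell
#!/bin/sh
# Added example (not from the original thread or the rsyslog project):
# pre-flight check before running `rsgtutil -t` on a GuardTime-signed log.
# rsyslog writes <log>.gtsig (the signature stream) and, on HUP or shutdown,
# <log>.gtstate; rsgtutil needs both next to the log to verify it.

# gt_check_sigfiles LOGFILE
# Returns 0 if LOGFILE, LOGFILE.gtsig and LOGFILE.gtstate all exist and are
# non-empty; otherwise prints each missing/empty file to stderr and returns 1.
gt_check_sigfiles() {
    log="$1"
    rc=0
    for f in "$log" "$log.gtsig" "$log.gtstate"; do
        if [ ! -s "$f" ]; then
            printf 'missing or empty: %s\n' "$f" >&2
            rc=1
        fi
    done
    return $rc
}

# gt_verify LOGFILE
# Runs the pre-flight check and only then calls `rsgtutil -t LOGFILE`.
# Return codes: 1 = files missing, 2 = rsgtutil not installed,
# otherwise the exit status of rsgtutil itself.
gt_verify() {
    log="$1"
    gt_check_sigfiles "$log" || return 1
    if ! command -v rsgtutil >/dev/null 2>&1; then
        echo "rsgtutil not found in PATH" >&2
        return 2
    fi
    rsgtutil -t "$log"
}

# gt_selftest
# Exercises the check on constructed files in a temporary directory, with
# no rsyslog or rsgtutil needed. The file contents are dummy placeholders
# (hypothetical), not real signature or state data.
gt_selftest() {
    tmp=$(mktemp -d) || return 1
    printf 'Mar 20 07:41:26 localhost rsyslogd: start\n' > "$tmp/messages"
    printf 'dummy-signature' > "$tmp/messages.gtsig"
    # Without the .gtstate file the check must fail ...
    if gt_check_sigfiles "$tmp/messages" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    printf 'dummy-state' > "$tmp/messages.gtstate"
    # ... and with all three files present it must pass.
    if ! gt_check_sigfiles "$tmp/messages"; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}
```

Source the script and run `gt_verify /var/log/messages` after sending `killall -HUP rsyslogd` (as in the first post); if the HUP has not yet produced the state file, the output names `/var/log/messages.gtstate` as missing rather than attempting a verification that cannot succeed. `gt_selftest` demonstrates both outcomes without touching the system log.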