Monday, April 07, 2008

First incarnation of LogStore

I've disappeared from this blog in the recent month but I've not been idle: I've implemented initial support for LogStore in the Premium Edition of syslog-ng.

LogStore is a binary log file format, in semantics very similar to a plain log file. But the format allows much more:
  • on-line compression via gzip,
  • encryption via AES and X.509 certificates,
  • integrity protection via hmac-sha1.
And furthermore: it is indexed based on time, and it is quite efficient to look for a specific time range in GBs of log data. I'm quite satisfied, although there are some more work left to be done, for instance the query interface for the time based indexing is not completed.

In use it is quite simple: replace the "file" destination with "logstore" and you are done. More or less the same amount of options are supported: macro based file names, template based formatting, etc.

I'm still pondering with the idea of storing the complete internal representation of the logrecord in serialized form, so it'd be possible to perform template() based formatting in off-line mode.

This code will be released as an experimental part of syslog-ng PE 2.1 and will be finalized in syslog-ng PE 2.2.

4 comments:

Gergely Nagy said...

Hi, i am researching a way to have logs encrypted in an asymmetric way, so on the machine where the logs will be stored it is write only with (the attacker shouldn't even see whats in the logs) and there will be a machine with the decryption key where eventually logs can be examined. Are you interested in this?

Bazsi said...

It is exactly as LogStore behaves, it generates a random key and encrypts it via the public key of a X.509 certificate. The random key is only present in the memory area of the syslog-ng process, anything that hits the disk can only be decrypted by the private key that corresponds to the certificate used for encryption.

Apart from that please drop me an email with details and I'll see what I can do.

gnanet said...

ok where should i address my mail to, one of balabit's main addresses?

By the way i do this research for cacert.org, they are interested in this solution.

gnanet said...

ok i found your address... i'll sum up what's all about.