The Premium Edition of syslog-ng can store log messages securely in encrypted, compressed and timestamped binary files. Timestamps can be requested from an external Timestamping Authority (TSA).
Logstore files consist of individual chunks; every chunk can be encrypted, compressed,
and timestamped separately. Chunks contain log message data; the chunk size defaults to 128k
(about 1MB worth of compressed logs). A chunk is closed when its size reaches the
limit set in the chunk_size parameter, or when the time limit set
in the chunk_time parameter expires and a new message arrives.
Specifically, when a new message arrives at the logstore, syslog-ng checks whether
chunk_time has elapsed since the last message arrived. If it has, the old chunk is
closed and the new message is written into a new chunk.
The syslog-ng PE application generates an SHA-1 hash for every chunk to verify the
integrity of the chunk. The hashes of the chunks are chained together to prevent
injecting chunks into the logstore file. The syslog-ng application can encrypt the
logstore using the aes128 algorithm in CBC mode; the hashing
(HMAC) algorithm is hmac-sha1. Currently it is not possible to
use other algorithms.
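The two mechanisms described above, chunk closing by size or by idle time and the chained per-chunk hashes that let a verifier detect an injected chunk, modelled together in one added example. This is illustration code written for this page, not syslog-ng PE's own implementation or on-disk format: it assumes each chunk's tag is an HMAC-SHA1 over the previous chunk's tag concatenated with the chunk data (an all-zero tag for the first chunk), it takes arrival times as explicit parameters so that runs are deterministic, and it leaves encryption and compression out.

```python
import hashlib
import hmac

TAG_LEN = 20                    # SHA-1 digest size
GENESIS_TAG = b"\x00" * TAG_LEN  # assumed starting value for the chain


class LogStoreModel:
    """Simplified model of a logstore writer (constructed for illustration).

    Chunks close when they reach chunk_size bytes, or when a new message
    arrives after chunk_time seconds have elapsed since the previous one.
    Every closed chunk gets an HMAC-SHA1 tag that covers the previous tag,
    so the tags form a chain.
    """

    def __init__(self, key: bytes, chunk_size: int, chunk_time: float):
        self.key = key
        self.chunk_size = chunk_size
        self.chunk_time = chunk_time
        self.chunks = []            # list of (data, tag) for closed chunks
        self.current = bytearray()  # open chunk
        self.last_arrival = None    # arrival time of the last message

    def _tag(self, data: bytes, prev_tag: bytes) -> bytes:
        # Assumed chaining rule: HMAC-SHA1(key, prev_tag || data)
        return hmac.new(self.key, prev_tag + data, hashlib.sha1).digest()

    def _close_chunk(self) -> None:
        if not self.current:
            return
        prev = self.chunks[-1][1] if self.chunks else GENESIS_TAG
        data = bytes(self.current)
        self.chunks.append((data, self._tag(data, prev)))
        self.current = bytearray()

    def write(self, msg: bytes, now: float) -> None:
        # The idle-time limit is only checked when a new message arrives,
        # matching the behaviour described for chunk_time.
        if (self.last_arrival is not None
                and now - self.last_arrival >= self.chunk_time):
            self._close_chunk()
        self.current += msg + b"\n"
        self.last_arrival = now
        if len(self.current) >= self.chunk_size:
            self._close_chunk()

    def flush(self) -> list:
        """Close the open chunk and return all (data, tag) pairs."""
        self._close_chunk()
        return list(self.chunks)


def verify_chain(key: bytes, chunks: list) -> int:
    """Walk the chain; return the index of the first chunk whose tag does
    not match, or -1 if every chunk chains correctly to its predecessor."""
    prev = GENESIS_TAG
    for i, (data, tag) in enumerate(chunks):
        expected = hmac.new(key, prev + data, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag
    return -1


if __name__ == "__main__":
    # Constructed sample input: three messages, the third after a long gap.
    store = LogStoreModel(b"demo-key", chunk_size=64, chunk_time=10.0)
    store.write(b"host1 sshd: session opened", 0.0)
    store.write(b"host1 sshd: session closed", 1.0)
    store.write(b"host2 cron: job started", 20.0)   # 19 s idle -> new chunk
    chunks = store.flush()
    print("chunks:", len(chunks), "intact:", verify_chain(b"demo-key", chunks))

    # A chunk inserted between existing ones breaks the chain at its index.
    injected = [chunks[0], (b"host9 forged line\n", chunks[0][1]), chunks[1]]
    print("first bad chunk:", verify_chain(b"demo-key", injected))
```

Because each tag covers the previous tag, an attacker without the key cannot splice a chunk into the middle of the file, and removing a chunk is detected at the next one; the verifier reports the index where the chain first fails, which is the natural place for an investigator to start.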
© 2007-2010 BalaBit IT Security