SIEM Log Integrity: Proving Your Logs Have Not Been Altered
Why SOC and Audit Logs Need Integrity Proof
Security teams live and die by their logs. Authentication events, firewall denials, configuration changes, privileged commands — the record of what happened on a system is often the only witness to an incident. But a log is only as useful as it is trustworthy. The moment someone can ask "how do we know these entries were not edited?" the value of the whole record is in question. SIEM log integrity is the discipline of being able to answer that question with proof rather than assertion: showing that the log file you are relying on is bit-for-bit the same as the one that was collected. A log that cannot be shown to be tamper-evident is, for evidentiary purposes, barely a log at all. This article explains how to lock that integrity down, and how e-Dex (formerly Hash Calculator) turns an exported log file into a verifiable certificate offline.
The Risk: Logs Are a Tempting Target
An attacker who breaks into an environment has a strong incentive to clean up after themselves. Editing or truncating a log to remove the trace of a malicious login, a lateral movement, or an exfiltration is a classic anti-forensic move. The threat is not only external: a malicious insider with administrative rights can quietly alter records to hide a fraudulent transaction or an unauthorised change. Even accidental corruption — a half-written file, a bad disk, a botched export — can leave you holding a log you can no longer trust. In every one of these cases the damage is the same: when you finally need the log, you cannot prove it is the original. Integrity protection exists precisely so that any such change becomes visible instead of silent.
How to Lock Log Integrity
The core technique is simple and well understood. Once a set of logs is finalised, you compute a cryptographic hash over the file. A hash is a fixed-length fingerprint of the exact bytes; change a single character in a single log line and the hash changes completely, so a matching hash is strong evidence that nothing was touched. The workflow has three layers you can apply as the stakes demand. First, export the logs for the time window you care about and hash the file, recording the value somewhere safe. Second, where you need to bind identity and time, sign the record with a digital certificate and attach an RFC-3161 trusted timestamp, so it is provable not just that the file is unaltered but who sealed it and when. Third, for rolling logs that never stop, adopt periodic hashing: hash each closed segment or daily snapshot as it is finalised, building a running ledger of fingerprints that covers the whole timeline.
Producing a Log Integrity Certificate
Recording a hash in a notebook is fine; producing a clean, self-contained document is far more useful. Load your exported log files into e-Dex and it computes several hashes per file — MD5, SHA-1, SHA-256, SHA-512 and BLAKE3 — and prints them onto a one-page log integrity certificate. On later verification it recomputes each hash and shows a plain MATCH or MISMATCH verdict per file, plus an overall result across the batch, so a reviewer sees at a glance whether the set is clean. The modern collision-resistant algorithms (SHA-256, SHA-512, BLAKE3) are what the proof rests on; the legacy MD5 and SHA-1 values are listed alongside them so that anyone can still match against whichever value was originally recorded.
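The sealing and verification workflow described above, written out as an added Python example (this is not e-Dex's own code). It computes a set of digests per exported file, records them in a manifest that stands in for the certificate, and on verification recomputes every digest to produce a per-file MATCH or MISMATCH plus an overall verdict, which is also the check a recipient performs in the FAQ below. Assumptions: BLAKE3 is not in Python's standard library, so BLAKE2b is used as a stand-in; the two log files and their contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

# Algorithms recorded per file. BLAKE3 is not available in hashlib, so BLAKE2b
# stands in here (assumption); the legacy MD5/SHA-1 values are kept only so that
# an old recorded value can still be matched.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512", "blake2b")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hex digest} over the exact bytes of the file, streamed in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(paths):
    """Seal a batch of exported log files: one record per file with size and all digests."""
    return {
        "files": [
            {"name": os.path.basename(p), "size": os.path.getsize(p), "hashes": hash_file(p)}
            for p in paths
        ]
    }


def verify_manifest(manifest, directory):
    """Recompute each file's digests against the manifest.

    A file is MATCH only if every recorded digest agrees; a missing file is reported
    as MISSING. Returns (per-file verdicts, overall verdict)."""
    verdicts = {}
    for rec in manifest["files"]:
        path = os.path.join(directory, rec["name"])
        if not os.path.exists(path):
            verdicts[rec["name"]] = "MISSING"
            continue
        current = hash_file(path, algorithms=tuple(rec["hashes"]))
        verdicts[rec["name"]] = "MATCH" if current == rec["hashes"] else "MISMATCH"
    overall = "MATCH" if verdicts and all(v == "MATCH" for v in verdicts.values()) else "MISMATCH"
    return verdicts, overall


def demo():
    """Constructed scenario: seal two exported logs, then quietly remove one line from one of them."""
    workdir = tempfile.mkdtemp()
    auth = os.path.join(workdir, "auth-2024-01-15.log")
    fw = os.path.join(workdir, "firewall-2024-01-15.log")
    with open(auth, "w") as f:  # constructed sample log lines
        f.write("2024-01-15T02:14:07Z sshd[812]: Accepted publickey for deploy from 10.0.4.9\n"
                "2024-01-15T02:14:09Z sudo: deploy : COMMAND=/bin/systemctl restart app\n")
    with open(fw, "w") as f:
        f.write("2024-01-15T02:13:55Z DENY TCP 203.0.113.7:51234 -> 10.0.4.9:22\n")

    manifest = build_manifest([auth, fw])
    certificate = json.dumps(manifest, indent=2)  # what would be printed on the certificate
    before = verify_manifest(manifest, workdir)

    # Anti-forensic edit: the privileged command line is removed after sealing.
    with open(auth, "w") as f:
        f.write("2024-01-15T02:14:07Z sshd[812]: Accepted publickey for deploy from 10.0.4.9\n")
    after = verify_manifest(manifest, workdir)
    return {"certificate": certificate, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print(result["certificate"])
    print("before edit:", result["before"])
    print("after edit: ", result["after"])
```

The verdict is deliberately all-or-nothing per file: if any one recorded digest disagrees, the file is MISMATCH, so an attacker cannot rely on a collision in a single legacy algorithm.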
Admissibility and Audit Value
A log integrity certificate strengthens the story you tell about your evidence. In an internal audit it lets you hand a dataset to a reviewer and demonstrate it has not drifted since extraction. In a regulatory response it shows a watchdog that the records you produced are intact. In a dispute or investigation it gives the integrity layer that any further evidentiary process — a formal certificate, a chain-of-custody record, expert testimony — builds upon. The certificate does not, by itself, decide what a court or regulator will accept; how evidence is weighed depends on the facts and the applicable rules. What it does is remove an easy line of attack, by converting "trust us, the logs are unchanged" into a value anyone can independently recompute.
What Hashing Does and Doesn't Do for Live Streams
It is worth being precise about the limits. A hash seals a fixed set of bytes; it cannot, on its own, protect a log that is still being written. For a live, continuously growing stream you do not hash "the log" — you hash each segment once it is closed, or a snapshot of a defined window. Genuine tamper protection of an active stream is a job for the source: append-only or write-once storage, forwarding to a separate trust boundary, or hash-chaining each entry as it lands. Hashing then proves integrity from the point of export forward. Understanding this boundary keeps your claims honest: the certificate says "this exported file is unaltered since I sealed it," not "no one could ever have touched the logs before they reached me."
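Hash-chaining each entry as it lands, as mentioned above, as an added Python example (not e-Dex's own code). Each stored link commits to the previous link's hash and the new entry, so editing or deleting an entry in the middle breaks every later link; the running head is what a periodic certificate would seal. The example also shows the limit the paragraph describes: without an externally sealed head, cutting entries off the tail leaves a chain that still verifies. The genesis value and the log entries are constructed for the demonstration.

```python
import hashlib

# Constructed anchor for the first link; a real deployment would pin this per log stream.
GENESIS = "0" * 64


def link_hash(prev_hash, entry):
    """SHA-256 over (previous link hash || entry bytes): each link commits to all earlier ones."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(entry.encode("utf-8"))
    return h.hexdigest()


class ChainedLog:
    """Append-only in-memory log that stores every entry with its running chain hash."""

    def __init__(self):
        self.entries = []   # list of (entry_text, chain_hash)
        self.head = GENESIS

    def append(self, entry):
        self.head = link_hash(self.head, entry)
        self.entries.append((entry, self.head))
        return self.head


def verify_chain(entries, sealed_head=None):
    """Recompute the chain from GENESIS.

    Returns (ok, index of first bad link or None, reason). If a sealed head is supplied
    (the value recorded on a periodic certificate), the final recomputed hash must equal it,
    which is what detects truncation of the tail."""
    prev = GENESIS
    for i, (entry, stored) in enumerate(entries):
        recomputed = link_hash(prev, entry)
        if recomputed != stored:
            return False, i, "link hash does not match stored value (entry edited or removed)"
        prev = recomputed
    if sealed_head is not None and prev != sealed_head:
        return False, len(entries), "head differs from sealed head (entries truncated)"
    return True, None, "chain intact"


def demo():
    """Constructed scenario: four entries, then edit, delete, and truncate attempts."""
    log = ChainedLog()
    for line in ("02:14:07 Accepted publickey for deploy",
                 "02:14:09 sudo deploy COMMAND=/bin/systemctl restart app",
                 "02:15:30 Accepted password for admin from 203.0.113.7",
                 "02:16:02 session closed for admin"):
        log.append(line)
    sealed = log.head  # this is what the daily certificate would record

    edited = list(log.entries)
    edited[2] = ("02:15:30 Failed password for admin from 203.0.113.7", edited[2][1])
    deleted = log.entries[:1] + log.entries[2:]
    truncated = log.entries[:3]

    return {
        "intact": verify_chain(log.entries, sealed),
        "edited": verify_chain(edited, sealed),
        "deleted": verify_chain(deleted, sealed),
        "truncated_no_seal": verify_chain(truncated),
        "truncated_with_seal": verify_chain(truncated, sealed),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Two limits follow from the code. A chain carries no secret, so anyone who can rewrite the whole file can also recompute every link; and `truncated_no_seal` verifies cleanly because nothing ties the last link to an external record. Both gaps are closed by sealing the head outside the log's own trust boundary at a fixed cadence, which is exactly the periodic certificate the article recommends.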
Offline by Design
e-Dex never connects to your security platform and never uploads your data. It works on exported log files on your own Windows machine and runs fully offline, so sensitive logs stay inside your boundary. The only step that touches the internet is the optional RFC-3161 trusted timestamp. When you need someone else to confirm a file, share it with its certificate and they can recompute the hash — or use the free online certificate verifier to check a certificate without installing anything.
Frequently Asked Questions
What is SIEM log integrity?
SIEM log integrity means being able to prove that the audit and security logs you collected are exactly as recorded and have not been altered, deleted from, or added to since collection. It is established by computing a cryptographic hash over an exported log file, so that any later change to even a single byte produces a different hash and is therefore detectable. Logs that cannot be shown to be tamper-evident carry far less weight in an investigation or audit.
Can hashing protect a live, continuously growing log stream?
Not on its own. A hash is a fingerprint of a fixed set of bytes, so it can only seal a log file that is no longer changing. For a live, rolling log you hash each closed segment as it is finalised, or you export a snapshot covering a defined time window and hash that. Continuous tamper protection of an active stream needs append-only storage, write-once media or hash chaining at the source; hashing then proves integrity from the moment of export onward.
How do I produce a log integrity certificate?
Export the relevant logs to a file, then load that file into e-Dex. It computes multiple hash algorithms (such as SHA-256, SHA-512 and BLAKE3), records them, and generates a one-page integrity certificate that lists each file with its hashes and a MATCH or MISMATCH verdict on later verification. You can optionally apply a digital signature and an RFC-3161 trusted timestamp so the certificate also proves who produced it and when.
Does e-Dex need to connect to my SIEM or the internet?
No. e-Dex works on exported log files on your own Windows machine and runs fully offline. It does not integrate with or read from any security platform directly, so your logs never leave your computer. The only step that uses the internet is the optional RFC-3161 trusted timestamp, which contacts an independent Time-Stamping Authority.
How does anyone else confirm the log file is unaltered later?
Share the log file together with its integrity certificate. A reviewer recomputes the file's hash and compares it against the value printed on the certificate; an identical hash means MATCH and the file is unchanged, while any difference means MISMATCH. e-Dex also provides a free online verifier at /verify-certificate.html so a recipient can check a certificate without installing anything.
Conclusion
Logs are evidence, and evidence is only as good as its integrity. By exporting, hashing, and optionally signing and timestamping your audit and SOC logs, you convert a fragile "trust us" into a fact anyone can recompute — turning a tempting target into a tamper-evident record. You can produce a log integrity certificate in minutes, fully offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Download it free and start proving your logs are exactly what they should be.