Every entry in the Audit Log is digitally signed when it’s created. This signature helps you to prove that an entry was not modified after creation.
Each signature includes details of earlier log items to create a consistent signature chain. When any item in the log table is modified, deleted, or retrospectively inserted, the signature chain is broken. A signature cannot be re-created without breaking several other signatures.
The signature helps you detect modifications in entries, but it does not prevent actual modifications. Though it uses a very secure, cryptographic meachanism, it is not legally proof!
No detail of the log entry was not modified after creation, and the signature chain is untampered.
The notice “New Chain” means, that the signature of the current item is valid. However, a recent log entry with a broken signature was found, and our plugin started a new signature chain that is unrelated to the previous log items.
A broken signature chain can have several reasons:
- Any detail of the log entry was modified via direct DB access.
- An older log entry was deleted; i.e., the signature chain was interrupted.
- A log item was retrospectively inserted into the table.
- The server’s local IP address changed; i.e., the log item was imported from a different server.
Note: Because of the IP address component, the signature chain will also break when you migrate your website to another server or host. This is the correct and intended behavior because a signature is only valid on the server that created it.
How to repair a broken signature?
When a signature breaks, it’s important to determine what happened. First, back-track to the oldest broken element in the chain and investigate why that element is broken.
Did you move to a different hosting provider? In this case, the broken signature is intentional and cannot be repaired.
The only way to repair broken items in the signature chain is to revert your database to a state when the signature chain was still valid on the server that issues the signature in the first place. We recommend taking frequent backups (e.g., daily or at least weekly).
Broken signatures heal over time: When at least 100 concurrent items with a valid signature are present, the state reverts to valid.