
Tamper-Evident Log Retention
Blackfort Log Vault
Logs are stored immutably, cryptographically protected – and managed independently of your existing IT administration. For compliance evidence, forensic analysis and regulatory requirements.
The structural problem with conventional logging
Logs are the single most important tool for reconstructing security incidents. In most environments, however, they end up in systems to which the very administrators whose activities are being logged also have access. An attacker with administrator rights – or an insider – can modify, delete or selectively suppress logs.
This is not a fringe problem: in forensic investigations following serious security incidents the relevant logs are missing in roughly one third of cases – modified, deleted or simply never stored immutably in the first place.
The Blackfort Log Vault resolves this structural problem through a clean separation: the vault instance runs with its own administration rights, separated from production IT administration. No system administrator has write access to stored logs.
Importantly, the Log Vault is not an end point but a foundation. Tamper-evident logs are the prerequisite for reliable SIEM correlation, sound forensic analysis and audit-grade compliance evidence. Anything not archived with integrity cannot stand up either as a basis for detection or in front of auditors.
What the Log Vault delivers
Cryptographic immutability
Every stored log entry is cryptographically signed. Any subsequent change is detectable – irrespective of who makes it.
Independent administration
The Log Vault runs as a standalone instance with separate administration rights. System administrators have no write access to the vault instance.
Broad source support
Syslog (RFC 5424), Windows Event Logs, Azure Monitor, AWS CloudTrail, GCP Cloud Logging and application logs via REST API are collected centrally.
Compliance reports on demand
Pre-built audit reports for NIS2, ISO 27001, DORA and BSI IT-Grundschutz. Audit-grade evidence without manual collation.
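The "Cryptographic immutability" property above, and the selective suppression risk named earlier, as an added sketch; this is not Blackfort's code, and the page does not describe the product's actual scheme. Assumptions: HMAC-SHA256 from the standard library stands in for the signature, each entry also commits to the previous entry's tag so a removed entry is detectable, the key exists only inside the vault, and the current head tag is recorded somewhere production administrators cannot write. All names and sample entries are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed start value for the chain
KEY = b"demo-key-held-only-by-the-vault"  # constructed; not a real secret


def _tag(key, seq, prev, msg):
    # JSON-encode the fields so their boundaries are unambiguous.
    body = json.dumps([seq, prev, msg], separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append(log, key, msg):
    """Seal msg into the chain and return the new head tag."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "msg": msg,
                "tag": _tag(key, seq, prev, msg)})
    return log[-1]["tag"]


def verify(log, key, head):
    """Return "ok" or a description of the first integrity failure."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return f"chain broken at position {i}"
        if not hmac.compare_digest(_tag(key, i, prev, rec["msg"]), rec["tag"]):
            return f"entry {i} modified"
        prev = rec["tag"]
    if not hmac.compare_digest(prev, head):
        return "log truncated or extended"
    return "ok"


def sample_log():
    """Constructed sample entries; returns (log, head)."""
    log, head = [], GENESIS
    for msg in ("sshd: session opened for admin", "sudo: admin ran visudo",
                "auditd: rule set changed", "sshd: session closed for admin"):
        head = append(log, KEY, msg)
    return log, head


if __name__ == "__main__":
    log, head = sample_log()
    print(verify(log, KEY, head), "|", verify(log[:1] + log[2:], KEY, head))
```

Per-entry tags alone catch edits but not a silently removed or truncated entry; the sequence number, the link to the previous tag and the externally held head are what make those visible.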
Regulatory requirements
Tamper-evident log retention is explicitly required across all relevant compliance frameworks. In practice, auditors – whether under ISO 27001, in DORA reviews by BaFin-appointed auditors, or during NIS2 reviews – ask not only whether logs exist but whether their integrity is demonstrable. The Log Vault addresses precisely those requirements:
| Standard | Reference | Requirement |
|---|---|---|
| NIS2 | Art. 21(2) | Recording and documentation of security-relevant events, retention of at least 12 months |
| ISO 27001 | Annex A.8.15 | Logging: protection of log information against tampering and unauthorised access |
| DORA | Art. 12 | ICT logging for financial entities: completeness, integrity and confidentiality of logs |
| BSI IT-Grundschutz | OPS.1.1.5 | Logging: audit-grade retention and protection against tampering |
Use cases
Forensics after a security incident
An attacker has modified system logs to cover their tracks. In the Log Vault all events remain unchanged – cryptographically protected and immune to administrator interference. Forensic analysis remains possible.
ISO 27001 / DORA audit
The auditor – whether performing a DORA review or acting for an ISO 27001 certification body – requests audit-grade evidence for all privileged accesses of the past 12 months. The Log Vault delivers this report in a structured, complete and demonstrably unaltered form – in minutes rather than days.
NIS2: separation of administration and logging
NIS2 requires that administrators cannot quietly obscure their own activities. The Log Vault solves this structural requirement through a consistent separation of system administration and audit function.
Full product page
Blackfort Independent Log Vault
Technical details, deployment options and the full specification.
Log Vault at a glance
Use cases
- Compliance evidence for audits
- Forensics after security incidents
- Protection against insider threats
- NIS2 & DORA logging obligations
- Separation of administration and audit
Frequently asked questions about the Log Vault
What is the difference between a Log Vault and a SIEM?
A SIEM analyses logs in real time and generates alerts. A Log Vault archives logs in a tamper-evident way for compliance and forensic readiness. The two are not mutually exclusive – the Blackfort Log Vault complements your SIEM with an independent, audit-ready archive layer.
Which log sources are supported?
Syslog (RFC 5424), Windows Event Log via WEF, Azure Monitor, AWS CloudTrail, GCP Cloud Logging and application logs via REST API.
Can the Log Vault run on-premises?
Yes. The Log Vault is designed for on-premises operation and also supports private cloud deployments. No external data transfer takes place.
How long are logs retained?
The retention period is configurable. NIS2 mandates at least 12 months; for certain sectors and scenarios up to 10 years apply.
Does the Log Vault replace the existing logging system?
No. The Log Vault is an independent archive instance operated in parallel with existing systems. It does not replace a SIEM, a monitoring system or an existing log shipper – it secures their output in a tamper-evident way.
Get in touch
Ready for the next step?
Talk to us about your security requirements: concretely, without obligation and on an equal footing.