Three gaps in your current log strategy

Most organizations archive logs — but leave critical compliance and cost problems unaddressed.

Compression ratio: 10:1 vs 15:1–20:1

gzip reaches 10:1 on structured log text. ZSTD with a trained dictionary reaches 15:1 to 20:1 on the same files — same compliance, dramatically less storage cost over six-year retention periods.

S3 write access does not equal tamper-proof

An attacker with S3 write access can delete individual log entries and recalculate the file checksum. A Merkle-Tree over every log entry makes individual-entry manipulation detectable — even after the fact.

A SHA-256 in a README is not an audit trail

Your auditor requires a cryptographic Merkle proof with an RFC 3161 timestamp — not a hash stored in a README file. Without this, your archive cannot prove that a specific log line was present on a specific date.

What fltlog does

A purpose-built compliance log archiver — not a general-purpose backup tool.

ZSTD + Dictionary Training

Train a shared dictionary on representative log samples. Compression ratios of 15:1 to 20:1 for structured log formats including JSON, syslog, and nginx access logs.

Merkle-Tree over All Log Entries

Every log entry is hashed individually. The tree root covers the complete archive. Deletion or modification of any single entry invalidates the root hash and is immediately detectable.

Root-Hash Anchoring

Publish the Merkle root to S3 Object Lock (WORM), embed it in a printable QR-Code, or write it to an external notary. Root anchoring is independent of the archive storage location.

RFC 3161 Timestamp Authority

Request a cryptographic timestamp from a public or enterprise TSA at archive creation time. The timestamp binds archive content to a verifiable point in time accepted in legal proceedings.

logrotate / systemd Integration

Drop-in postrotate hook for logrotate. Ready-made systemd Timer unit for scheduled archiving. No daemon required — fltlog runs as a one-shot process with zero persistent footprint.

Multi-Format Input

Reads plain text, gzip, bzip2, zstd, lz4, and xz compressed logs. Accepts rotated log files from nginx, Apache, syslog, journald, and application-specific formats.

Free fltlog-verify Binary

Distribute the standalone verify binary to auditors at no cost. Verifiers can confirm Merkle-Tree integrity and RFC 3161 timestamp without a fltlog license or internet access.

Forensic PDF Report

Generate a signed, dated PDF containing the archive manifest, entry count, date range, Merkle root, and TSA certificate chain. Ready to hand to an auditor or attach to a compliance filing.

Exact regulatory requirements

fltlog is designed around the specific text of each regulation — not a generic “compliance-friendly” claim.

PCI DSS 4.0.1 — Requirement 10.5.1

Retain audit logs for at least 12 months with a minimum of 3 months immediately available. Tamper detection is mandatory. fltlog satisfies all three requirements: retention period, fast-access tiering, and Merkle-Tree manipulation detection.

HIPAA — 45 CFR §164.312

Activity logs for electronic protected health information must be retained for 6 years from the date of creation or last use. fltlog archives to S3 Glacier with WORM tagging and produces a verifiable integrity trail for the full retention window.

SOX — Section 802

Records relevant to audit must be retained for 7 years. WORM storage is explicitly recommended to prevent alteration. fltlog supports S3 Object Lock, Azure Immutable Blob, and on-premises WORM targets with RFC 3161 timestamp receipts.

Pricing

Simple per-server monthly pricing. No per-GB ingestion fees. No agent seats.

Linux / Windows

€49

per month · up to 50 GB/day

ZSTD dictionary compression
Merkle-Tree + RFC 3161 TSA
logrotate / systemd integration
Forensic PDF report
Free verify binary for auditors
Email support

Annual subscription: 15% discount

z/OS LPAR

€369

per month · per LPAR

Full feature set
SMF log support
RACF audit log archiving
JES spool archiving
WORM DASD target support
Priority support

Annual subscription: 15% discount

Enterprise

Custom volume · SLA · on-premises

Unlimited daily volume
Custom retention policies
On-premises TSA integration
Enterprise WORM storage
Dedicated support SLA
Professional services

Frequently asked questions

Common questions from security engineers and compliance officers.

What is the difference between fltlog and Splunk or Cribl?

Splunk and Cribl are log management and routing platforms optimized for search and real-time analytics. fltlog is a compliance archiver: it does not index or search logs. It compresses, seals with a Merkle-Tree, timestamps with RFC 3161, and writes to long-term storage. This means dramatically lower cost per GB retained and a verifiable chain of custody that Splunk and Cribl do not produce.

Does fltlog replace my SIEM?

No. fltlog archives logs after they leave your SIEM or log pipeline. Your SIEM continues to ingest and analyze live log streams. fltlog handles the compliance retention requirement: compress, seal, timestamp, and store for 6–7 years with verifiable integrity. The two tools serve different phases of the log lifecycle.

How does ZSTD dictionary training work?

ZSTD dictionary training analyzes a representative sample of your logs (typically 100–500 files) and extracts common byte sequences into a shared dictionary. When compressing future logs against this dictionary, the compressor can reference the dictionary instead of encoding repeated patterns — yielding ratios of 15:1 to 20:1 on structured formats where standard ZSTD would achieve 8:1 to 12:1. The dictionary must be stored alongside archives and is required for decompression.

What is a Merkle tree and how does it prove log integrity?

A Merkle tree is a binary hash tree where each leaf node contains the hash of one log entry, and each parent node contains the hash of its two children. The root hash of the tree covers every log entry in the archive. If any single entry is added, deleted, or modified, the hashes up the tree change — including the root. By anchoring the root hash to an RFC 3161 timestamp and optionally to S3 Object Lock, fltlog creates a tamper-evident record that can be independently verified years later.

Can an external auditor verify logs without a license?

Yes. The fltlog-verify binary is distributed free of charge and without a license requirement. Auditors can run it on their own systems to verify the Merkle-Tree root hash, confirm the RFC 3161 timestamp, and validate that a specific log entry is present and unmodified. The verify binary has no external dependencies and does not connect to limes datentechnik servers.

Does fltlog integrate with logrotate and systemd?

Yes. fltlog ships a postrotate hook for logrotate that archives the rotated file immediately after rotation. It also ships a systemd service and timer unit for scheduled archiving independent of logrotate. Both integration paths run fltlog as a one-shot process — there is no persistent daemon or agent process.

How does fltlog compare to AWS S3 Object Lock?

S3 Object Lock provides WORM storage — it prevents deletion or overwriting of objects for a defined retention period. It does not provide compression, Merkle-Tree integrity proof, or RFC 3161 timestamps. fltlog complements S3 Object Lock: it compresses logs with ZSTD, seals them with a Merkle-Tree, timestamps with RFC 3161, and then writes the sealed archive to S3 with Object Lock enabled. The result is both tamper-evident and WORM-protected.

Volume / day	Duration	gzip + S3 Standard	ZSTD 15:1 + S3 Glacier	Savings
5 GB	6 years	$18,000	~$170	$17,830
15 GB	6 years	$54,000	~$500	$53,500
50 GB	6 years	$180,000	~$1,670	$178,330

Feature	gzip + S3	Splunk ~$0.88 / GB	Cribl ~$0.27 / GB (routing, no archive)	AWS CloudWatch	fltlog €49 / Mo
ZSTD Compression	×	Partial	Routing only	×	✓ 15:1–20:1
Merkle-Tree Integrity	×	×	×	×	✓
Compliance Archiving	Manual	✓	×	Partial	✓
Forensic PDF Report	×	Add-on	×	×	✓ Included
CLI-First / No Agent	✓	×	×	×	✓

Tamper-Proof Log Archiving for PCI DSS & HIPAA Compliance

How much are you spending on log storage?