The MOVEit Transfer audit log is tamper-evident. No changes, deletions or additions can be made to the log without breaking the strict chain of cryptographic hashes locked to the specific content and order of log entries.
Starting hashes for MOVEit Transfer tamper-evident chains are retained in encrypted form in the registry. To further protect against tampering, the hashes used are keyed hashes that require the input of the correct key to be matched and read.
To allow different organizations to maintain different archive periods on their own audit trails, MOVEit Transfer maintains a single tamper-evident chain for each organization. When entries are archived, the starting hash of each organization is advanced to just before the oldest remaining record.
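The chaining, keyed hashing and starting-hash advance described above can be illustrated with a short sketch; this is an added example, not MOVEit Transfer's own code or record format. HMAC-SHA256, the key, the all-zero starting hash, the log entries and every function name are assumptions constructed for the illustration.

```python
import hashlib
import hmac

def link(key, prev, entry):
    """Keyed hash of one entry, bound to the hash of the record before it."""
    return hmac.new(key, prev + entry.encode("utf-8"), hashlib.sha256).digest()

def append(key, log, start, entry):
    """Add an entry whose hash chains from the previous record (or the start)."""
    prev = log[-1][1] if log else start
    log.append((entry, link(key, prev, entry)))

def verify(key, log, start):
    """Return the index of the first record that breaks the chain, else None."""
    prev = start
    for i, (entry, stored) in enumerate(log):
        if not hmac.compare_digest(link(key, prev, entry), stored):
            return i
        prev = stored
    return None

def archive(log, start, count):
    """Drop the oldest `count` records and advance the starting hash to the
    hash just before the oldest remaining record."""
    if not 0 < count <= len(log):
        return log, start
    return log[count:], log[count - 1][1]

def build_sample(key, start):
    """Constructed sample audit entries for one organization."""
    log = []
    for entry in ("user=alice action=login",
                  "user=alice action=upload file=q3.xlsx",
                  "user=bob action=download file=q3.xlsx",
                  "user=alice action=logout"):
        append(key, log, start, entry)
    return log

if __name__ == "__main__":
    key, start = b"constructed-demo-key", bytes(32)  # assumed values
    log = build_sample(key, start)
    print("intact:", verify(key, log, start))
    edited = list(log)
    edited[2] = ("user=bob action=download file=other.pdf", log[2][1])
    print("edited record found at:", verify(key, edited, start))
    print("deleted record found at:", verify(key, log[:1] + log[2:], start))
    rest, new_start = archive(log, start, 2)
    print("after archive:", verify(key, rest, new_start))
```

After archiving, verification succeeds only against the advanced starting hash, which is why that value has to be stored where an attacker who can edit the log cannot also rewrite it.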
If the MOVEit Transfer TamperCheck scheduled task detects tampering, an email with related logs will be sent to the Send Errors To email address(es).
If tampering is encountered and detected, the starting hash of each organization is automatically advanced to the last known good position after notifications are sent. To perform this action at any time, use the MOVEit Transfer Reset function.
Admins have access to a View/Reset link that takes them to a page that will allow them to advance their organization's starting hash to the present time.
SysAdmins have the power to reset the start hashes of all organizations. They also have the power to turn tamper-evident logs on and off (they are on by default). More information about this can be found in Web Interface - Settings - System - TamperDetection.
Every night a scheduled tamper check process will go through all log entries and ensure that the chain of cryptographic hashes remains intact. If any problems are encountered, any administrator listed in the MOVEit Transfer Config utility's Send Errors To field will automatically be notified via email.
This check may also be initiated manually by administrators with access to the MOVEit Transfer console (Start | Programs | MOVEit Transfer | MOVEit Transfer Log Tamper Check). Any TamperCheck that ends with the phrase "Completed with errors" should be considered a failed TamperCheck; the exact reason for the failure will be explained in the log. A web-based tamper check is not available because checking the entire log for evidence of tampering often takes more time than the average web browser (or web browser user) is willing to wait.