Demeter/Cryptolog

## Cryptolog
Via Electronic Freedom Frontier website, under Creative Commons License .../by/3.0/us/
	"Cryptolog is a simple log filter program that reads log file entries from standard input
	and writes to either a file or pipes them to the standard input of another program
	(like logrotate or cronolog). The filter takes the IP address in the entry
	(everything before the first space character) and encrypts it, throwing away the key.

	Technically, cryptolog takes 16 bytes of random data from /dev/urandom and
	stores it in a file (called the salt). It then calculates a sha256 hash of the
	salt concatonated with the original IP address, base64-encodes that, and chops
	off the first six characters of the result. That's what gets stored instead of
	the IP address in the resulting log entry.

	Of course this means that if someone who wishes to know the original IP addresses
	gets access to these logs, all they need to know is the salt (which is also
	stored on the hard drive) to uncover the original IPs. In order to prevent this,
	the salt gets updated once a day with a new random 16 bytes. At worst, an attacker
	can only get the last day's worth of original IP addresses.

	Cryptolog makes logs that look like this:
	127.0.0.1 - - [12/May/2011:15:10:20 -0700] "GET / HTTP/1.1" 200 9634 "-" "curl/7.21.3 (x86_64-pc-linux-gnu) libcurl/7.21.3 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18"

	Look like this instead:
	UkezVh - - [12/May/2011:15:10:20 -0700] "GET / HTTP/1.1" 200 9634 "-" "curl/7.21.3 (x86_64-pc-linux-gnu) libcurl/7.21.3 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18"

The string that replaces the IP address will remain the same for the same day, so you can tell
the difference between unique visitors and pageviews.
	"Here are some example CustomLog lines for your Apache config files:

	CustomLog "| /usr/bin/cryptolog -w /root/cryptolog-access.log" combined
	CustomLog "| /usr/bin/cryptolog -c /usr/bin/cronolog\ /root/cryptolog-access-%Y-%m-%d.log" combined
	CustomLog "| /usr/bin/cryptolog -s /tmp/salt_file -w /root/cryptolog-access.log" combined "

## Details from EFF
Cryptolog is a simple Apache log filter to encrypt IP addresses.
Source is EFF Git Service. Last change was Tue, 19 Jul 2011 23:19:36
	"For visitors to our website, we generally log requests to our website through
	a program called cryptolog. Cryptolog takes the IP address portion of the request
	getting logged and encrypts it, as well as a chunk of random data (the salt),
	using a cryptographic hash function. The salt changes every night, which should
	result in making it very difficult for us, or anyone else, to recover IP addresses
	from our logs. We also generally do not log other standard technical information,
	including the browser software you use, your operating system or the Internet
	address of the website from which you followed a link to our site."
	- via https://www.eff.org/policy
Also,
	Details about cryptolog coming soon. For now, you can find the source code at
	https://git.eff.org/?p=cryptolog.git;a=summary
	- via https://www.eff.org/code/cryptolog

Part One is here
https://git.eff.org/?=cryptolog.git;a=blob_plain;f=README;hb=c046709553fbd3fce7a6c99da8b37f0bf054364a
	Via Electronic Freedom Frontier website, under Creative Commons License .../by/3.0/us/
	"Cryptolog is a simple log filter program that reads log file entries from standard input
	and writes to either a file or pipes them to the standard input of another program
	(like logrotate or cronolog). The filter takes the IP address in the entry
	(everything before the first space character) and encrypts it, throwing away the key.

	Technically, cryptolog takes 16 bytes of random data from /dev/urandom and
	stores it in a file (called the salt). It then calculates a sha256 hash of the
	salt concatonated with the original IP address, base64-encodes that, and chops
	off the first six characters of the result. That's what gets stored instead of
	the IP address in the resulting log entry.

	Of course this means that if someone who wishes to know the original IP addresses
	gets access to these logs, all they need to know is the salt (which is also
	stored on the hard drive) to uncover the original IPs. In order to prevent this,
	the salt gets updated once a day with a new random 16 bytes. At worst, an attacker
	can only get the last day's worth of original IP addresses.

	Cryptolog makes logs that look like this:
	127.0.0.1 - - [12/May/2011:15:10:20 -0700] "GET / HTTP/1.1" 200 9634 "-" "curl/7.21.3 (x86_64-pc-linux-gnu) libcurl/7.21.3 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18"

	Look like this instead:
	UkezVh - - [12/May/2011:15:10:20 -0700] "GET / HTTP/1.1" 200 9634 "-" "curl/7.21.3 (x86_64-pc-linux-gnu) libcurl/7.21.3 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18"

	The string that replaces the IP address will remain the same for the same day, so you can tell
	the difference between unique visitors and pageviews.
	"Here are some example CustomLog lines for your Apache config files:

	CustomLog "\| /usr/bin/cryptolog -w /root/cryptolog-access.log" combined
	CustomLog "\| /usr/bin/cryptolog -c /usr/bin/cronolog\ /root/cryptolog-access-%Y-%m-%d.log" combined
	CustomLog "\| /usr/bin/cryptolog -s /tmp/salt_file -w /root/cryptolog-access.log" combined "
	Cryptolog is a simple Apache log filter to encrypt IP addresses.
	Source is EFF Git Service. Last change was Tue, 19 Jul 2011 23:19:36
	"For visitors to our website, we generally log requests to our website through
	a program called cryptolog. Cryptolog takes the IP address portion of the request
	getting logged and encrypts it, as well as a chunk of random data (the salt),
	using a cryptographic hash function. The salt changes every night, which should
	result in making it very difficult for us, or anyone else, to recover IP addresses
	from our logs. We also generally do not log other standard technical information,
	including the browser software you use, your operating system or the Internet
	address of the website from which you followed a link to our site."
	- via https://www.eff.org/policy
	Also,
	Details about cryptolog coming soon. For now, you can find the source code at
	https://git.eff.org/?p=cryptolog.git;a=summary
	- via https://www.eff.org/code/cryptolog

	Part One is here
	https://git.eff.org/?=cryptolog.git;a=blob_plain;f=README;hb=c046709553fbd3fce7a6c99da8b37f0bf054364a