Anti tamper option

Hello,

quick one: does Graylog have any anti-tamper option?

What exactly do you mean by “anti-tamper”?

Some feature that tells me if a log message hasn’t been tampered with or modified by something.

Did you review this?


I’ve seen it but it doesn’t seem to be a proper option for that.

I would think encrypting communication and setting access controls would accomplish that. Anything more would require some way to compare the original log to the log entered in Graylog. Though Graylog itself will “tamper” with the logs through parsing, pipelines and whatnot.

I am not aware of any way to do that, short of manually reviewing logs in both places for inconsistencies. Maybe someone else would have a more satisfactory answer.

If you’re asking how to tell if a log that is stored by Graylog in the Elastic DB got edited, I suppose you could monitor the Elastic logs for logins and field edits, as well as the server hosting the Elastic DB.

I have not done that but I don’t see why you couldn’t.

Thanks for your reply, I’ve found also this topic https://community.graylog.org/t/graylog-for-integrity-log-hashing/15570 but I don’t understand how the pipeline rules work.

Let’s see if I’ve understood the process: a message comes into Graylog and goes into a Stream where I can apply pipeline rules. One of the rules generates the hash of the message field and the other one verifies the hash. That means the message will be valid only if there’s been no edit between the two rules that are applied in sequence. But if the message has been edited before the pipeline rules are applied, the hash and the verification are still valid.
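To make the two-rule flow described in this post concrete, here is an added Python model of it. It is not Graylog pipeline code and not from this thread; the field names `message_sha256` and `message_hmac`, the sample message and the demo key are all constructed for the example. It runs the scenarios the post reasons about (edit after hashing, edit before hashing) and adds one more that matters in practice: if the hash is stored next to the message, whoever can edit the stored document can also recompute the hash, so a keyed variant (HMAC with a key that never reaches Elasticsearch) is shown beside the plain one.

```python
import hashlib
import hmac

# Constructed sample message (not from the thread), shaped like a
# Graylog message after ingest: a flat dict of fields.
SAMPLE = {
    "source": "host-01",
    "message": "sshd[1234]: Accepted publickey for alice from 10.0.0.5",
}

# Hypothetical secret held only by the pipeline, never written to the index.
DEMO_KEY = b"demo-key-replace-me"


def hash_rule(msg, field="message"):
    """First rule of the post's scheme: store sha256(field) in a new field."""
    out = dict(msg)
    out[field + "_sha256"] = hashlib.sha256(out[field].encode("utf-8")).hexdigest()
    return out


def verify_rule(msg, field="message"):
    """Second rule: recompute sha256(field) and compare with the stored value."""
    stored = msg.get(field + "_sha256")
    if stored is None:
        return False
    actual = hashlib.sha256(msg[field].encode("utf-8")).hexdigest()
    return hmac.compare_digest(stored, actual)


def keyed_hash_rule(msg, key, field="message"):
    """Keyed variant: HMAC-SHA256 with a key the index editor does not hold."""
    out = dict(msg)
    out[field + "_hmac"] = hmac.new(key, out[field].encode("utf-8"), "sha256").hexdigest()
    return out


def keyed_verify_rule(msg, key, field="message"):
    """Recompute the HMAC with the pipeline's key and compare."""
    stored = msg.get(field + "_hmac")
    if stored is None:
        return False
    actual = hmac.new(key, msg[field].encode("utf-8"), "sha256").hexdigest()
    return hmac.compare_digest(stored, actual)


def edited(msg, old, new):
    """Return a copy of msg with a substring of the message field replaced."""
    out = dict(msg)
    out["message"] = out["message"].replace(old, new)
    return out


def run_scenarios():
    sealed = hash_rule(SAMPLE)
    # 1. Untouched message: stored and recomputed hashes agree.
    intact = verify_rule(sealed)
    # 2. Edit after hashing: the recomputed hash no longer matches.
    edit_after = verify_rule(edited(sealed, "alice", "bob"))
    # 3. Edit before hashing (the post's caveat): the hash covers the
    #    edited text, so verification still passes.
    edit_before = verify_rule(hash_rule(edited(SAMPLE, "alice", "bob")))
    # 4. Edit after hashing and overwrite the stored plain hash as well:
    #    a plain hash stored beside the message cannot tell this apart.
    forged_plain = verify_rule(hash_rule(edited(sealed, "alice", "bob")))
    # 5. Same edit against the keyed variant: without the key the stored
    #    HMAC stays stale and verification fails.
    sealed_keyed = keyed_hash_rule(SAMPLE, DEMO_KEY)
    forged_keyed = keyed_verify_rule(edited(sealed_keyed, "alice", "bob"), DEMO_KEY)
    return {
        "intact": intact,              # True
        "edit_after": edit_after,      # False
        "edit_before": edit_before,    # True
        "forged_plain": forged_plain,  # True
        "forged_keyed": forged_keyed,  # False
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: verify={ok}")
```

Scenario 3 is exactly the limitation the post identifies: a hash only proves the message has not changed since the hash was taken, not that it was correct when it arrived. Scenario 4 is the reason to prefer the keyed form (or an external, append-only record of the digests) when the threat you care about is someone with write access to the index itself.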

AFAIK Graylog sets the Elasticsearch index as read-only after rotation.

Sounds like you got it.
