Hello,
quick one: does Graylog have any anti-tamper option?
What exactly do you mean by "anti-tamper"?
Some feature that tells me if a log message hasn't been tampered with or modified by something.
Did you review this?
I've seen it but it doesn't seem to be a proper option for that.
I would think encrypting communication and setting access controls would accomplish that. Anything more would require some way to compare the original log to the log entered in Graylog. Though Graylog itself will "tamper" with the logs through parsing, pipelines and what not.
I am not aware of any way to do that, short of manually reviewing logs in both places for inconsistencies. Maybe someone else would have a more satisfactory answer.
If you're asking how to tell if a log that is stored by Graylog in the Elastic DB got edited, I suppose you could monitor the Elastic logs for logins and field edits, as well as the server hosting the Elastic DB.
I have not done that but I don't see why you couldn't.
Thanks for your reply. I've also found this topic https://community.graylog.org/t/graylog-for-integrity-log-hashing/15570 but I don't understand how the pipeline rules work.
Let's see if I've understood the process: a message comes into Graylog and goes into a Stream where I can apply pipeline rules. One of the rules generates the hash of the message field and the other one verifies the hash. That means the message will be valid only if there's been no edit between the two rules that are applied in sequence. But if the message has been edited before the pipeline rules are applied, the hash and the verification are still valid.
AFAIK Graylog sets the Elasticsearch index as read-only after rotation.
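The two-rule scheme described in the post above, as an added example that is not part of the original thread or of Graylog's pipeline rule language: a "hashing rule" runs once at ingest and attaches an integrity tag as a new field, and a "verification rule" (or a later audit job) recomputes the tag over the stored fields and compares. The example also makes two caveats concrete. A plain SHA-256 stored next to the message only catches edits by someone who forgets to update the hash field, because anyone who can edit the document can recompute it; an HMAC under a key that lives only on the ingest node (an assumption of this example) cannot be recomputed by whoever edits storage. And, exactly as the post says, an edit made before the hashing rule runs is invisible to both. The field names, the key and the sample event are all constructed for this demonstration.

```python
"""Hash-at-ingest / verify-later integrity tags on log events (added example)."""
import hashlib
import hmac
from typing import Dict, Tuple

# Fields covered by the tag. Constructed for this example; a real pipeline
# would cover whichever fields must stay immutable after ingest.
INTEGRITY_FIELDS: Tuple[str, ...] = ("timestamp", "source", "message")

# Assumption: this key exists only on the ingest node, never on the
# search/storage nodes, so editing a stored document does not allow
# recomputing the HMAC. Replace with a random 32-byte secret in practice.
INGEST_KEY = b"example-key-replace-with-a-random-32-byte-secret"


def canonical_bytes(msg: Dict[str, str]) -> bytes:
    """Deterministic serialization of the covered fields, in fixed order.

    Missing fields serialize as empty so the tag is well defined for every event.
    """
    return "\x1f".join(f"{f}={msg.get(f, '')}" for f in INTEGRITY_FIELDS).encode("utf-8")


def plain_hash(msg: Dict[str, str]) -> str:
    """Unkeyed tag: what a simple 'sha256 of the message field' rule would store."""
    return hashlib.sha256(canonical_bytes(msg)).hexdigest()


def keyed_tag(msg: Dict[str, str]) -> str:
    """Keyed tag: only a holder of INGEST_KEY can produce a matching value."""
    return hmac.new(INGEST_KEY, canonical_bytes(msg), hashlib.sha256).hexdigest()


def hash_rule(msg: Dict[str, str]) -> Dict[str, str]:
    """'Rule 1': runs once at ingest and attaches both tags as new fields."""
    tagged = dict(msg)
    tagged["integrity_sha256"] = plain_hash(msg)
    tagged["integrity_hmac"] = keyed_tag(msg)
    return tagged


def verify_rule(msg: Dict[str, str]) -> Dict[str, bool]:
    """'Rule 2' or a later audit: recompute over the stored fields and compare.

    compare_digest avoids leaking where the strings first differ.
    """
    return {
        "sha256_ok": hmac.compare_digest(msg.get("integrity_sha256", ""), plain_hash(msg)),
        "hmac_ok": hmac.compare_digest(msg.get("integrity_hmac", ""), keyed_tag(msg)),
    }


def scenarios() -> Dict[str, Dict[str, bool]]:
    """Three cases: untouched, edited after hashing, edited before hashing."""
    # Constructed sample event; not a real Graylog document.
    original = {
        "timestamp": "2024-01-01T00:00:00Z",
        "source": "web01",
        "message": "sshd[123]: Accepted publickey for deploy from 10.0.0.5",
    }
    forged_line = "sshd[123]: Accepted publickey for deploy from 10.0.0.7"

    # 1. Nothing changed between the hashing rule and verification: both pass.
    stored = hash_rule(original)
    untouched = verify_rule(stored)

    # 2. Edited in storage after the hashing rule ran. The editor also
    #    recomputes the plain hash (no key needed), so only the HMAC fails.
    edited = dict(stored)
    edited["message"] = forged_line
    edited["integrity_sha256"] = plain_hash(edited)
    edited_after = verify_rule(edited)

    # 3. Edited before the hashing rule ran (e.g. on the wire or at the source):
    #    both tags are computed over the forged text, so both checks pass.
    pre_edited = dict(original)
    pre_edited["message"] = forged_line
    edited_before = verify_rule(hash_rule(pre_edited))

    return {"untouched": untouched, "edited_after": edited_after, "edited_before": edited_before}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:13s} sha256_ok={result['sha256_ok']!s:5s} hmac_ok={result['hmac_ok']}")
```

The takeaway for the thread's question: a hash computed inside the pipeline can only vouch for the document from the moment the hashing rule ran, and it only resists a deliberate edit if the verifier's secret is not available wherever the edit is made. Transport encryption and access control, as suggested earlier in the thread, are what protect the span before the hashing rule.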
Sounds like you got it.