I’m working for a small full-service MSP and we are thinking it would be nice to set up a Graylog server to pull logs from our managed networks. This does come with some challenges though. I’ve been able to figure out most of them, but am curious what others do for encrypting log data going across the net?
I have the Graylog server running v4.2.9 and have inputs working for devices on its local network. I’m planning to use Sidecar for log collector management.
The plan we’re bouncing around is to have a log collector machine running on each managed network and set the various devices to send the data to the collector. This in turn would forward the data to a graylog input using a tcp connection. I was planning to use certificates to secure the connection, but am not sure how these certs work.
Do I need a CA to generate these certs? And if so, how do others do that? We don’t have a CA for anything else. The Graylog UI is using Let’s Encrypt for its HTTPS connection.
Could I somehow use the Let’s Encrypt certs for the input as well? Or do I need other certs?
Do I need a cert on both ends of the TCP connection? Or can I just have one on the server side and not on the client?
Or should I dump certs entirely and look at some sort of VPN method to handle encryption instead?
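Added example, not code from the thread or from Graylog: a POSIX shell script that builds the pieces the questions above ask about (a private CA, a server cert for the TCP input, a client cert for a collector) and checks that both leaf certs chain to the CA. The hostnames graylog.example.invalid and collector1.example.invalid, the CN values and the lifetimes are assumptions; it needs openssl on PATH.

```shell
#!/bin/sh
# Added example, not Graylog's code: a private CA for the collector -> input TLS hop.
# Assumed names: graylog.example.invalid (input host), collector1.example.invalid.
set -eu

# issue_cert DIR NAME SUBJECT EXT...: new key + CSR, signed by DIR/ca.crt.
# Keys are written unencrypted (-nodes) because the services read them at
# startup, so DIR must be readable only by the accounts that need it.
issue_cert() {
  dir=$1; name=$2; subj=$3; shift 3
  printf '%s\n' "$@" > "$dir/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
    -out "$dir/$name.csr" -subj "$subj" 2>/dev/null
  openssl x509 -req -days 825 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# make_log_pki DIR: root CA, server cert for the input, client cert for a collector.
make_log_pki() {
  dir=$1; mkdir -p "$dir"
  # 1. Self-signed root. basicConstraints is set explicitly so the result is a
  #    real CA whatever the local openssl.cnf defaults are. ca.key should not
  #    stay on the Graylog host once the leaf certs are issued.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.csr" -subj "/CN=MSP Log CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server cert: the SAN must be the name collectors connect to.
  issue_cert "$dir" server "/CN=graylog.example.invalid" \
    'subjectAltName=DNS:graylog.example.invalid' 'extendedKeyUsage=serverAuth'
  # 3. Client cert: if the input requires client auth, a peer that merely
  #    reaches the port cannot feed it logs; it must present this cert.
  issue_cert "$dir" client "/CN=collector1.example.invalid" 'extendedKeyUsage=clientAuth'
  # Graylog reads the input's private key as PKCS#8 PEM; convert explicitly.
  openssl pkcs8 -topk8 -nocrypt -in "$dir/server.key" -out "$dir/server.pkcs8.key"
}

# verify_log_pki DIR: exit 0 only if both leaf certs chain to ca.crt for their purpose.
verify_log_pki() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/server.crt" &&
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt"
}

# Run directly:  sh make_log_pki.sh ./pki
if [ $# -eq 1 ]; then make_log_pki "$1" && verify_log_pki "$1"; fi
```

In broad terms the files then split up as: server.crt and server.pkcs8.key go on the Graylog input, client.crt and client.key go on the collector, and ca.crt goes to both sides (the collector uses it to check the input, the input uses it as the trusted client CA). Only the public ca.crt ever leaves the machine that signed the certs.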
We use MS AD, VPNs with certificates, gateway servers with authentication software like DUO, and ACLs on switches.
Best advice I can give you is to use multiple security techniques. To be honest, most, if not all, can be hacked.
By stacking security measures this makes it harder to get access to sensitive data, and by monitoring the network you may catch an intrusion before harm can be done.
90% of the time if an issue arises it’s because someone clicked a link in an email or web UI that they should not have, so education would be the next priority, or simply create a firewall rule to prevent that.
Thanks for all the help. I’ve been distracted by other things the last 2 weeks, including trying to figure out just what we want to use as our certificate store, but I’m finally moving on to actually configuring Graylog again.
I’ll let you know if i need more help.