Electronic evidence for court by Graylog

Hi guys

Is the data indexed by Graylog admissible as evidence in court ? if yes How ?

ohhh… It is a hard topic…
So only my opinion:
First of all, I don’t known your local legal, so that could be the start point.
In general about logging, not just Graylog:
To be an evidence you should evince the logs contains every information and you didn’t modify it.
And if you start it from the beginning, can you evince a “blackbox” software sends logs about what you set? Eg. Microsoft exchanges logs all things? You don’t know the source code, so you can’t be sure it logs all things about a special user’s things.
After that, there is the network part. The UDP doesn’t provide 100% package transmission. Or you can use a “proxy” to modify/drop packages. (And also the graylog drop UDP messages at the java’s GC process.)
At the processing can you evince you don’t modify/drop any messages by rules or any problems?
Also you can make changes or delete in the database. Or at the export…
So I can’t imagine a word where you could do everything to avoid this things…

BUT, I have seen many times, when the police or the court used simple (eg. syslog-ng/rsyslog collected, without any hardening, or special things on the logs (timestamps)) logs. Or a proxy’s processed logs (squid with sarg)…

1 Like

Hi macko003

Thank you for your valuable answer

Does the Graylog not have a feature or Method for this purpose?

I don’t know about it. But the graylog is only a little point in the big picture… :frowning: So if it has, you can’t do so much with it…
You can only try to avoid the log modify/delete.
Eg. Use password for elasticsearch, and monitor the delete/modify counts of the database.
Use TLS for the log transport, and do config backups.
Export(elasticsearch snapshot) the logs, and make a timestamp on the data.
In this case if you need it, you can show your config, the TLS can provide point-to-point communication.
With the graylog’s mongodb config you can evince you don’t set rules to drop, etc…
With monitoring log’s, you didn’t delete logs from database.
With timestamp the integrity of the exported database
etc…

BUT with syslog-ng I saw another solution, it keeps the logs in file, rotate in every 15 minutes, and after the rotation did a timestamp about that. There is also possible to modify the logs in this 15 minutes, and modify it in transit… So based on my previous post, You can’t be sure, there are no point in your system where you can do some bad things with the logs…

hi
thanks a lot
According to your tips useful , I got the complete answer.
I was looking for a " log sign" feature into Graylog :blush:

It isn’t a good solution. To be sure, you need to sign every messages, but it is a very huge traffic, so it is better to do it in batches. But the Graylog process every messages one-by-one, without any connection between the messages.

hi
OK, thanks a lot macko

well , how can I do it in batches ?? :upside_down_face:

With graylog, I have no idea.
Maybe do elasticseach snapshots.
But I told it in general.

1 Like