Graylog and security principals

Dear community,

we started to implement Graylog a while ago and and included a few sources: firewall, domain controler, NetScaler, …
Recently, we had a little discussion about syslog-messages, winlogbeat and an hacker, who tries to flood graylog to hide his traces.

As far as I understand, Graylog accepts syslog messages from any source, as long as it is send to the right port. A potential hacker could try to flood our graylog by sending arbitrary syslog messages. As the syslog messages are written into an index and the index will be “rolled over” after x messages and y indices, the traces of the hacker could be lost.

What are the counter measures? Is there a best practice guide?

  • Is there a way to limit the sources, which are allowed to send syslog messages to graylog?
  • Is it recomended to create an index per source system? So each source system needs a stream and index?
  • Do you keep all messages in the default index or do you delete the messages from the default index, as soon as they are written into a separate index?

Any feedback is highly welcome.

Take care,

You can secure your inputs by running them over TCP with TLS.


Dear @patrickmann

thank you for your input. The only thing, that I found in the referenced documentation is this: Secured Graylog and Beats input - Securing Graylog.
If I understand this correctly, I could implement certificates to secure the authentication and communication between sender and Graylog.
Well, as our Graylog server is not exposed to the internet, I do not need to over-protect the system. :slight_smile: certificates are always a pain to implement and to manage. I would prefer to have an IP-based whitelist of possible sources, which could provide data to graylog.

So if Graylog is not exposed to the Internet. Then relying on other security configuration such as:

Selinux, Firewalls/IP Tables, etc…


iptables -A INPUT -s FROMIP.1 -p tcp --dport 5044 -j ACCEPT


iptables -P FORWARD DROP # we aren't a router
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -P INPUT DROP # Drop everything we don't accept

OR if you need a range of IP addresses something like this.

iptables -A INPUT -p tcp --destination-port 5044 -m iprange --src-range -j ACCEPT  

If you Stack Security configuration, I think this would be your best bet for an Internal Graylog Servers.

Of course it depend on how secure you want Graylog node to be.

This is the only white list I see.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.