Graylog and security principals

Dear community,

we started to implement Graylog a while ago and included a few sources: firewall, domain controller, NetScaler, …
Recently, we had a little discussion about syslog messages, winlogbeat and a hacker who tries to flood Graylog to hide his traces.

As far as I understand, Graylog accepts syslog messages from any source, as long as they are sent to the right port. A potential hacker could try to flood our Graylog by sending arbitrary syslog messages. As the syslog messages are written into an index and the index will be “rolled over” after x messages and y indices, the traces of the hacker could be lost.

What are the countermeasures? Is there a best practice guide?

  • Is there a way to limit the sources which are allowed to send syslog messages to Graylog?
  • Is it recommended to create an index per source system? So each source system needs a stream and index?
  • Do you keep all messages in the default index, or do you delete the messages from the default index as soon as they are written into a separate index?

Any feedback is highly welcome.

Take care,
Chris

You can secure your inputs by running them over TCP with TLS.

2 Likes

Dear @patrickmann

thank you for your input. The only thing that I found in the referenced documentation is this: Secured Graylog and Beats input - Securing Graylog.
If I understand this correctly, I could implement certificates to secure the authentication and communication between sender and Graylog.
Well, as our Graylog server is not exposed to the internet, I do not need to over-protect the system. :) Certificates are always a pain to implement and to manage. I would prefer to have an IP-based whitelist of possible sources which could provide data to Graylog.

So if Graylog is not exposed to the Internet, then rely on other security configuration such as:

SELinux, firewalls/iptables, etc.

Example:

iptables -A INPUT -s FROMIP.1 -p tcp --dport 5044 -j ACCEPT   # allow one source host (FROMIP.1 is a placeholder) to reach the Beats input on 5044

OR

iptables -P FORWARD DROP # we aren't a router
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.1 -j ACCEPT
iptables -P INPUT DROP # Drop everything we don't accept

OR if you need a range of IP addresses something like this.

iptables -A INPUT -p tcp --destination-port 5044 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT   # allow a contiguous range of source addresses to reach port 5044

If you stack security configurations, I think this would be your best bet for an internal Graylog server.

Of course, it depends on how secure you want the Graylog node to be.

This is the only whitelist I see.

1 Like
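The iptables approach sketched in this reply, consolidated into one script as an added example; it is not code from the thread or from the Graylog project. It assumes the input ports 514, 1514 and 5044 and a constructed sample allowlist, keeps the rules in a dedicated chain so re-running is idempotent, and logs (rate-limited) whatever unlisted host still tries to reach the input ports, so a flooding attempt from an unexpected sender leaves a trace in the OS log rather than in a Graylog index.

```sh
#!/bin/sh
# Added example: restrict Graylog input ports to an allowlist of log sources with a
# dedicated iptables chain. Not Graylog project code. Ports and addresses are assumptions;
# adjust them to the inputs actually configured. GRAYLOG_DRY_RUN=1 prints the commands.

GRAYLOG_CHAIN="GRAYLOG_INPUTS"
GRAYLOG_PORTS="${GRAYLOG_PORTS:-514 1514 5044}"   # assumed: syslog, unprivileged syslog, Beats
GRAYLOG_SOURCES="${GRAYLOG_SOURCES:-192.168.1.1 192.168.1.100-192.168.1.200}"  # constructed sample list

# Run an iptables command, or just print it when dry-running.
ipt() {
  if [ "${GRAYLOG_DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Build the iptables source match for a single host or a dash-separated host range.
graylog_source_match() {
  case "$1" in
    *-*) echo "-m iprange --src-range $1" ;;
    *)   echo "-s $1" ;;
  esac
}

# Rebuild the chain so only allowlisted sources reach the input ports. Anything else
# aimed at those ports is logged (rate-limited, so a flood cannot fill the OS log) and
# dropped, which makes an unexpected sender visible instead of letting it fill an index.
graylog_apply_allowlist() {
  ipt -N "$GRAYLOG_CHAIN" 2>/dev/null || true   # create the chain if it does not exist
  ipt -F "$GRAYLOG_CHAIN"                        # flush it so re-running the script is idempotent
  for port in $GRAYLOG_PORTS; do
    for proto in tcp udp; do
      for src in $GRAYLOG_SOURCES; do
        # the match expands to two or four words, so it is deliberately left unquoted
        ipt -A "$GRAYLOG_CHAIN" -p "$proto" --dport "$port" $(graylog_source_match "$src") -j ACCEPT
      done
      ipt -A "$GRAYLOG_CHAIN" -p "$proto" --dport "$port" -m limit --limit 10/min \
          -j LOG --log-prefix "graylog-input-denied: "
      ipt -A "$GRAYLOG_CHAIN" -p "$proto" --dport "$port" -j DROP
    done
  done
  # Hook the chain into INPUT once; -C checks whether the jump is already present.
  if [ "${GRAYLOG_DRY_RUN:-0}" = "1" ] || ! iptables -C INPUT -j "$GRAYLOG_CHAIN" 2>/dev/null; then
    ipt -I INPUT -j "$GRAYLOG_CHAIN"
  fi
}

# Apply only when invoked as "sh graylog-allowlist.sh apply"; sourcing just defines the functions.
if [ "${1:-}" = "apply" ]; then graylog_apply_allowlist; fi
```

Run it once with GRAYLOG_DRY_RUN=1 to review the generated rules before applying them as root, and remember that a host-level allowlist does not replace TLS on the inputs if the sender addresses can be spoofed on the network path.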

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.