We started to implement Graylog a while ago and included a few sources: firewall, domain controller, NetScaler, …
Recently, we had a little discussion about syslog messages, winlogbeat and a hacker who tries to flood Graylog to hide his traces.
As far as I understand, Graylog accepts syslog messages from any source, as long as they are sent to the right port. A potential hacker could try to flood our Graylog by sending arbitrary syslog messages. As the syslog messages are written into an index and the index will be "rolled over" after x messages and y indices, the traces of the hacker could be lost.
What are the countermeasures? Is there a best practice guide?
Is there a way to limit the sources, which are allowed to send syslog messages to graylog?
Is it recommended to create an index per source system? So each source system needs a stream and index?
Do you keep all messages in the default index or do you delete the messages from the default index, as soon as they are written into a separate index?
Thank you for your input. The only thing that I found in the referenced documentation is this: Secured Graylog and Beats input - Securing Graylog.
If I understand this correctly, I could implement certificates to secure the authentication and communication between sender and Graylog.
Well, as our Graylog server is not exposed to the internet, I do not need to over-protect the system. Certificates are always a pain to implement and to manage. I would prefer to have an IP-based whitelist of possible sources which could provide data to Graylog.
iptables -P FORWARD DROP # we aren't a router, so never forward packets
iptables -A INPUT -m state --state INVALID -j DROP # drop packets that belong to no known connection state
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # allow replies to connections this host opened
iptables -A INPUT -i lo -j ACCEPT # local processes (Graylog, Elasticsearch, MongoDB) may talk to each other
iptables -A INPUT -s 192.168.1.1 -j ACCEPT # the only source allowed to send to Graylog; add one line per log source
iptables -P INPUT DROP # Drop everything we don't accept (default policy, so order of the rules above does not matter for it)
OR, if you need a range of IP addresses, something like this.
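As an added example (my own script, not from the thread or from Graylog): the same IP-based whitelist idea, but restricted to the syslog input port and accepting CIDR ranges as well as single hosts. It only prints the iptables commands so you can review them first, and it validates every source before anything is emitted. Assumptions not stated in the thread: the syslog input listens on port 1514, IPv4 only, and the per-source flood threshold (hashlimit, 500 packets/sec) is a placeholder to tune to your real log volume; the threshold addresses the original question of an allowed host that starts flooding to roll the index over.

```shell
#!/bin/sh
# Added example, not from the thread: print an iptables allowlist for the Graylog
# syslog input from a list of sources (single IPv4 addresses or CIDR ranges).
# Assumptions: input on port 1514 (change PORT on the command line), IPv4 only,
# FLOOD_LIMIT is a placeholder rate to be tuned per environment.

# valid_source ADDR[/PREFIX]: returns 0 for a dotted-quad IPv4 address with an
# optional prefix length 0..32, 1 otherwise. Keeps junk away from iptables.
valid_source() {
    ip=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32            # no "/" given: single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    octets=0
    oldifs=$IFS
    IFS=.
    for o in $ip; do
        IFS=$oldifs
        case "$o" in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric octet
        [ "$o" -le 255 ] || return 1
        octets=$((octets + 1))
    done
    IFS=$oldifs
    [ "$octets" -eq 4 ]
}

# build_rules PORT SOURCE...: print one iptables command per line. Nothing is
# applied here; pipe the output to `sudo sh` once you have reviewed it.
build_rules() {
    port=$1; shift
    [ $# -ge 1 ] || { echo "build_rules: need at least one source" >&2; return 1; }
    for src in "$@"; do
        valid_source "$src" || { echo "build_rules: invalid source '$src'" >&2; return 1; }
    done
    # Per-source packet rate cap (placeholder value): an allowed host that starts
    # flooding is throttled before it can push the index over its rollover limit.
    echo "iptables -A INPUT -p udp --dport $port -m hashlimit --hashlimit-mode srcip --hashlimit-above ${FLOOD_LIMIT:-500/sec} --hashlimit-name graylog_syslog -j DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Only listed sources may reach the syslog input, over UDP or TCP.
    for src in "$@"; do
        echo "iptables -A INPUT -s $src -p udp --dport $port -j ACCEPT"
        echo "iptables -A INPUT -s $src -p tcp --dport $port -j ACCEPT"
    done
    # Everyone else is dropped on the syslog port; other ports keep the chain's policy.
    echo "iptables -A INPUT -p udp --dport $port -j DROP"
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Usage: sh graylog_allowlist.sh 1514 192.168.1.1 10.10.0.0/16            # review
#        sh graylog_allowlist.sh 1514 192.168.1.1 10.10.0.0/16 | sudo sh  # apply
if [ $# -ge 2 ]; then
    build_rules "$@"
fi
```

Unlike the rules in the post above, this set does not change the INPUT policy, so it can be dropped into an existing firewall configuration; the final two DROP lines only close the syslog port. The hashlimit rule is placed first on purpose: an allowed source that exceeds the rate is throttled even though it is whitelisted, which is the scenario the original question worries about, at the price of losing that host's excess messages during the burst.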