Graylog for Integrity Log Hashing

Hi all,

Curious, GL has the capability to hash through pipelines that eventually get indexed. Correct? Is there a way to check whether that capability has been implemented? What is a pipeline in this context, and how is it being hashed? Where can we see the hashes to check whether an indexed set of logs has matching hashes? If configured/possible, does it alert if an alteration to the logs has been made?

Thank you
Jenn

Hi @cattpla,

There is nothing ready to use. You have to do it all by hand. But here is what I did just now:

  1. Created a Pipeline rule like this:
rule "create sha512 of message"
when
  has_field("message")
then
  let hash = sha512(to_string($message.message));
  set_field("hash_sha512", hash);
end

And add the rule to a pipeline connected to a stream.
Now the messages will get a new field containing the hash.

  2. I created a second pipeline rule where I do a check against the saved field:
rule "validate sha512 of message"
when
  has_field("message")
then
  let hash = sha512(to_string($message.message));
  let saved_hash = to_string($message.hash_sha512);
  let valid = hash == saved_hash;
  set_field("valid_message", to_bool(valid));
end

This pipeline I use for a decorator, which means the second field valid_message will not be stored permanently but only displayed in a message table.

Now I can see in the message table if the message still has the same checksum.

But to be honest, this is not really adding security. If an attacker can manipulate the message in your Elasticsearch, then he can change the stored checksum as well.

- Konrad

5 Likes
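The caveat at the end of the reply above, worked through as an added example that is not part of the original thread or of Graylog: a checksum stored next to the message catches an edit to the message alone, but not an edit where the checksum is recomputed too. It goes beyond the thread by contrasting this with a keyed HMAC whose key is held outside the log store; the `hmac_sha512` field, the key and the sample log line are constructed for illustration, and lowercase hex digests are an assumption.

```python
import hashlib
import hmac

def sha512_hex(message: str) -> str:
    """Unkeyed digest, playing the role of the hash_sha512 field from the first rule."""
    return hashlib.sha512(message.encode("utf-8")).hexdigest()

def hmac_sha512_hex(key: bytes, message: str) -> str:
    """Keyed digest; the key is assumed to be stored outside the log store."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha512).hexdigest()

def index_message(message: str, key: bytes) -> dict:
    """Build the stored document (hmac_sha512 is a hypothetical extra field)."""
    return {
        "message": message,
        "hash_sha512": sha512_hex(message),
        "hmac_sha512": hmac_sha512_hex(key, message),
    }

def valid_plain(doc: dict) -> bool:
    """Same comparison as the 'validate sha512 of message' rule."""
    return hmac.compare_digest(sha512_hex(doc["message"]), doc["hash_sha512"])

def valid_keyed(doc: dict, key: bytes) -> bool:
    """Recompute the HMAC with the externally held key and compare."""
    return hmac.compare_digest(hmac_sha512_hex(key, doc["message"]), doc["hmac_sha512"])

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed value, not a real secret
    stored = index_message("sshd: Failed password for root from 192.0.2.10", key)

    # Case 1: only the message field is changed in the store.
    edited = dict(stored, message="sshd: Accepted password for root from 192.0.2.10")
    # Case 2: the message is changed and the unkeyed hash is recomputed,
    # which needs nothing beyond write access to the stored document.
    rewritten = dict(edited, hash_sha512=sha512_hex(edited["message"]))

    return {
        "untouched": (valid_plain(stored), valid_keyed(stored, key)),
        "message_only": (valid_plain(edited), valid_keyed(edited, key)),
        "message_and_hash": (valid_plain(rewritten), valid_keyed(rewritten, key)),
    }

if __name__ == "__main__":
    for case, (plain_ok, keyed_ok) in demo().items():
        print(f"{case:17} plain_valid={plain_ok} keyed_valid={keyed_ok}")
```

A keyed digest per message still does not reveal that a whole message was deleted.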

Wow! Thank you for the incredible response and opinion. This will certainly help with the decision making process.

Jenn