I want to ask about Graylog and the stored data that it gathers from other computers, servers, etc.

Our company will get an ISO inspection, and in the pre-evaluation they asked us whether the logs stored on the server running Graylog are immutable.

I know that if you have root access etc. on the server and access to Elasticsearch you can do many sorts of things.

The question is: from the web GUI, can the administrator, apart from deleting the indices etc., manipulate the already stored log data?

Thank you.

You would set the roles for other users to prevent accidental deletion of indices.

Manipulating logs once they are indexed is not very common. You would need to secure your Graylog server. The person who is orchestrating the security policies for this environment would hopefully have an LPIC-3 Security certification at least.

If you are worried about security within this DMZ, I would highly suggest making GPOs for your environment to prevent users from doing such things as sabotage or other accidents happening.
On a side note, with the Graylog Enterprise version you could sync your user roles (Teams), but you have to keep it under 5GB a day.

Hope that helps.
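Since the thread's real question is whether an auditor can be shown that stored logs were not altered after the fact, here is an added example (not part of the original posts and not a Graylog feature) of a compensating control: a keyed hash chain over an exported batch of messages, with the key and the resulting digests kept off the Graylog host. The sample records are constructed; the field names mimic a Graylog search export but nothing here calls the Graylog API.

```python
import hashlib
import hmac
import json

# Constructed sample export (three records in Graylog-like shape); not real data.
SAMPLE_EXPORT = [
    {"timestamp": "2024-01-01T10:00:00.000Z", "source": "web01",
     "message": "sshd: Accepted publickey for deploy"},
    {"timestamp": "2024-01-01T10:00:05.000Z", "source": "web01",
     "message": "sudo: deploy : COMMAND=/bin/systemctl restart nginx"},
    {"timestamp": "2024-01-01T10:00:09.000Z", "source": "db01",
     "message": "postgres: connection authorized: user=app"},
]


def canonical(record):
    """Serialize a record deterministically so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_chain(records, key):
    """Return one hex digest per record; each digest covers the record AND the previous digest.
    Using an HMAC with a key that is not stored on the Graylog/Elasticsearch host means
    someone with root or database access cannot silently recompute the chain after an edit.
    Store the chain (or at least its last digest) outside the log server as well, otherwise
    a truncation of the tail of both lists would go unnoticed."""
    prev = b""
    chain = []
    for rec in records:
        digest = hmac.new(key, prev + canonical(rec), hashlib.sha256).hexdigest()
        chain.append(digest)
        prev = digest.encode()
    return chain


def verify_chain(records, chain, key):
    """Return -1 if every record still matches its stored digest, otherwise the index of the
    first mismatch. A length mismatch (a record inserted or removed) is reported at the
    position where the two lists diverge in length."""
    if len(records) != len(chain):
        return min(len(records), len(chain))
    prev = b""
    for i, rec in enumerate(records):
        expected = hmac.new(key, prev + canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, chain[i]):
            return i
        prev = expected.encode()
    return -1
```

Re-running `verify_chain` on a fresh export against the off-host chain shows the auditor which record (if any) changed; it does not make the data immutable, it makes changes detectable.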

