ISO inspection Data manipulation

Moultrex · December 7, 2021, 10:06am

Hello.

I want to ask about Graylog and the stored data that gathers from other computers, servers etc.

Our company will get an ISO Inspection and on the pre evaluation asked us if the Logs Stored in the server running Graylog are immutable.

I know if you have root access etc on the server and access to elasticsearch you can do many short of things.

The question is. From the web gui can the Administrator except from deleting the indexes etc, manipulate the already stored data of the logs?

Thank you.

gsmith · December 7, 2021, 11:51pm

Hello && Welcome

You would set the roles for other users to prevent accidental deleting of indices.

With manipulating logs is not very common once indexed. You would need to secure you Graylog server. The person who is orchestrating the security policy/s for this environment, hopefully would have a LPIC-3 Security at least.

If you are worried about security within this DMZ. I would highly suggest making GPO’s for your environment to prevent users for doing such thing as sabotage or other accidents happing.
On a side note, with Graylog enterprise version you could sync you users roles (Teams) but you have to keep it under 5GB a day.

Hope that helps

system · December 21, 2021, 11:51pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Safely remove index Graylog Tech Challenges	3	837	July 13, 2021
Logfile Security Graylog Central (peer support)	2	356	October 3, 2018
Possible archiving of data? Graylog Central (peer support)	4	491	April 10, 2021
Deleting logs from graylog/elasticsearch (a howto) Graylog Central (peer support)	1	20124	September 14, 2017
Archiving / Log Retention without Graylog Enterprise Graylog Central (peer support)	2	2077	September 27, 2023

ISO inspection Data manipulation

Related topics