ISO inspection Data manipulation

Moultrex · December 7, 2021, 10:06am

Hello.

I want to ask about Graylog and the stored data that gathers from other computers, servers etc.

Our company will get an ISO Inspection and on the pre evaluation asked us if the Logs Stored in the server running Graylog are immutable.

I know if you have root access etc on the server and access to elasticsearch you can do many short of things.

The question is. From the web gui can the Administrator except from deleting the indexes etc, manipulate the already stored data of the logs?

Thank you.

gsmith · December 7, 2021, 11:51pm

Hello && Welcome

You would set the roles for other users to prevent accidental deleting of indices.

With manipulating logs is not very common once indexed. You would need to secure you Graylog server. The person who is orchestrating the security policy/s for this environment, hopefully would have a LPIC-3 Security at least.

If you are worried about security within this DMZ. I would highly suggest making GPO’s for your environment to prevent users for doing such thing as sabotage or other accidents happing.
On a side note, with Graylog enterprise version you could sync you users roles (Teams) but you have to keep it under 5GB a day.

Hope that helps

system · December 21, 2021, 11:51pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Possible archiving of data? Graylog Central (peer support)	4	423	April 10, 2021
Archiving / Log Retention without Graylog Enterprise Graylog Central (peer support)	2	1952	September 27, 2023
Question about changing Maximum Indices Graylog Central (peer support)	2	437	November 27, 2018
Delete some data from graylog Graylog Central (peer support)	6	1396	July 9, 2021
Delete logs Graylog Graylog Central (peer support)	18	29146	July 2, 2018

ISO inspection Data manipulation

Related Topics