I tested Graylog the last 2 weeks and I really like it.
But there is one more question about log security I can't answer yet.
Is there a possibility to change the logs manually, like if a hacker gets into the system and tries to manipulate log files to cover his tracks or something?
According to the company’s specifications, logs must be protected from changes or at least it has to be logged.
From within Graylog the log files can't be changed. If someone has access to the servers where the data is stored (read: the Elasticsearch server), he would be able to delete or change the data. Mainly because this is not a write-only database, this is possible with access to the database.
You should create your system in a way that it is hard for the attacker to get into that critical part of your infrastructure.
Multiple scenarios are possible, and there are multiple ways you can protect the network and the data. It all can change once your definition is known.