Not Alterable Logs

How does Graylog garantee that logs are NOT ALTERABLE after ingestion?

It’s easy. GL not garantee this.
The logs are stored in elasticsearch. It has also no garantee. But you can monitor the update and deletes, so you can have information if something does it.
Also you can configure firewall, and password on elastic, to avoid this.