Protection from compromised senders

Description of your problem

I'm going to set up my internet server to send logs to a Graylog server. I'm looking for some information on what potential destruction this can bring to the Graylog server if my internet server is intercepted by someone.

Description of steps you’ve taken to attempt to solve the issue

Documentation and forum search.

Environmental information

Operating system information

  • Ubuntu

Package versions

  • Graylog 3.0
  • MongoDB
  • Elasticsearch

Hi, cirruspl
Do you mean how to find malicious attacks and traffic and Event security IDs?

Thanks for replying.
My question could be simplified to this: Is it safe to open a Graylog input TCP port to the internet?
(I'm not going to do this, but it may happen that a system sending logs could be a source of malicious behaviour.)

It's better that your server be behind a network firewall.
If the server is independent and published on the internet, you must configure services like iptables, SELinux, SSL ...


This is an interesting question. Is Graylog designed to withstand noise/fuzzing?

Well, for one, unless you set up timestamp validation, you can be easily poisoned by bad timestamps, causing all your indices to show index ranges like “4000BC to 24000AD”. That will force Graylog to search all indices even though you asked for “last 15 minutes” and degrades performance.

But more generally: if you allow logs to be spoofed, how can you trust them when the time comes?
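The timestamp-poisoning point above, shown as an added example (not code from the thread or from Graylog itself): a small Python sanitizer that does what a "timestamp validation" stage would do, clamping any sender-supplied timestamp outside a sane window to the receive time while keeping the original value visible for investigation. The message dicts, field names (`sender_timestamp`, `timestamp_rejected`) and window sizes are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample messages, shaped like events an input might hand to a processing stage.
# Assumption: the sender supplies an ISO-8601 "timestamp" field; other field names are illustrative.
SAMPLE_MESSAGES = [
    {"source": "web01", "timestamp": "2019-05-20T10:00:05+00:00", "message": "GET /index.html 200"},
    {"source": "web01", "timestamp": "2019-05-20T10:03:00+00:00", "message": "small clock skew"},
    {"source": "web01", "timestamp": "2099-01-01T00:00:00+00:00", "message": "spoofed far-future"},
    {"source": "web01", "timestamp": "1970-01-01T00:00:00+00:00", "message": "spoofed epoch"},
    {"source": "web01", "timestamp": "4000BC", "message": "unparseable year"},
]


def sanitize_timestamp(msg, received_at, max_past=timedelta(days=7), max_future=timedelta(minutes=5)):
    """Return a copy of msg whose 'timestamp' lies within
    [received_at - max_past, received_at + max_future].
    A timestamp outside that window, or one that cannot be parsed, is replaced by
    the receive time; the original value is kept in 'sender_timestamp' together with a
    'timestamp_rejected' flag, so the event stays searchable in the index covering
    the time it actually arrived and the spoofing attempt remains visible."""
    out = dict(msg)
    raw = msg.get("timestamp")
    try:
        ts = datetime.fromisoformat(raw)
        if ts.tzinfo is None:  # naive timestamps are treated as UTC (assumption)
            ts = ts.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        ts = None
    accepted = ts is not None and received_at - max_past <= ts <= received_at + max_future
    if not accepted:
        out["sender_timestamp"] = raw
        out["timestamp_rejected"] = True
        ts = received_at
    out["timestamp"] = ts.isoformat()
    return out


def sanitize_all(messages, received_at):
    return [sanitize_timestamp(m, received_at) for m in messages]


def rejected_count(messages, received_at):
    return sum(1 for m in sanitize_all(messages, received_at) if m.get("timestamp_rejected"))


if __name__ == "__main__":
    now = datetime(2019, 5, 20, 10, 0, 10, tzinfo=timezone.utc)  # constructed receive time
    for event in sanitize_all(SAMPLE_MESSAGES, now):
        print(event)
```

With the constructed receive time, the first two messages pass (the second is within the 5-minute skew allowance) and the other three are clamped and flagged, so no index range can be stretched to "4000BC to 24000AD" by a single bad sender.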

SSL with a client certificate sounds like a good idea.
