I am going to set up my internet server to send logs to a Graylog server. I'm looking for some information on what potential destruction this can bring to the Graylog server if my internet server is intercepted by someone.
Description of steps you’ve taken to attempt to solve the issue
Documentation and forum search.
Environmental information
Operating system information
Ubuntu
Package versions
Graylog 3.0
MongoDB
Elasticsearch
Service logs, configuration, and environment variables
Hi,
Thanks for replying.
My question could be simplified to this: is it safe to open a Graylog input TCP port to the internet?
(I'm not going to do this, but it may happen that the system sending logs could be a source of malicious behaviour.)
It's better that your server be behind a network firewall.
If the server is independent and published on the internet, you must configure services like iptables, SELinux, SSL …
This is an interesting question. Is Graylog designed to withstand noise/fuzzing?
Well, for one, unless you set up timestamp validation, you can easily be poisoned by bad timestamps, causing all your indices to show index ranges like "4000BC to 24000AD". That will force Graylog to search all indices even though you asked for "last 15 minutes", and degrades performance.
But more generally: if you allow logs to be spoofed, how can you trust them when the time comes?
SSL with a client certificate sounds like a good idea.
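As an added illustration of the timestamp-poisoning point raised above (this is example code written for this page, not Graylog's own code and not posted by anyone in the thread): a small validation step that sits in front of an input, or that a pipeline rule would implement, so that a single message carrying an absurd `timestamp` cannot stretch an index's time range. The acceptance window (one day into the past, five minutes into the future), the sample GELF-style messages and the receive time are all constructed assumptions; the `original_timestamp` and `timestamp_replaced` field names are mine, not Graylog fields.

```python
"""Timestamp sanity check for incoming log messages (illustration only).

Shows why unvalidated sender-supplied timestamps are a problem: two spoofed
values are enough to make an index appear to span roughly 4000 BC to 24000 AD,
and how clamping them to the receive time keeps the range sane.
"""
from datetime import datetime, timedelta, timezone

# Assumed policy (not from the thread): tolerate a day of clock skew into the
# past and five minutes into the future; anything else is replaced.
MAX_PAST = timedelta(days=1)
MAX_FUTURE = timedelta(minutes=5)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample messages in the style of GELF (timestamp = epoch seconds).
# Messages 3 and 4 carry poisoned timestamps far in the future and the past.
SAMPLE_MESSAGES = [
    {"host": "web1", "short_message": "GET /index.html 200", "timestamp": 1559692800.0},
    {"host": "web1", "short_message": "GET /login 302", "timestamp": 1559692805.5},
    {"host": "web1", "short_message": "spoofed future", "timestamp": 7.0e11},
    {"host": "web1", "short_message": "spoofed past", "timestamp": -1.9e11},
]

# Constructed receive time: 2019-06-05 00:01:00 UTC, one minute after message 1.
RECEIVED_AT = datetime(2019, 6, 5, 0, 1, tzinfo=timezone.utc)


def _as_epoch(value):
    """Return value as float epoch seconds, or None if it is not a finite number.

    Done in epoch seconds on purpose: datetime.fromtimestamp() raises on values
    outside years 1..9999, so converting first would let a spoofed timestamp
    crash the ingest path instead of being rejected.
    """
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    f = float(value)
    if f != f or f in (float("inf"), float("-inf")):
        return None
    return f


def validate_timestamp(msg, received_at):
    """Return a copy of msg whose 'timestamp' lies within the accepted window.

    Out-of-range or malformed values are replaced with the receive time and
    kept in 'original_timestamp', so the spoof attempt stays visible in the
    stored message without distorting the index range.
    """
    now = received_at.timestamp()
    lower = now - MAX_PAST.total_seconds()
    upper = now + MAX_FUTURE.total_seconds()
    ts = _as_epoch(msg.get("timestamp"))
    out = dict(msg)
    if ts is None or not (lower <= ts <= upper):
        out["original_timestamp"] = msg.get("timestamp")
        out["timestamp"] = now
        out["timestamp_replaced"] = True
    else:
        out["timestamp_replaced"] = False
    return out


def approx_year(epoch_seconds):
    """Rough calendar year for an epoch value, valid far outside datetime's range."""
    return int(1970 + epoch_seconds / SECONDS_PER_YEAR)


def index_range(messages):
    """(min_year, max_year) that an index holding these messages would cover."""
    stamps = [_as_epoch(m.get("timestamp")) for m in messages]
    stamps = [s for s in stamps if s is not None]
    return approx_year(min(stamps)), approx_year(max(stamps))


if __name__ == "__main__":
    print("raw index range:      ", index_range(SAMPLE_MESSAGES))
    sanitized = [validate_timestamp(m, RECEIVED_AT) for m in SAMPLE_MESSAGES]
    print("sanitized index range:", index_range(sanitized))
    for m in sanitized:
        if m["timestamp_replaced"]:
            print("replaced", m["original_timestamp"], "in", m["short_message"])
```

Run as-is, the raw range comes out around -4050 to 24151 while the sanitized range is 2019 to 2019; a "last 15 minutes" search over the sanitized index can be skipped by the range check, whereas the poisoned one must always be scanned. Replacing rather than dropping the message is a deliberate choice: a sender that lies about time is exactly the one whose messages you want to keep and investigate.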