Secure writing to Graylog using UDP

Hello Community,

I am working at a large company and the people responsible for infrastructure gave us a GrayLog instance. Our team is enjoying GrayLog but we have a security concern.

When the VPN is active, any user on any machine, even our developer laptops, seems to be able to write an entry in GrayLog.

The team raised the concern with the infrastructure department, and we got an answer that, because our logging is heavy, GrayLog is configured to use UDP, and there is no way to secure GrayLog to protect us against writes from users or applications other than our teams/applications. The VPN is enough protection.

We are perplexed about this answer. Is there any documentation that confirms it is not possible to secure a GrayLog instance that is using UDP?

Thank you,
Have a great day!

Is it a requirement to use UDP? As you noted, it is not possible to encrypt UDP inputs due to UDP not supporting TLS.

If UDP is a requirement and you must use it (for example, syslog UDP), you can use something like Graylog Forwarder (enterprise feature) or Filebeat to receive the UDP traffic and send the data via TCP to Graylog so that you can secure the inputs on the Graylog side.

Let me know if you have any questions.

Thank you for your answer Drew!

I understand the traffic may not be encrypted. Our concern is to create a gate before writing events to GrayLog so not everybody in the company can write in our GrayLog instance.

Is there any username/password in GrayLog to prevent other teams from writing in our GrayLog instance, like a SQL database?

Thank you for your time!

Many of the TCP inputs support TLS and can be configured to require TLS client authentication. See the screenshot below for the GELF TCP input:

When an input is configured in this way, only clients that use an allowed cert can connect and send data to that input.

Hope that helps.
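An added example, not part of the original reply and not Graylog's own code: a small Python client for a GELF TCP input that requires TLS client authentication, as described above. The server name, port and certificate file paths are assumptions supplied on the command line, and the sample event is constructed.

```python
import json
import re
import socket
import ssl
import sys
import time

def build_gelf_frame(host, short_message, level=6, **extra):
    """Serialise one GELF 1.1 message; GELF over TCP ends each message with a null byte."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": time.time(), "level": level}
    for name, value in extra.items():
        # Additional fields are prefixed with "_"; "_id" is reserved by the GELF spec.
        if name == "id" or not re.fullmatch(r"[\w.\-]+", name):
            raise ValueError(f"invalid GELF field name: {name!r}")
        msg["_" + name] = value
    # json.dumps escapes control characters, so the payload never contains a raw null.
    return json.dumps(msg, separators=(",", ":")).encode("utf-8") + b"\x00"

def make_client_context(ca_file, cert_file, key_file):
    """TLS context that verifies the server and presents a client certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def send_gelf(server, port, ctx, frame):
    """Open a mutually authenticated TLS connection and send one frame."""
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame)

if __name__ == "__main__":
    # Constructed sample event; host and field values are made up.
    frame = build_gelf_frame("app01.example.internal", "order service started",
                             service="orders")
    if len(sys.argv) == 6:
        # Arguments (all assumptions): server port ca.pem client.pem client.key
        server, port, ca, cert, key = sys.argv[1:]
        send_gelf(server, int(port), make_client_context(ca, cert, key), frame)
    else:
        print(frame)
```

A client without a certificate the input trusts fails the TLS handshake (or its first write), so nothing it sends reaches the stream.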

Do those TCP inputs that support TLS work for UDP?

From my research, I feel it does not apply to UDP.

No, the UDP inputs cannot be used with TLS.

Hi @shapeshifter999,
I would guess that your company has a proper firewall with a proper ruleset. You can prevent everybody from reaching your Graylog via UDP and only allow the necessary sources to reach your Graylog.

Thank you Drew and Ihe for your feedback!

Have a great day!
