I am working at a large company and the people responsible for infrastructure gave us a GrayLog instance. Our team is enjoying GrayLog but we have a security concern.
When the VPN is active, any user on any machine, even our developer laptops, seems to be able to write an entry in GrayLog.
The team raised the concern with the infrastructure department and we got an answer that, because our logging is heavy, GrayLog is configured to use UDP, and there is no way to secure GrayLog to protect us against writes from users or applications other than our teams/applications. The VPN is enough protection.
We are perplexed about this answer. Is there any documentation that confirms it is not possible to secure a GrayLog instance that is using UDP?
Is it a requirement to use UDP? As you noted, it is not possible to encrypt UDP inputs due to UDP not supporting TLS.
If UDP is a requirement and you must use it (for example, syslog UDP), you can use something like Graylog Forwarder (enterprise feature) or Filebeat to receive the UDP traffic and send the data via TCP to Graylog so that you can secure the inputs on the Graylog side.
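A sketch of the Filebeat relay described in the reply above, added here as an example and not part of the original post. The hostname, ports and certificate paths are assumptions, and it assumes a Beats input on the Graylog side with TLS enabled and client certificates required, so that only relays holding a certificate from the team's CA can write.

```yaml
# filebeat.yml on the relay (added example; all names, ports and paths are assumed)

filebeat.inputs:
  # Receive the existing UDP log traffic. Binding to loopback means only
  # processes on this host can send to the relay; a shared relay would bind
  # to a network address and then needs source filtering in front of it.
  - type: udp
    host: "127.0.0.1:5514"
    max_message_size: 10KiB

# Graylog's Beats input accepts the protocol used by the logstash output.
output.logstash:
  hosts: ["graylog.example.internal:5044"]   # assumed Beats input address
  ssl.enabled: true
  # CA that signed the Graylog input's server certificate.
  ssl.certificate_authorities: ["/etc/filebeat/pki/ca.crt"]
  # Client certificate and key presented to Graylog. With client
  # authentication required on the input, this is the write credential.
  ssl.certificate: "/etc/filebeat/pki/relay.crt"
  ssl.key: "/etc/filebeat/pki/relay.key"
  ssl.verification_mode: full
```

The original UDP input on Graylog has to be stopped or firewalled off afterwards, otherwise it remains an unauthenticated write path alongside the TLS one.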
I understand the traffic may not be encrypted. Our concern is to create a gate before writing events to GrayLog so not everybody in the company can write in our GrayLog instance.
Is there any username/password in GrayLog to prevent other teams from writing to our GrayLog instance, like with a SQL database?
Hi @shapeshifter999,
I would guess that your company has a proper firewall with a proper ruleset. You can prevent everybody from reaching your Graylog via UDP and only allow the necessary sources to reach your Graylog.