2

I am currently setting up logging with Graylog for my system and have the problem that the logs can potentially contain sensitive information. The standard behaviour is to send the logs unencrypted via UDP to prevent the application from blocking. Is there any way to secure it while keeping the UDP connection? If Graylog is not the right tool for it, I'll be happy to switch to one which offers this functionality. What is your experience, how should I implement the logging if I want to maintain the security of my application and do not want to introduce the latency that comes with logging via https?

mryvlin
  • 153
  • 5
  • 2
    I beg your pardon, "latency coming with logging via https"? What does that mean? – drookie Feb 22 '16 at 08:15
  • 1
    You can use rsyslog or syslog-ng – Neil McGuigan Feb 22 '16 at 18:59
  • 1
    @drookie sorry if I didn't say it clearly. If I logged over https, it would be a synchronous call, with establishing the connection, the handshake and so on. Every time I wanted to log something, all these steps would be executed over and over again, adding to the overall execution time – mryvlin Feb 23 '16 at 10:25

2 Answers

5

There are many options, which can be layered together for better privacy:

  • configure the network logger to use encryption... if Graylog doesn't support this, it would mean using something else. For example, rsyslog supports encryption with TLS.
  • tunnel it through a VPN such as openvpn, e.g. with a static key, which is trivial to set up
  • tunnel it through an ssh local port forward

No encryption should be assumed to be perfect. If you aren't too paranoid, just one of the above may be sufficient. If you are paranoid, then use them all together if possible. And if truly paranoid about very sensitive data, it's best not to send it over the wire at all.

Peter
  • 2,546
  • 1
  • 18
  • 25
1

I completely agree with Peter's answer, but to expand a little I pose one more question: Do you deal with plain syslog messages, or does your application already send structured messages in GELF?

For plain syslog the proven and reliable setup is a central logserver using rsyslog or syslog-ng (both implement TLS transport; use whatever your distro uses by default, or the one with the nicer config syntax). Have them collect all syslog messages locally and forward them via TLS to your central logserver (it may be identical to your Graylog2 server). Have the instance on the logserver receive all messages, optionally archive them to disk (or decide to avoid that risk if they contain sensitive information), and finally forward them to your Graylog2 instance.

For structured messages the setup is not as easy. I am not sure if there is reliable GELF/TCP support. If there is, then you could secure the TCP transport with an ssh tunnel or an stunnel TLS connection. Otherwise you are left with UDP, which is somewhat more difficult to tunnel, so you might have to set up a VPN (with openvpn) to secure the log transport.

mschuett
  • 3,066
  • 20
  • 21
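A concrete instance of the rsyslog-with-TLS setup that both answers describe, added here as an example rather than configuration from either author or from the rsyslog/Graylog projects: the application keeps logging to the local syslog socket and never blocks, rsyslog forwards over mutually authenticated TLS with a disk-assisted queue so that an unreachable log server spools rather than stalls, and the central host hands messages to Graylog's syslog input without archiving them to disk. Hostnames, certificate paths and the Graylog input port are assumed placeholders.

```conf
# --- Client (application host): /etc/rsyslog.d/10-forward-tls.conf ---
# Hostnames and certificate paths are placeholders (assumed, not from the page).
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)
# The application keeps writing to the local syslog socket and never blocks.
# This action forwards everything over TLS (mode 1 = TLS only, no fallback
# to plaintext) and checks the server certificate against the CA and name.
# The disk-assisted queue spools messages locally while the server is
# unreachable, so nothing is dropped and the sender is not stalled.
action(
  type="omfwd"
  target="logserver.example.internal" port="6514" protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logserver.example.internal"
  queue.type="LinkedList"
  queue.filename="fwd_tls_q"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)

# --- Server (central log host): /etc/rsyslog.d/10-receive-tls.conf ---
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)
# Accept TLS only, and only from clients whose certificate is signed by our
# CA and whose name matches the permitted pattern (mutual authentication).
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.internal"])
# Received messages go to a dedicated ruleset, so the distro's default rules
# (which would write them to /var/log) never see them. Deliberately no omfile
# action here: sensitive messages are not archived on disk, only handed to the
# Graylog syslog TCP input, assumed to listen on localhost (port is a placeholder).
ruleset(name="to_graylog") {
  action(type="omfwd" target="127.0.0.1" port="1514" protocol="tcp")
}
input(type="imtcp" port="6514" ruleset="to_graylog")
```

Both hosts need the gtls driver package (rsyslog-gnutls on most distros), and the client's PermittedPeers value must match the name in the server certificate, otherwise the connection is refused rather than silently downgraded.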