A Secure Audit Manager for E-CORRIDOR: Graylog

The E-CORRIDOR framework foresees a component for auditing purposes that is part of the CSI (Common Security Infrastructure) subsystem. This component is called Secure Audit Manager and in our case it is implemented using Graylog Open Source tool. 

 As stated in Deliverable D5.2 “the Secure Audit Manager provides a service for tracing events that occur during the E-CORRIDOR framework operational activity; services such as creating audit trails of the DSA policies evaluations and of user access to E-CORRIDOR services”.  

In order to receive log events, the GrayLog Log Management tool is required to configure Inputs for different types of sources. These components accept multiple message formats and communication mechanisms, and can further be integrated with configurable extractors to work on selected messages or even message subfields. The flexibility of Graylog has enabled the selection and tuning of messages flows suitable for different requirements by E-CORRIDOR applications and frameworks. 

 To facilitate E-CORRIDOR development partners, Graylog has been configured for receiving messages for the following four scenarios: 

•  Docker containers log information (all E-CORRIDOR subsystems run inside containers) 
• System events happening inside VMs hosting ECORRIDOR platforms 
• Messages from Application & ECORRIDOR platforms sent via REST API 
• Java application messages through commonly opensource Log4j library 

 A Content Pack specific for E-CORRIDOR has been released to developers preconfiguring the following Graylog Inputs: 

• Syslog for system events; 
• GELF TCP for Docker container logs and Log4j appender; 
• GELF HTTP for the REST API. 

The following picture shows the interconnections between E-CORRIDOR components (applications & platform) with Graylog, highlighting the different channels used from the containers to the Inputs connectors. 

As part of the typical internal dissemination activities, Graylog features and E-CORRIDOR specific integration have been presented to the partners together with a live Demo. 

 During this webinar the four different scenarios were analyzed in depth starting from the source code in the GitLab repository following with docker-compose configuration, also providing sample configuration for Log4j . 

 Live demo messages arriving from the four different scenarios have been collected by Graylog where they have been filtered by severity generating alarms and notifications to the operators.