You can configure LogScale to run with or without user authentication. Authorization and permissions are handled in LogScale, while users are authenticated and logged in using one of the following integrations:RBAC & GDPR
These two specialized sections explain LogScale's authentication and access method, as well as how LogScale logs are generated.
LogScale distinguishes between authentication (i.e., establishes user identity) and authorization (i.e., sets which activities are allowed by authenticated users). LogScale's role-based access control model enables authorization of users based on roles with sets of permissions.
LogScale generates audit log events on many user activities. Per GDPR requirements, entries are marked as sensitive or non-sensitive, to make for a good audit trail.
Monitoring LogScale for security situations (e.g., hacker attempts, denial of service attacks, etc.), can be done with a number of different security monitoring systems, which can be integrated into LogScale:
Corelight network sensors are available as software or appliances. They use over thirty-five different protocols and hundreds of log fields.
XSOAR is an extended security orchestration, automation and response platform with native threat intel management.
LogScale has pre-made dashboards for Zeek, and can analyze Zeek data.
Immutability of Data
LogScale is designed so that data, once digested to a repository, is immutable. You can not modify or edit the data. At rest, the data is encrypted and a checksum process is used on each segment to prevent corruption.
Data in a repository can only be deleted under certain conditions and with specific elevated privileges:
By time — Data is automatically purged at the end of the designated retention period. See Data Retention.
By manual deletion of the repository — A user with sufficient permissions can delete an entire repository. See Delete a Repository or View.
By API — A user with specific privileges and administrative power over a repo can leverage the Redact API to remove specific data. Redact Events API.
All of the above actions can only be performed by authorized users with the specific mentioned permissions tied to specific repositories.