Configuring Security

You can configure LogScale to run with or without user authentication. Authorization and permissions are handled in LogScale, while users are authenticated and logged in using one of the following integrations:

Initial & Key Users

These sections of the documentation relate to an initial single user and the root user, as well as emergency users.

Single User

When starting out, single-user authentication offers some security compared to the no-authentication mode. It is perhaps the best method when first installing and learning LogScale. This linked page explains how to set it up.

Root Access

Root users have the privileges required to act as systems administrators for the LogScale cluster. They can add and remove other users. This linked page explains more.

Emergency Access

When something goes wrong with an identity provider, LogScale allows for local emergency users within the LogScale cluster. Click on the heading here to learn more.

RBAC & GDPR

These two specialized sections explain LogScale's authentication and access control model, as well as how LogScale's audit logs are generated.

Managing Users & Permissions

LogScale distinguishes between authentication (establishing a user's identity) and authorization (determining which activities an authenticated user is allowed to perform). LogScale's role-based access control model authorizes users by assigning them roles, each of which carries a set of permissions.

Audit Logging

LogScale generates audit log events for many user activities. In line with GDPR requirements, entries are marked as sensitive or non-sensitive, providing a complete audit trail.

Security Monitoring

Monitoring LogScale for security events (e.g., intrusion attempts or denial of service attacks) can be done with a number of different security monitoring systems that can be integrated with LogScale:

Corelight Network Sensors

Corelight network sensors are available as software or appliances. They use over thirty-five different protocols and hundreds of log fields.

XSOAR Security Management

XSOAR is an extended security orchestration, automation and response platform with native threat intel management.

Zeek (Bro) Network Security Monitor

LogScale has pre-made dashboards for Zeek, and can analyze Zeek data.

Immutability of Data

LogScale is designed so that data, once ingested into a repository, is immutable: you cannot modify or edit it. At rest, the data is encrypted, and a checksum is kept for each segment to protect against corruption.

Data in a repository can only be deleted under certain conditions and with specific elevated privileges:

  • By time — Data is automatically purged at the end of the designated retention period. See Data Retention.

  • By manual deletion of the repository — A user with sufficient permissions can delete an entire repository. See Delete a Repository or View.

  • By API — A user with specific privileges and administrative power over a repository can use the Redact API to remove specific data. See Redact Events API.

All of the above actions can only be performed by authorized users holding the permissions mentioned above, granted on the specific repositories concerned.