I have a new Grafana Cloud tenant within my organization. The Security Department previously implemented a feature to ensure the integrity of logs in the monitoring system before using Grafana. The approach was as follows:
log_1: hash + salt(log_1)
log_2: hash + salt(log_2 + hash + salt(log_1))
They are now asking whether Grafana Cloud has a native or default feature that covers this security requirement, but I haven’t been able to find any references in the documentation.
Could you help clarify if Grafana Cloud provides such a feature?
I don’t think so, because this hashing doesn’t scale horizontally. It must be a stateful app, which is processing logs in order.
Hashing on the Grafana Cloud side also doesn’t seem right from the security point of view. What if an attacker modifies your log transfer to Grafana Cloud? The logs will be modified before reaching Grafana Cloud/hashing, so the integrity check won’t detect any issue. I would rather use your existing legacy on-prem hashing and send logs with hashes to Grafana Cloud then.
You’re right; hashing doesn’t scale horizontally. However, I’m referring more to other possible solutions Grafana Cloud might offer to provide integrity at rest, such as immutability or something similar.
Regarding the case of an attacker modifying logs in transit, you’re talking about integrity in transit, which is out of scope for this question.
For the sentence “I would rather use your existing legacy on-prem hashing and send logs with hashes to Grafana Cloud then” I don’t fully understand your conclusion. You initially mentioned that hashing isn’t a great option, but now you’re suggesting to continue with it.
Thanks for the suggestion! However, the design team brought up a concern regarding hashing in a multi-instance environment, as we’re using multiple instances for logging. Specifically, hashing each log entry sequentially could be problematic because logs from different instances may be interleaved. This interpolation of log sequences across instances disrupts the continuity required for consistent hashing, as the expected sequence can’t be maintained reliably.
This is why we’re looking for a solution that ensures integrity at rest without relying on the log sequence across instances. Does Grafana Cloud offer such a solution?
I don’t know. This is a community forum. You are asking for a very specific enterprise feature with a specific algorithm. I don’t believe that’s possible. But ask your Grafana Cloud support.
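An added example, not part of the original thread and not a Grafana Cloud feature: one way to keep the chained hashing from the question without depending on the order of logs across instances is to run a separate chain per instance and verify each chain on its own. It assumes HMAC-SHA256 with a secret key in place of the thread's "hash + salt"; `Signer`, `verify`, the record fields and the key are hypothetical names and constructed values.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumption: secret playing the role of the thread's salt
GENESIS = b"\x00" * 32         # "previous tag" for the first record of every chain


def tag(instance, seq, line, prev):
    """HMAC over one record plus the previous tag of the SAME instance."""
    fields = [prev, instance.encode(), str(seq).encode(), line.encode()]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)  # length-prefixed
    return hmac.new(KEY, msg, hashlib.sha256).digest()


class Signer:
    """Runs inside one logging instance; chain state never leaves that instance."""
    def __init__(self, instance):
        self.instance, self.seq, self.prev = instance, 0, GENESIS

    def sign(self, line):
        self.seq += 1
        self.prev = tag(self.instance, self.seq, line, self.prev)
        return {"instance": self.instance, "seq": self.seq,
                "line": line, "tag": self.prev.hex()}


def verify(records):
    """Check an interleaved stream; return [(instance, seq, problem), ...]."""
    chains = defaultdict(list)
    for r in records:
        chains[r["instance"]].append(r)
    problems = []
    for instance, recs in chains.items():
        prev, expected = GENESIS, 1
        for r in sorted(recs, key=lambda r: r["seq"]):
            if r["seq"] != expected:
                problems.append((instance, expected, "missing or duplicated record"))
                break  # the chain cannot be checked past a gap
            good = tag(instance, r["seq"], r["line"], prev)
            if not hmac.compare_digest(good.hex(), r["tag"]):
                problems.append((instance, r["seq"], "tag mismatch"))
                break
            prev, expected = good, expected + 1
    return problems


if __name__ == "__main__":
    a, b = Signer("app-1"), Signer("app-2")  # constructed instance names
    print(verify([a.sign("login ok"), b.sign("job start"), a.sign("logout")]))
```

Deleting the newest records of a chain leaves a shorter but still valid chain, so the latest `seq` and tag per instance would need to be recorded somewhere the log writer cannot change.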