ITOP.HU
IMMUTABLE LOG MANAGEMENT SYSTEM
Immutable logging with a cost-effective, open source stack
The EU NIS2 Directive sets strict requirements for cybersecurity and incident management. Logging systems provide the post-event analysis of security incidents and the basis for regulatory reports.
What does NIS2 expect in terms of logging?
- Long-term preservation: Reliable, intact log retention for years for incident investigation.
- Quick searching: Instantly find evidence (who, what, when, where).
- Centralized tracking: Aggregated monitoring of security events and configuration changes.
- Data residency: Logs under your own control, preferably in the EU, compliant with GDPR.
Modern logging architecture is built on open source components that together ensure scalability, reliability, and cost-effectiveness.
This stack is specifically designed for the needs of large enterprises and critical infrastructure, while fully complying with NIS2 specifications.
The main components of the architecture
Loki
Centralized log collection engine
MinIO
S3-compatible object storage
Grafana
Visualization and analysis interface
Log sources
Agents and data collection
Loki (SimpleScalable mode)
A centralized log collection and storage engine specifically optimized for containerized and Kubernetes environments.
- Data ingestion: Receive application, system, and network logs sent by node agents (e.g. Promtail, Fluent Bit).
- Efficiency: It uses labels for indexing, which provides efficient searching and lower hardware requirements compared to classic Elasticsearch-based systems.
- Scalability: SimpleScalable mode allows the separation of the read/write and storage layers, making the system horizontally scalable and suitable for multi-tenant deployments.
MinIO (S3-compatible object storage)
An object store serving as the backend of Loki, ensuring data integrity.
- Immutable log retention: Immutability can be guaranteed with bucket-policy and object-lock (WORM) settings.
- WORM principle: Once written, a log object is read-only; it cannot be deleted or modified.
- NIS2 compliance: Retention times (e.g. 18-24 months) can be adjusted to meet audit needs.
- Data residency: Running on-prem or in hybrid mode, logs remain in the EU, under your own control, meeting GDPR requirements.
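The object-lock and retention points above, as an added example that is not ITOP.HU's own code: it builds the bucket object-lock configuration and a deny-delete bucket policy for a Loki chunk bucket on MinIO, and audits what the server reports back against a minimum retention. The endpoint, bucket name, credentials and the 30-day month approximation are placeholders and assumptions; `apply_and_audit` needs `boto3` and a reachable MinIO, the other functions run offline.

```python
"""Added example (not part of the ITOP.HU page): object-lock configuration and
audit for an immutable Loki chunk bucket on MinIO, via the S3 API (boto3)."""
import json

DAYS_PER_MONTH = 30  # assumption: months are converted to days for the lock rule


def retention_days(months: int) -> int:
    """Retention period in days for a given number of months."""
    return months * DAYS_PER_MONTH


def object_lock_config(months: int, mode: str = "COMPLIANCE") -> dict:
    """Payload for PutObjectLockConfiguration.

    COMPLIANCE is the WORM setting the page describes: nobody, not even the
    MinIO admin, can shorten the retention or delete the object before it
    expires.  GOVERNANCE can be overridden by principals holding
    s3:BypassGovernanceRetention, so it is not enough for audit logs.
    """
    if mode not in ("COMPLIANCE", "GOVERNANCE"):
        raise ValueError("mode must be COMPLIANCE or GOVERNANCE")
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": mode, "Days": retention_days(months)}},
    }


def deny_delete_policy(bucket: str) -> dict:
    """Bucket policy denying delete calls to everyone.  Object lock is the real
    guarantee; the policy adds defence in depth against accidental deletes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": {"AWS": ["*"]},
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def lock_findings(config: dict, min_months: int) -> list:
    """Audit a GetObjectLockConfiguration response (the 'ObjectLockConfiguration'
    member) against the required retention.  Empty list means compliant."""
    findings = []
    if config.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled on bucket")
        return findings
    rule = config.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention rule: new objects are not locked")
        return findings
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"mode {rule.get('Mode')} can be bypassed; expected COMPLIANCE")
    days = rule.get("Days") or rule.get("Years", 0) * 365
    if days < retention_days(min_months):
        findings.append(f"default retention {days}d is below {min_months} months")
    return findings


def apply_and_audit(endpoint: str, access_key: str, secret_key: str,
                    bucket: str = "loki-chunks", months: int = 24) -> list:
    """Create a locked bucket on MinIO, set the lock rule and policy, then
    re-read the lock configuration and audit it.  Placeholder arguments."""
    import boto3  # imported here so the offline helpers do not need it
    s3 = boto3.client("s3", endpoint_url=endpoint,
                      aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    # MinIO only honours object lock if it is enabled when the bucket is created.
    s3.create_bucket(Bucket=bucket, ObjectLockEnabledForBucket=True)
    s3.put_object_lock_configuration(
        Bucket=bucket, ObjectLockConfiguration=object_lock_config(months))
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(deny_delete_policy(bucket)))
    live = s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    return lock_findings(live, months)
```

One caveat when pairing this with Loki: a locked bucket rejects the compactor's chunk deletes, so Loki's own retention should either stay disabled or be set no shorter than the lock period; otherwise the compactor keeps retrying deletes that the lock will refuse until the retention expires.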
Grafana
Central interface for visualization and analysis of logs.
- Log exploration: Filtering based on tags and full text, timeline management and correlation analysis.
- Dashboards:
  - Infrastructure status (CPU, memory, storage, node health).
  - Security events (failed logins, suspicious IP addresses, admin activity).
  - NIS2 audit-relevant reports (security event overview, log coverage, retention status).
- Alerting: Send alerts via email, webhook or to ITSM/SOC systems (e.g. iTop, Stellar Cyber).
Log sources and agents
The collection process ensures that all relevant data is entered into the central system.
- Data collection: Using Promtail, Fluent Bit or other syslog agents on Linux/Windows servers and network devices.
- Security: TLS encryption and certificate-based authentication during data transmission.
- Central Onboarding: A strict process ensures that a new system can only go live if its logging has already been integrated into the stack.
Operation and implementation
The solution fits flexibly into the existing infrastructure.
- Containerized deployment: Kubernetes-based deployment (Helm, Terraform), versionable and reproducible stack.
- Multi-tenant (MSSP) model: Log separation with tenant IDs, namespace-based authorization management.
- Implementation steps:
  - Design: Assessment of needs.
  - Pilot: Validation in a proof-of-concept environment.
  - Rollout: Gradual introduction and fine-tuning.
  - Operation: Monitoring, backup and compliance review.
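The transport requirements from the log sources section (TLS, certificate-based authentication) and the tenant-ID separation from the multi-tenant model, as an added example that is not ITOP.HU's own code: a small audit of Promtail `clients` entries that reports a weak entry beside a hardened one. The configuration keys (`url`, `tenant_id`, `tls_config.ca_file`, `cert_file`, `key_file`, `insecure_skip_verify`) are Promtail's; the two sample client entries, hostnames and file paths are constructed for the example.

```python
"""Added example (not part of the ITOP.HU page): audit Promtail client entries
for TLS, client-certificate authentication and tenant separation."""
from urllib.parse import urlparse


def client_findings(client: dict, require_tenant: bool = True) -> list:
    """Findings for one Promtail 'clients' entry; empty list means it meets
    the transport and tenant requirements."""
    findings = []
    url = client.get("url", "")
    if urlparse(url).scheme != "https":
        findings.append("push URL is not https; logs travel in clear text")
    tls = client.get("tls_config") or {}
    if tls.get("insecure_skip_verify"):
        findings.append("insecure_skip_verify disables server certificate checks")
    if not tls.get("ca_file"):
        findings.append("no ca_file; relies on the system trust store instead of the internal CA")
    if not (tls.get("cert_file") and tls.get("key_file")):
        findings.append("no client certificate; the agent is not authenticated to Loki")
    if require_tenant and not client.get("tenant_id"):
        findings.append("tenant_id missing; logs land in the default tenant")
    return findings


def audit_promtail(config: dict, require_tenant: bool = True) -> dict:
    """Map each client push URL to its findings."""
    return {c.get("url", "<no url>"): client_findings(c, require_tenant)
            for c in config.get("clients", [])}


# Constructed sample: a weak entry and a hardened one for the same Loki gateway.
WEAK_CLIENT = {
    "url": "http://loki-gateway.example.internal/loki/api/v1/push",
    "tls_config": {"insecure_skip_verify": True},
}

HARDENED_CLIENT = {
    "url": "https://loki-gateway.example.internal/loki/api/v1/push",
    "tenant_id": "tenant-a",
    "tls_config": {
        "ca_file": "/etc/promtail/tls/internal-ca.pem",
        "cert_file": "/etc/promtail/tls/agent.crt",
        "key_file": "/etc/promtail/tls/agent.key",
        "insecure_skip_verify": False,
    },
}

SAMPLE_CONFIG = {"clients": [WEAK_CLIENT, HARDENED_CLIENT]}

if __name__ == "__main__":
    for url, findings in audit_promtail(SAMPLE_CONFIG).items():
        print(url, "->", findings or "ok")
```

Run it against the `clients` section of a real Promtail config (parsed with a YAML loader) as part of the onboarding gate: a new source whose agent fails this check should not count as integrated.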
Why choose this stack?
- NIS2-compatible and open: Without vendor lock-in, with 60-70% cost savings.
- Scalable: Scales up to petabytes of data on-premise or in a private cloud.
- Integrated: Not “just another box,” but a natural addition to your existing security infrastructure.