Monitoring Splunk

Back up audit logs for PCI compliance

melfice0023
Explorer

Hi,

Just wanna ask if splunk has the ability to backup audit trailes to a centralized log server or media as indicated in pci dss 10.5.3?? Please someone reponse to my query. Thanks!

0 Karma
1 Solution

kristian_kolb
Ultra Champion

I think there is a slight confusion of terminology here. While martin_mueller is certainly right about Splunk creating it's own audit trail, I guess that what you mefice0023 is asking about is if Splunk is a good tool for centralized logging of other applications' audit trails in a PCI-compliance perspective.

The answer to that is yes.

With Splunk you can get

  1. Near real-time transfer of logs from the generating system (for most types of data sources) (PCI 10.5.3)
  2. Encrypted log transfers (when using agent-based collection method) (PCI 4.1 if logs contain cardholder data)
  3. Be able to detect if logs have been tampered with (PCI 10.5.2)
  4. Create reports and alerts based on log content, for distribution to reviewers (PCI 10.6)
  5. Have role-base access control to log data stored in the central solution (PCI 10.5.1)
  6. Handle automatic retention/purging of log data (PCI 10.7)

So as you see, Splunk is a bit more than a secure file server. There are probably more direct mappings of Splunk functionality to PCI-DSS requirements, but these are the ones I came to think of right now. As martin_mueller also mentioned, there is a specific add-on to Splunk, called the PCI Compliance app, which helps with no 4 in the list above, and that is not a small part.

Hope this helps a little bit,

Kristian

View solution in original post

kristian_kolb
Ultra Champion

I think there is a slight confusion of terminology here. While martin_mueller is certainly right about Splunk creating it's own audit trail, I guess that what you mefice0023 is asking about is if Splunk is a good tool for centralized logging of other applications' audit trails in a PCI-compliance perspective.

The answer to that is yes.

With Splunk you can get

  1. Near real-time transfer of logs from the generating system (for most types of data sources) (PCI 10.5.3)
  2. Encrypted log transfers (when using agent-based collection method) (PCI 4.1 if logs contain cardholder data)
  3. Be able to detect if logs have been tampered with (PCI 10.5.2)
  4. Create reports and alerts based on log content, for distribution to reviewers (PCI 10.6)
  5. Have role-base access control to log data stored in the central solution (PCI 10.5.1)
  6. Handle automatic retention/purging of log data (PCI 10.7)

So as you see, Splunk is a bit more than a secure file server. There are probably more direct mappings of Splunk functionality to PCI-DSS requirements, but these are the ones I came to think of right now. As martin_mueller also mentioned, there is a specific add-on to Splunk, called the PCI Compliance app, which helps with no 4 in the list above, and that is not a small part.

Hope this helps a little bit,

Kristian

melfice0023
Explorer

@Kristian. You are great, you answered what i'm looking for. Thank you for the references. Now i understand it clearly 🙂

0 Karma

kristian_kolb
Ultra Champion

When splunking your logs, they will be stored within splunk in something called 'indexes', so they will not be kept as the files they once were. However, each event will be kept and it's integrity can be verified.

Read more here.

http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Howindexingworks
http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/HowSplunkstoresindexes

0 Karma

melfice0023
Explorer

Thank you Kristian for your response 🙂 this helps a lot and answered my query. But may i ask where will the logs will be transferred? Sorry fow asking.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Splunk does splunk its own audit trail inside splunk, into the index _audit. Apps like the PCI Compliance Suite make use of this already - see the various views and forms available under the Audit menu if you already have a version running, or contact your local splunk partner / sales for buying one 🙂

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Do a search like this:

index=_audit

You'll see your audit logs all lined up nicely. If you need those backed up on top of having them inside splunk you can add that index to your regular backup of splunk data.

0 Karma

melfice0023
Explorer

Hi Martin,

Thanks for your response 🙂 so in short its possible to backup our audit logs right. i only have a free version running here. 🙂 sorry if i asked this kind of question, i'm totally new here.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...