Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Back up audit logs for PCI compliance

melfice0023
Explorer
‎05-08-2013 02:20 AM

Hi,

Just wanna ask if splunk has the ability to backup audit trailes to a centralized log server or media as indicated in pci dss 10.5.3?? Please someone reponse to my query. Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-08-2013 06:49 AM

I think there is a slight confusion of terminology here. While martin_mueller is certainly right about Splunk creating it's own audit trail, I guess that what you mefice0023 is asking about is if Splunk is a good tool for centralized logging of other applications' audit trails in a PCI-compliance perspective.

The answer to that is yes.

With Splunk you can get

  1. Near real-time transfer of logs from the generating system (for most types of data sources) (PCI 10.5.3)
  2. Encrypted log transfers (when using agent-based collection method) (PCI 4.1 if logs contain cardholder data)
  3. Be able to detect if logs have been tampered with (PCI 10.5.2)
  4. Create reports and alerts based on log content, for distribution to reviewers (PCI 10.6)
  5. Have role-base access control to log data stored in the central solution (PCI 10.5.1)
  6. Handle automatic retention/purging of log data (PCI 10.7)

So as you see, Splunk is a bit more than a secure file server. There are probably more direct mappings of Splunk functionality to PCI-DSS requirements, but these are the ones I came to think of right now. As martin_mueller also mentioned, there is a specific add-on to Splunk, called the PCI Compliance app, which helps with no 4 in the list above, and that is not a small part.

Hope this helps a little bit,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-08-2013 06:49 AM

I think there is a slight confusion of terminology here. While martin_mueller is certainly right about Splunk creating it's own audit trail, I guess that what you mefice0023 is asking about is if Splunk is a good tool for centralized logging of other applications' audit trails in a PCI-compliance perspective.

The answer to that is yes.

With Splunk you can get

  1. Near real-time transfer of logs from the generating system (for most types of data sources) (PCI 10.5.3)
  2. Encrypted log transfers (when using agent-based collection method) (PCI 4.1 if logs contain cardholder data)
  3. Be able to detect if logs have been tampered with (PCI 10.5.2)
  4. Create reports and alerts based on log content, for distribution to reviewers (PCI 10.6)
  5. Have role-base access control to log data stored in the central solution (PCI 10.5.1)
  6. Handle automatic retention/purging of log data (PCI 10.7)

So as you see, Splunk is a bit more than a secure file server. There are probably more direct mappings of Splunk functionality to PCI-DSS requirements, but these are the ones I came to think of right now. As martin_mueller also mentioned, there is a specific add-on to Splunk, called the PCI Compliance app, which helps with no 4 in the list above, and that is not a small part.

Hope this helps a little bit,

Kristian

Reply
Solved! Jump to solution

melfice0023
Explorer
‎05-09-2013 11:00 PM

@Kristian. You are great, you answered what i'm looking for. Thank you for the references. Now i understand it clearly 🙂

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-09-2013 11:58 AM

When splunking your logs, they will be stored within splunk in something called 'indexes', so they will not be kept as the files they once were. However, each event will be kept and it's integrity can be verified.

Read more here.

http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Howindexingworks
http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/HowSplunkstoresindexes

0 Karma
Reply
Solved! Jump to solution

melfice0023
Explorer
‎05-08-2013 06:19 PM

Thank you Kristian for your response 🙂 this helps a lot and answered my query. But may i ask where will the logs will be transferred? Sorry fow asking.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-08-2013 04:30 AM

Splunk does splunk its own audit trail inside splunk, into the index _audit. Apps like the PCI Compliance Suite make use of this already - see the various views and forms available under the Audit menu if you already have a version running, or contact your local splunk partner / sales for buying one 🙂

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-08-2013 04:47 AM

Do a search like this:

index=_audit

You'll see your audit logs all lined up nicely. If you need those backed up on top of having them inside splunk you can add that index to your regular backup of splunk data.

0 Karma
Reply
Solved! Jump to solution

melfice0023
Explorer
‎05-08-2013 04:42 AM

Hi Martin,

Thanks for your response 🙂 so in short its possible to backup our audit logs right. i only have a free version running here. 🙂 sorry if i asked this kind of question, i'm totally new here.

0 Karma
Reply
Get Updates on the Splunk Community!

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...