Hi,
Just wanna ask if Splunk has the ability to back up audit trails to a centralized log server or media as indicated in PCI DSS 10.5.3? Please, someone respond to my query. Thanks!
I think there is a slight confusion of terminology here. While martin_mueller is certainly right about Splunk creating its own audit trail, I guess that what you, mefice0023, are asking about is whether Splunk is a good tool for centralized logging of other applications' audit trails from a PCI-compliance perspective.
The answer to that is yes.
With Splunk you can get
- Near real-time transfer of logs from the generating system (for most types of data sources) (PCI 10.5.3)
- Encrypted log transfers (when using agent-based collection method) (PCI 4.1 if logs contain cardholder data)
- Be able to detect if logs have been tampered with (PCI 10.5.2)
- Create reports and alerts based on log content, for distribution to reviewers (PCI 10.6)
- Have role-based access control to log data stored in the central solution (PCI 10.5.1)
- Handle automatic retention/purging of log data (PCI 10.7)
So as you see, Splunk is a bit more than a secure file server. There are probably more direct mappings of Splunk functionality to PCI-DSS requirements, but these are the ones I came to think of right now. As martin_mueller also mentioned, there is a specific add-on to Splunk, called the PCI Compliance app, which helps with no. 4 in the list above, and that is not a small part.
Hope this helps a little bit,
Kristian
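As an added illustration of where the capabilities in the list above are actually configured, here are three Splunk configuration fragments (example configuration added for this page, not from Kristian's post or from the PCI Compliance app). The output group, hostname, index name, role name and retention period are assumed placeholders; the keys themselves are the documented outputs.conf, indexes.conf and authorize.conf settings, and enableDataIntegrityControl only takes effect on Splunk releases that ship data integrity control.

```ini
# outputs.conf on the forwarding agent
# PCI 10.5.3: near-real-time forwarding to the central indexer
# PCI 4.1:    TLS on the forwarder-to-indexer link
# Group name and hostname are assumed placeholders.
[tcpout]
defaultGroup = pci_indexers

[tcpout:pci_indexers]
server = indexer.example.internal:9997
useSSL = true
sslVerifyServerCert = true
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem

# indexes.conf on the indexer
# PCI 10.5.2: per-bucket hashes so later modification of stored events is detectable
# PCI 10.7:   automatic roll-off after the retention period
# Index name is assumed; 31536000 seconds = 365 days.
[pci_app_audit]
homePath   = $SPLUNK_DB/pci_app_audit/db
coldPath   = $SPLUNK_DB/pci_app_audit/colddb
thawedPath = $SPLUNK_DB/pci_app_audit/thaweddb
enableDataIntegrityControl = true
frozenTimePeriodInSecs = 31536000

# authorize.conf on the search head
# PCI 10.5.1: only a named reviewer role can search the central copy
# Role name is assumed; index lists are semicolon-separated.
[role_pci_log_reviewer]
importRoles = user
srchIndexesAllowed = pci_app_audit;_audit
srchIndexesDefault = pci_app_audit
```

On a release with data integrity control, `splunk check-integrity -index pci_app_audit` recomputes and compares the stored hashes, which is the check a reviewer would run to back the tamper-detection claim; the role stanza limits who can read the central copy, which is the part of 10.5.1 the PCI Compliance app does not do for you.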
@Kristian. You are great, you answered what I'm looking for. Thank you for the references. Now I understand it clearly 🙂
When splunking your logs, they will be stored within Splunk in something called 'indexes', so they will not be kept as the files they once were. However, each event will be kept and its integrity can be verified.
Read more here.
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Howindexingworks
http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/HowSplunkstoresindexes
Thank you Kristian for your response 🙂 this helps a lot and answered my query. But may I ask where the logs will be transferred? Sorry for asking.
Splunk does splunk its own audit trail inside splunk, into the index _audit. Apps like the PCI Compliance Suite make use of this already - see the various views and forms available under the Audit menu if you already have a version running, or contact your local splunk partner / sales for buying one 🙂
Do a search like this:
index=_audit
You'll see your audit logs all lined up nicely. If you need those backed up on top of having them inside splunk you can add that index to your regular backup of splunk data.
Hi Martin,
Thanks for your response 🙂 so in short it's possible to back up our audit logs, right? I only have a free version running here. 🙂 Sorry if I asked this kind of question, I'm totally new here.
