
I have a little problem with the logs stored in Splunk. As PCI-DSS enforces, servers, DB's and logs should be scanned quarterly in case of any card data and if found, the files should be destroyed. After our scan with cardrecon we found some PAN stored in log files on server and deleted the files. But Splunk also stores the logs of this server and according to PCI-DSS, logs stored on Splunk etc. can not be edited or deleted. Could you please give me an idea what to do with these logs, or if this situation is non-compliant with PCI-DSS. (By the way the card data includes only the PAN.)

Thanks

D.B.

1 Answer


In Requirement 10.5.3 it says

Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

"Difficult" is not the same as "impossible". ;-)

In other words: you may alter the logs (e.g. mask the PAN) if you are authorized to do it. Of course it is better to check with your auditor before doing something like that. And ensure that this (logging of PAN) will not happen again, e.g. by using the rewrite function of syslog-ng or anything like that.

Frank
  • Thanks, we are going to ensure that this will not happen again :) I understand you suggest that, it is better to check with our QSA if we can/should edit the logs already recorded isn't it? – D.B. Aug 25 '16 at 14:58
  • Yes. We had a similar problem and involved our QSA. It turned out that he wasn't amused but we were allowed to change the entries while he was watching and wrote a record to verify that nothing else was changed. Not the best way to handle things but better than leaving PANs unmasked. – Frank Aug 26 '16 at 09:11
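The answer's two recommendations, masking the PANs that already reached the logs and stopping new ones from being written, both need the same building block: a filter that finds card numbers in free-form log lines and replaces them before they are stored. The following is an added example, not code from the question, the answer, Splunk or syslog-ng. It scans constructed log lines (the card numbers are the public test numbers 4111111111111111 and 5555555555554444, not real cards), keeps only the last four digits of anything that looks like a PAN and passes the Luhn checksum, and leaves non-card numeric fields such as request ids alone. The choice to show only the last four digits is an assumption; it is more conservative than the first-six/last-four display PCI DSS permits.

```python
import re

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Used to reduce false positives: timestamps, request ids and similar
    long numbers almost never satisfy the check, real card numbers always do.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits (assumed policy: stricter than first-6/last-4)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _replace_candidate(match: re.Match) -> str:
    raw = match.group(0)
    digits = SEPARATORS.sub("", raw)
    if not luhn_valid(digits):
        return raw              # not a card number: leave the field untouched
    return mask_pan(digits)


def redact_line(line: str) -> str:
    """Return the log line with every Luhn-valid 13-19 digit number masked."""
    return PAN_CANDIDATE.sub(_replace_candidate, line)


def redact_lines(lines):
    """Redact a batch of lines; returns (redacted_lines, number_of_lines_changed)."""
    redacted = [redact_line(line) for line in lines]
    changed = sum(1 for before, after in zip(lines, redacted) if before != after)
    return redacted, changed


# Constructed sample log lines for the demonstration (not real application output).
SAMPLE_LOG = [
    "2016-08-25T14:58:00Z payment-api INFO charge ok pan=4111111111111111 amount=19.99",
    '2016-08-25T14:58:01Z payment-api DEBUG card="5555 5555 5555 4444" exp=12/19',
    "2016-08-25T14:58:02Z payment-api INFO request_id=1472136000000 status=200",
]

if __name__ == "__main__":
    cleaned, n = redact_lines(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"{n} of {len(SAMPLE_LOG)} lines contained a PAN and were masked")
```

Running the filter on the sample masks the first two lines and leaves the third (a 13-digit request id that fails Luhn) unchanged. In practice the same logic belongs in the log pipeline ahead of the indexer (the syslog-ng rewrite step the answer mentions fills that role), so that the immutable copy never contains a PAN in the first place; for entries already indexed, run it over an export, have the QSA-agreed change recorded as the comments describe, and re-scan the result before the originals are removed.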