What Do I Log?
Because PCI Requirement 10 requires that logging mechanisms be enabled, we often hear clients ask, “What do I log?” The PCI DSS gives us specific insight into which events need to be logged so that audit trails can provide a history to help identify and trace malicious activities. PCI Requirement 10.2 requires that organizations implement automated audit trails for all system components to reconstruct the following events:
- All individual user accesses to cardholder data.
- All actions taken by any individual with root or administrative privileges.
- Access to all audit trails.
- Invalid logical access attempts.
- Use of and changes to identification and authentication mechanisms — including, but not limited to, creation of new accounts and elevation of privileges — and all changes, additions, or deletions to accounts with root or administrative privileges.
- Initialization, stopping, or pausing of the audit logs.
- Creation and deletion of system-level objects.
From an organizational perspective, you’re required to have logging enabled. We often hear the question, “Well, what do I log?” The PCI DSS is very specific about which events need to be logged, and you can find those specific requirements in PCI Requirement 10.2. The items listed above are the events that need to be logged.
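As an added illustration (not part of the original post), the check below maps sample Linux syslog and auditd lines onto the seven 10.2 event types listed above and reports which types a log sample never evidences, which is the practical gap an assessor will ask about. The auditd rule keys (chd_data, audit_trail, sys_objects) and the sample log lines are constructed assumptions, not real captures.

```python
import re
# The PCI DSS 10.2 event types as listed on the page, in the page's order.
PCI_10_2_EVENTS = [
    "user access to cardholder data",
    "actions with root or administrative privileges",
    "access to audit trails",
    "invalid logical access attempts",
    "use of / changes to identification and authentication mechanisms",
    "initialization, stopping or pausing of audit logs",
    "creation and deletion of system-level objects",
]
# Patterns mapping common Linux syslog and auditd lines onto those event types.
# The auditd keys (chd_data, audit_trail, sys_objects) are assumed -k values
# from your own audit rules, not a standard; adjust them to what you deploy.
PATTERNS = {
    PCI_10_2_EVENTS[0]: [r'key="chd_data"'],
    PCI_10_2_EVENTS[1]: [r"sudo:\s+\S+ : .*COMMAND=", r"\buid=0\b.*\bcomm="],
    PCI_10_2_EVENTS[2]: [r'key="audit_trail"', r"/var/log/audit/"],
    PCI_10_2_EVENTS[3]: [r"Failed password for", r"authentication failure"],
    PCI_10_2_EVENTS[4]: [r"\b(useradd|userdel|usermod|groupadd|passwd)\[\d+\]:"],
    PCI_10_2_EVENTS[5]: [r"auditd\[\d+\]: (Init complete|The audit daemon is exiting)", r"type=DAEMON_(START|END|ABORT)"],
    PCI_10_2_EVENTS[6]: [r'key="sys_objects"', r"\b(insmod|rmmod)\b"],
}
COMPILED = {ev: [re.compile(p) for p in pats] for ev, pats in PATTERNS.items()}

def classify(line):
    """Return the set of 10.2 event types that one log line evidences."""
    return {ev for ev, pats in COMPILED.items() if any(p.search(line) for p in pats)}

def coverage(lines):
    """Count lines evidencing each 10.2 event type; zero means no coverage."""
    counts = {ev: 0 for ev in PCI_10_2_EVENTS}
    for line in lines:
        for ev in classify(line):
            counts[ev] += 1
    return counts

def uncovered(lines):
    """Event types the log sample never shows: the logging gaps to close first."""
    return [ev for ev, n in coverage(lines).items() if n == 0]

# Constructed sample (not real captures) from a host whose logging is only partly
# in place: nothing here evidences cardholder-data access or system-object changes.
SAMPLE_LOG = [
    "Mar  3 09:14:02 pos01 sshd[2210]: Failed password for invalid user admin from 10.0.0.9 port 51022 ssh2",
    "Mar  3 09:15:10 pos01 sudo:  jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/less /var/log/audit/audit.log",
    "Mar  3 09:16:33 pos01 useradd[2301]: new user: name=svc_batch, UID=1005, GID=1005, home=/home/svc_batch",
    "Mar  3 09:20:00 pos01 auditd[811]: The audit daemon is exiting.",
    'type=SYSCALL msg=audit(1709457700.101:412): arch=c000003e syscall=257 success=yes exit=3 uid=0 comm="cat" exe="/usr/bin/cat" key="audit_trail"',
]
```

Running `uncovered(SAMPLE_LOG)` on this sample returns the cardholder-data and system-level-object types, which is exactly the list to take to whoever owns the audit rules.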