WithPCI.com

10.2.1.6 Audit logs capture all initialization, stopping, or pausing of the audit logs.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

10.2.1.6 Audit logs capture the following:

  • All initialization of new audit logs, and
  • All starting, stopping, or pausing of the existing audit logs.

Customized Approach Objective

Records of all changes to audit log activity status are captured.

Defined Approach Testing Procedures

10.2.1.6 Examine audit log configurations and log data to verify that all elements specified in this requirement are captured.

Purpose

Turning off or pausing audit logs before performing illicit activities is common practice for malicious users who want to avoid detection.

Initialization of audit logs could indicate that a user disabled the log function to hide their actions.

purpose

Log initialization, stopping, or pausing of audit logs.

compliance strategies

  • Log service state changes
  • Alert on log service stoppage

typical policies

  • Log Management Policy

common pitfalls

  • No monitoring for log service interruptions

type

Technical Control

difficulty

Moderate

key risks

  • Loss of critical audit data

recommendations

  • Automate alerts for log service status changes
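The "log service state changes" and "alert on log service stoppage" strategies above, together with this recommendation, are the detection side of 10.2.1.6. The following added example (not WithPCI.com's or PCI SSC's code) shows what such an alert rule looks like when run over collected log lines from two common sources: Linux auditd daemon records (the real record types DAEMON_START, DAEMON_END and CONFIG_CHANGE) and Windows Security-log events (the real event IDs 1100, 1102 and 4719). The `host=<name> <raw record>` framing is an assumed collector format, and every sample line is constructed for the example.

```python
"""Flag audit-log initialization, start, stop and pause events for alerting.

Added example for PCI DSS 10.2.1.6; not from WithPCI.com or PCI SSC.
Assumptions: a log collector prefixes each line with "host=<name> "
(constructed framing), Windows events arrive as key=value text with an
EventID= and Time= field (constructed), and auditd lines keep the native
"type=... msg=audit(ts:serial): ..." layout. All sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class Alert:
    host: str
    source: str   # "windows" or "auditd"
    time: str
    reason: str

# Real Windows Security-log event IDs that signal a change of audit logging state.
WINDOWS_STATE_EVENTS = {
    1100: "event logging service shut down",
    1102: "security audit log cleared",
    4719: "system audit policy changed",
}

# Real Linux auditd daemon lifecycle record types.
AUDITD_DAEMON_EVENTS = {
    "DAEMON_START": "auditd started (new audit log initialized)",
    "DAEMON_END": "auditd stopped",
}

HOST_RE = re.compile(r"^host=(?P<host>\S+)\s+(?P<raw>.*)$")          # assumed collector framing
WIN_RE = re.compile(r"EventID=(?P<eid>\d+).*?Time=(?P<time>\S+)")      # assumed Windows export layout
AUDITD_RE = re.compile(r"^type=(?P<type>\w+)\s+msg=audit\((?P<time>[\d.]+):\d+\):\s*(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the line records a start, stop, pause or initialization of audit logging."""
    m = HOST_RE.match(line.strip())
    if not m:
        return None
    host, raw = m.group("host"), m.group("raw")

    w = WIN_RE.search(raw)
    if w:
        eid = int(w.group("eid"))
        if eid in WINDOWS_STATE_EVENTS:
            return Alert(host, "windows", w.group("time"), WINDOWS_STATE_EVENTS[eid])
        return None

    a = AUDITD_RE.match(raw)
    if a:
        rtype, time, body = a.group("type"), a.group("time"), a.group("body")
        if rtype in AUDITD_DAEMON_EVENTS:
            return Alert(host, "auditd", time, AUDITD_DAEMON_EVENTS[rtype])
        if rtype == "CONFIG_CHANGE":
            # auditctl -e 0 produces a CONFIG_CHANGE record with audit_enabled=0: a pause, not a stop.
            fields = dict(KV_RE.findall(body))
            if fields.get("audit_enabled") == "0":
                return Alert(host, "auditd", time, "audit_enabled set to 0 (auditing paused)")
            if fields.get("audit_enabled") in ("1", "2") and fields.get("old") == "0":
                return Alert(host, "auditd", time, "audit_enabled re-enabled")
    return None

def scan(lines: Iterable[str]) -> List[Alert]:
    """Run classify() over a batch of collected lines and keep only the alerts."""
    return [a for a in (classify(line) for line in lines) if a]

# Constructed sample input: one Linux host and one Windows host in the CDE.
SAMPLE_LINES = [
    "host=pos-db01 type=DAEMON_START msg=audit(1714558500.101:1): op=start ver=3.0.9 format=enriched auid=4294967295 pid=812 uid=0 ses=4294967295 res=success",
    "host=pos-db01 type=SYSCALL msg=audit(1714558600.220:57): arch=c000003e syscall=257 success=yes exit=3 pid=900 auid=1000 uid=0 comm=cat key=cde-files",
    "host=pos-db01 type=CONFIG_CHANGE msg=audit(1714558700.330:58): auid=1000 ses=2 op=set audit_enabled=0 old=1 auid=1000 ses=2 res=success",
    "host=pos-db01 type=DAEMON_END msg=audit(1714558800.440:59): op=terminate auid=4294967295 pid=812 uid=0 ses=4294967295 res=success",
    "host=pos-win07 EventID=4624 Channel=Security Time=2024-05-01T10:15:00Z",
    "host=pos-win07 EventID=1102 Channel=Security Time=2024-05-01T10:16:30Z",
    "host=pos-win07 EventID=1100 Channel=Security Time=2024-05-01T10:17:00Z",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(f"ALERT {alert.source:8} {alert.host:10} {alert.time:22} {alert.reason}")
```

The rule deliberately treats `audit_enabled=0` as its own alert: auditd keeps running, so a service-up check alone would miss the pause that the requirement text calls out. In production the `scan()` output would feed the alerting channel, and the alert rule itself belongs under 10.2.1.6's testing procedure as evidence that stop, pause and initialization events are both captured and acted on.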

Eligible SAQ

  • SAQ-A-EP
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
