What logs to retain for PCI-DSS?

Generally, the most conservative answer comes in the form of something easily understood, and approachable by the general populous.

Log Retention Recommendations

Ignoring the hyperbole of that kind of response, there are two things you must really take into account.

  1. What logs should I retain
  2. How long should I retain said logs

Log Retention

The answer to 2 is simple and well defined by the standard. Logs must be retained for one year and the last three months must be easily accessible. So let's translate that statement into my own recommendation

  • Implement a centralized logging system, e.g. a single purpose system acting as a syslog receiver
  • If storage is available on central system, then retain all logs from PCI scoped systems for 1 year
  • Otherwise retain all logs from PCI scoped systems on central system for 3 months, rotate all logs older than 3 months to long term storage (such as tape/VTL/papyrus). Expunge logs on long term storage that are older than 1 year.

Events to Log

The answer to the first point is a little less well defined. The standard wants you to keep events and details for all PCI scoped systems. So assuming you have determined every system that is in scope, the only question is what what events you want to log. This is much harder to answer, because it would largely depend on your environment and what applications are running. The easy answer is to ask your QSA. To be conservative I would recommend adding *.* @logserver to your syslog config files, or perform the Windows equivalent. Make sure that any non-syslog applications on those machines also find a way to get their logs out. This would include web server, fat clients, etc. At minimum make sure any authentications, successful and unsuccessful, are logged. If possible full audit logs of data access on applications would be nice. For web apps, this would be standard in your httpd logs, but fat clients may not be as granular.

In the end, since your QSA decides whether or not you are compliant, they are your best bet for answering these questions.


My experience with this is it depends on your PCI QSA (i.e. it's partially subjective). Try flipping through Anton Chuvakin's slidedeck for some tips:

PCI DSS and Logging: What you need to know:
http://www.slideshare.net/anton_chuvakin/pci-dss-and-logging-what-you-need-to-know-by-dr-anton-chuvakin