Wednesday, December 15, 2010

Complete PCI DSS Log Review Procedures, Part 9

Once upon a time, I was retained to create a comprehensive PCI DSS-focused log review policies, procedures and practices for a large company.  It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation or without any compliance flavor at all.

This is the ninth post in the long, long series (part 1, part 2, part 3all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs.

Today’s section covers one of the most critical parts of any log review process – the main daily workflow! Pay attention, please Smile

And so we continue with our Complete PCI DSS Log Review Procedures:

Main Workflow: Daily Log Review

This is the very central piece of the log review – comparing the logs produced over the last day (in case of a daily review) with an accumulated baseline.

Daily workflow follows this model:


This diagram summarizes the actions of the log analyst who performs daily log review. Before we proceed, the issue of frequency of the log review needs to be addressed.

Frequency of Periodic Log Review

PCI DSS requirement 10.6 explicitly states that “Review logs for all system components at least daily.” It is assumed that daily log review procedures will be followed every day. Only your QSA may approve less frequent log reviews, based on the same principle that QSAs use for compensating controls. What are some of the reasons when less frequent log reviews may be approved? The list below contains some of the reasons why daily log review may be performed less frequently than every day.

· Application or system does not produce logs every day. If log records are not added every day, then daily log review is unlikely to be needed

· Log review is performed using a log management system that collects log in batch mode, and batches of logs arrive less frequently than once a day[1]

· Application does not handle or store credit card data; it is only in scope since it is directly connected to

Remember that only your QSA’s opinion on this is binding and nobody else’s!

How does one actually compare today’s batch of logs to a baseline? Two methods are possible; both are widely used for log review – the selection can be made based on the available resources and tools used. Specifically:


Out of the two methods, the first method only considers log types not observed before and can be done manually as well as with tools. Despite its simplicity, it is extremely effective with many types of logs: simply noticing that a new log message type is produced is typically very insightful for security, compliance and operations.

For example, if log messages with IDs 1,2,3,4,5,6 and 7 are produced every day in large numbers, but log message with ID 8 is never seen, each occurrence of such log message is reason for an investigation. If it is confirmed that the message is benign and no action is triggered, it can be later added to the baseline.

So, the summary of comparison methods for daily log review is:


· Basic method:

o Log type not seen before (NEW log message type)


· Advanced methods:

o Log type not seen before (NEW log message type)

o Log type seen more frequently than in baseline

o Log type seen less frequently than in baseline)

o Log type not seen before (for particular user)

o Log type not seen before (for particular application module)

o Log type not seen before (on the weekend)

o Log type not seen before (during work day)

o New user activity noted (any log from a user not seen before on the system)


While following the advanced method, other comparison algorithms can be used by the log management tools as well.

After the message is flagged as an exception, we move to a different stage in our daily workflow – from daily review to investigation and analysis.

[1] While such rare collection is not recommended, it is not entirely uncommon either.

To be continued.

Follow PCI_Log_Review to see all posts.

Possibly related posts:

Dr Anton Chuvakin