Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

PCI Asset Logging

This report lists every PCI asset that has stopped sending data to the Splunk platform, or that has never sent data to it. Use it to confirm that all PCI assets are logging to the Splunk platform and to identify systems whose logging configuration is non-compliant so they can be repaired.

PCI DSS requires that audit logs from systems, applications, and devices in the cardholder data environment be promptly backed up to a central log server. Splunk platform functions as this central log server and monitors the data flow from all PCI assets.

Relevant data sources

Relevant data sources for this report are Splunk platform metadata (per-host event counts and last-seen times) and the audit logs that the PCI assets send.

How to configure this report

You do not have to configure this report. It uses Splunk platform metadata and the assets table to create results.

Report description

The data in the PCI Asset Logging report is populated by a lookup that runs against the assets.csv file. You create the asset table. See Configure assets in this manual.

Useful searches for troubleshooting

Troubleshooting task: Verify that you have data from your network device(s).
Search/action: sourcetype=<expected_st>
Expected result: Returns data from your network device(s).

Troubleshooting task: Verify that metadata is accessible and data exists for the hosts from which data is collected.
Search/action: | `host_eventcount`
Expected result: Returns host metadata.

Troubleshooting task: Verify that metadata is successfully joined with the asset table.
Search/action: | `asset_eventcount`
Expected result: Returns PCI asset logging data.

Troubleshooting task: Verify that PCI asset logging fields are populated.
Search/action: | metadata type=hosts index=*
Expected result: Returns a table of PCI asset logging fields.
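As an added example (not a search shipped with the app), the following search reproduces the report's logic so that you can compare its output with the dashboard while troubleshooting. It joins the asset table with the host metadata that `| metadata type=hosts` returns and classifies each in-scope asset as "never logged" (no metadata row for the host) or "stopped logging" (last event older than a threshold). It assumes that the asset table has a pci_domain field whose values include cardholder, that the host name recorded by the forwarder matches the asset's nt_host, dns or ip value after lower-casing, and that 24 hours without any event counts as "stopped logging"; adjust all three for your environment.

```spl
| inputlookup assets.csv
| where like(pci_domain, "%cardholder%")
| eval host=lower(coalesce(nt_host, dns, ip))
| join type=left host
    [ | metadata type=hosts index=*
      | eval host=lower(host)
      | stats max(lastTime) as lastTime by host ]
| eval status=case(isnull(lastTime), "never logged",
                   lastTime < relative_time(now(), "-24h"), "stopped logging",
                   true(), "logging")
| where status!="logging"
| eval last_seen=if(isnull(lastTime), "never", strftime(lastTime, "%Y-%m-%d %H:%M:%S"))
| table host status last_seen pci_domain
```

Two caveats when reading the result. `| metadata` reports the last event time for a host across every index it is given, so a host that still sends some data (performance metrics, for example) but has stopped sending its audit log will not appear in this list; run the sourcetype check from the table above as well. The left join runs as a subsearch and is subject to the subsearch row limit, so in large deployments replace index=* with the indexes your PCI assets actually write to.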
Last modified on 26 January, 2018

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
