PCI Asset Logging
This report provides a list of all PCI assets that have stopped logging their data to Splunk platform or that have never logged data to Splunk platform. Use this report to ensure that all PCI assets are logging their data to Splunk platform. Use this report to repair any systems that are non-compliant in their logging configurations.
PCI DSS requires that audit logs from systems, applications, and devices in the cardholder data environment be promptly backed up to a central log server. Splunk platform functions as this central log server and monitors the data flow from all PCI assets.
Relevant data sources
Relevant data sources for this report include Splunk platform and audit logs.
How to configure this report
You do not have to configure this report. It uses Splunk platform metadata and the assets table to create results.
Report description
The data in the PCI Asset Logging report is populated by a lookup that runs against the assets.csv
file. You create the asset table. See Configure assets in this manual.
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that you have data from your network device(s). | sourcetype=<expected_st> | Returns data from your network device(s). |
Verify that metadata is accessible and data exists for the hosts from which data is collected. | | `host_eventcount` | Returns host metadata. |
Verify that metadata is successfully joined with the asset table. | | `asset_eventcount` | Returns PCI asset logging data. |
Verify that PCI asset logging fields are populated. | | metadata type=hosts index=* | Returns table of PCI asset logging fields fields. |
Privileged User Activity | Vulnerability Scan Details |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2
Feedback submitted, thanks!