Logging for PCI DSS



  • PCI Compliance requires logging to be stored for 1 year for firewalls with the last 3 months to be readily available.  How do we keep logging history for pfSense and be able to search through it for that long?


  • Galactic Empire

    @Stewart:

    PCI Compliance requires logging to be stored for 1 year for firewalls with the last 3 months to be readily available.  How do we keep logging history for pfSense and be able to search through it for that long?

    Set up a syslog server and send the logs there.

    Status -> System Logs -> Settings -> Remote Logging Options



  • @NogBadTheBad:

    @Stewart:

    PCI Compliance requires logging to be stored for 1 year for firewalls with the last 3 months to be readily available.  How do we keep logging history for pfSense and be able to search through it for that long?

    Set up a syslog server and send the logs there.

    Status -> System Logs -> Settings -> Remote Logging Options

    That's what I was afraid of.  It would be nice to just have the logs stored locally.  A bonus would be to be able to search it through the interface that's already there but we could always just grep from the CLI.



  • If you NEED logging to be saved securely, saving it on your firewall is a horrible place. What you want is to save it to another write-only server with regular backups.



  • @Harvy66:

    If you NEED logging to be saved securely, saving it on your firewall is a horrible place. What you want is to save it to another write-only server with regular backups.

    The issue is when dealing with small networks.  For example, I did a PCI self-audit of a deli yesterday.  Their network consists of the pfSense router, 2 Clover POS stations, and a MacBook that uses QuickBooks Online.  To be compliant they need a year's worth of firewall logs.  It seems a bit over the top to require them to purchase a separate server to store those logs when the firewall has 120GB of storage sitting there to be filled and an interface that is able to search the existing logs already.  If that's the way it is, then fine, but it sure would be nice to be able to store them locally.


  • Netgate

    It's a firewall not a log server.

    I would think you would also want to log machine data from all of the local devices to accomplish the same PCI compliance goals.



  • Raspberry Pi can run as a Syslog Server.

    So very little costs  ;D
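
An added example, not part of any post in this thread: a retention job for the remote syslog server suggested above, keeping the last 3 months of firewall logs uncompressed for grep and older logs compressed until they pass the 1-year mark. The directory layout (one `*.log` file per day under a per-host directory), the function name and the `HOT_DAYS`/`KEEP_DAYS` values are assumptions.

```shell
#!/bin/sh
# Added example: retention tiers for firewall logs on a remote syslog server.
# Assumptions (not from the thread): the syslog daemon writes one file per day
# as <dir>/<host>/<date>.log, and this job runs daily (for instance from cron).

HOT_DAYS=${HOT_DAYS:-90}     # last 3 months stay uncompressed and directly greppable
KEEP_DAYS=${KEEP_DAYS:-400}  # delete only well past 1 year, leaving a safety margin

# apply_retention DIR
#   Deletes logs older than KEEP_DAYS, gzips logs older than HOT_DAYS,
#   and prints a one-line summary: "compressed=N deleted=M".
apply_retention() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # Expire first so files past retention are not compressed needlessly.
    deleted=$(find "$dir" -type f \( -name '*.log' -o -name '*.log.gz' \) \
        -mtime +"$KEEP_DAYS" -print -exec rm -f {} + | wc -l)

    # gzip keeps the original modification time on the .gz file, so the
    # age test above still works on archives in later runs.
    compressed=$(find "$dir" -type f -name '*.log' \
        -mtime +"$HOT_DAYS" -print -exec gzip -9 {} + | wc -l)

    # Arithmetic expansion strips any padding some wc implementations add.
    echo "compressed=$((compressed + 0)) deleted=$((deleted + 0))"
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    apply_retention "$1"
fi
```

Archived files remain searchable with `zgrep`, so the older 9 months can still be produced on request.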