Netgate Discussion Forum

Logging for PCI DSS

General pfSense Questions
7 Posts 5 Posters 744 Views
    Stewart (last edited Mar 23, 2018, 3:00 PM)

    PCI Compliance requires logging to be stored for 1 year for firewalls with the last 3 months to be readily available.  How do we keep logging history for pfSense and be able to search through it for that long?

      NogBadTheBad (last edited Mar 23, 2018, 3:03 PM)

      @Stewart:

      PCI Compliance requires logging to be stored for 1 year for firewalls with the last 3 months to be readily available.  How do we keep logging history for pfSense and be able to search through it for that long?

      Set up a syslog server and send the logs there.

      Status -> System Logs -> Settings -> Remote Logging Options

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        Stewart (last edited Mar 23, 2018, 3:33 PM)

        @NogBadTheBad:

        @Stewart:

        PCI Compliance requires logging to be stored for 1 year for firewalls with the last 3 months to be readily available.  How do we keep logging history for pfSense and be able to search through it for that long?

        Set up a syslog server and send the logs there.

        Status -> System Logs -> Settings -> Remote Logging Options

        That's what I was afraid of.  It would be nice to just have the logs stored locally.  A bonus would be to be able to search them through the interface that's already there, but we could always just grep from the CLI.

          Harvy66 (last edited Mar 23, 2018, 3:51 PM)

          If you NEED logging to be saved securely, saving it on your firewall is a horrible place. What you want is to save it to another write-only server with regular backups.

            Stewart (last edited Mar 23, 2018, 5:29 PM)

            @Harvy66:

            If you NEED logging to be saved securely, saving it on your firewall is a horrible place. What you want is to save it to another write-only server with regular backups.

            The issue is when dealing with small networks.  For example, I did a PCI self-audit of a deli yesterday.  Their network consists of the pfSense router, 2 Clover POS stations, and a MacBook that uses QuickBooks Online.  To be compliant they need a year's worth of firewall logs.  It seems a bit over the top to require them to purchase a separate server to store those logs when the firewall has 120GB of storage sitting there to be filled and an interface that is able to search the existing logs already.  If that's the way it is, then fine, but it sure would be nice to be able to store them locally.

              Derelict (Netgate) (last edited Mar 23, 2018, 8:21 PM)

              It's a firewall not a log server.

              I would think you would also want to log machine data from all of the local devices to accomplish the same PCI compliance goals.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                The Computer Guy (last edited Mar 23, 2018, 11:06 PM)

                Raspberry PI can run as a Syslog Server.

                So very little costs  ;D

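An added example, not code from the thread or from Netgate, tying NogBadTheBad's syslog-server advice to the Raspberry Pi suggestion above: a minimal Python UDP collector that files pfSense's default BSD-format datagrams per sending host and per day, plus a classifier for the one-year / three-month retention windows the thread discusses. The paths, the sample datagram and the collector itself are constructed assumptions; a production receiver would be rsyslog or syslog-ng with logrotate doing the same job.

```python
import os, re, socket
from datetime import date, datetime

READILY_AVAILABLE_DAYS = 90   # PCI DSS: last three months stay online, uncompressed
RETENTION_DAYS = 365          # PCI DSS: one year of history before purge

# BSD-style (RFC 3164) frame as pfSense sends by default: "<PRI>Mon DD HH:MM:SS hostname message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)

# Constructed sample datagram; PRI 134 = local0.info, the facility pfSense uses for filterlog.
SAMPLE = "<134>Mar 23 15:03:00 pfsense filterlog[60520]: constructed sample firewall event"

def parse_syslog(line, year):
    """Split one datagram into fields, or return None if it is malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    stamp = " ".join(m.group("ts").split())      # "Mar  3" -> "Mar 3" for strptime
    # The BSD format carries no year, so the receiver supplies one (mind the Jan 1 rollover).
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": ts,
            "host": m.group("host"), "message": m.group("msg")}

def store(record, base):
    """Append to one file per sending host and per day; return the path written."""
    path = os.path.join(base, record["host"], record["timestamp"].strftime("%Y-%m-%d") + ".log")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(f"{record['timestamp'].isoformat()} {record['message']}\n")
    return path

def retention_action(log_day, today):
    """Classify a daily file (ISO dates): keep online, archive to cold storage, or purge."""
    age = (date.fromisoformat(today) - date.fromisoformat(log_day)).days
    if age > RETENTION_DAYS:
        return "purge"
    return "archive" if age > READILY_AVAILABLE_DAYS else "online"

def serve(bind="0.0.0.0", port=514, base="/var/log/pfsense"):
    """Collect forever. Port 514 needs root; bind higher and match it in pfSense's remote logging options."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, _ = sock.recvfrom(8192)
        rec = parse_syslog(data.decode("utf-8", "replace"), date.today().year)
        if rec:                     # drop malformed datagrams instead of crashing the collector
            store(rec, base)
```

Call `serve()` on the collector host to start receiving, and run `retention_action()` over the daily files from a nightly job to compress or purge them.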
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.