PCI Compliance requirement 10.5 - How can Wazuh ensure the audit trail (log file) can not be altered as per requirement


Jacky Ang

Jul 17, 2020, 4:06:48 AM
to Wazuh mailing list
Hi Team,

I have a question about the PCI compliance requirement: "How does Wazuh ensure that the log file on the Wazuh server is being monitored and cannot be altered by someone?"

Perhaps someone could help with some guidance and steps on how to accomplish this task.

Thanks in advance.

Regards,
Jacky Ang

Yana Zaeva

Jul 20, 2020, 9:52:39 AM
to Wazuh mailing list

Hi Jacky,
First of all, sorry for the late response. Concerning your question, Wazuh ensures that the log file cannot be altered by anyone by performing Log Analysis and File Integrity Checking. In order to configure Log Analysis to monitor a specific file on the server, we may add the following lines to ossec.conf:
<localfile>
  <location>/file/path/to/be/monitored</location>
  <log_format>syslog</log_format>
</localfile>

On the other hand, to configure File Integrity Checking (in order to detect changes in a desired file), we may add the following lines to agent.conf:
<syscheck>
    <directories check_all="yes" >/file/path/to/detect/changes</directories>
</syscheck>

I will leave you some useful links:
Do not hesitate to contact us if you have any doubts!
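
Added example, not part of the original replies and not Wazuh's own code: an integrity check on a log that is still being written has to tell new entries apart from changes to entries already recorded, and this sketch does that by hashing only the bytes that existed when the baseline was taken. The function names and the sample log entries are constructed for illustration.

```python
import hashlib
import os
import tempfile


def take_baseline(path):
    """Record the current length of the log and a SHA-256 over exactly those bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def check_log(path, baseline):
    """Return 'unchanged', 'appended', 'truncated' or 'altered' for a log vs. its baseline."""
    size = os.path.getsize(path)
    if size < baseline["length"]:
        return "truncated"  # bytes recorded at baseline time are missing
    with open(path, "rb") as f:
        prefix = f.read(baseline["length"])  # only the bytes that existed at baseline time
    if hashlib.sha256(prefix).hexdigest() != baseline["sha256"]:
        return "altered"  # an already-recorded entry was changed
    return "appended" if size > baseline["length"] else "unchanged"


def write(path, data, mode="wb"):
    """Helper for the demo: write or append bytes to the sample log."""
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Run the four cases on a constructed sample log (hypothetical entries)."""
    original = (b"Jul 17 04:06:48 host sshd[411]: Accepted publickey for admin\n"
                b"Jul 17 04:07:02 host sudo: admin : COMMAND=/bin/ls\n")
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "audit.log")
        write(path, original)
        base = take_baseline(path)
        results["no_change"] = check_log(path, base)
        write(path, b"Jul 17 04:09:10 host sshd[411]: session closed\n", "ab")
        results["new_entry"] = check_log(path, base)
        write(path, original.replace(b"admin", b"guest"))  # same length, different content
        results["edited_entry"] = check_log(path, base)
        write(path, original[:40])
        results["cut_short"] = check_log(path, base)
    return results


if __name__ == "__main__":
    print(demo())
```

Log rotation shows up here as "truncated", so a scheduled check would take a fresh baseline at rotation and verify the rotated file in full.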

Jacky Ang

Jul 21, 2020, 1:00:56 AM
to Wazuh mailing list
Hi Yana,

Thank you very much for the clear answer; it helps a lot. Really appreciate this.

Regards,
Jacky Ang 