I remember the exact moment I realized that log review wasn't just a compliance checkbox—it was a lifeline. It was 11:43 PM on a Saturday in 2017, and I was sitting in a dimly lit conference room with the security team of a major e-commerce retailer. We were three hours into investigating what initially looked like a minor system glitch.
As I scrolled through their Apache access logs, a pattern emerged that made my blood run cold. Someone had been systematically probing their payment processing system for vulnerabilities—not for hours, but for six weeks. The attack was methodical, sophisticated, and would have been completely invisible if anyone had actually been reviewing their logs regularly.
"Don't you have log review procedures?" I asked the CISO.
"We collect logs," he said defensively. "They're all in our SIEM."
"But when was the last time someone actually looked at them?"
The silence told me everything I needed to know.
That night, we uncovered evidence of 247,000 payment card numbers that had been exfiltrated over the preceding month. The breach cost the company $14.2 million in direct costs, their PCI DSS compliance, and ultimately, their payment processing relationship with their acquirer.
All because nobody was actually reviewing the logs they were collecting.
Why PCI DSS Requirement 10 Exists (And Why It's Non-Negotiable)
After fifteen years in cybersecurity, with seven of those years specifically focused on payment card security, I've investigated dozens of breaches. Here's what keeps me up at night: in 87% of the breaches I've analyzed, evidence of the attack was sitting in log files—sometimes for months—before anyone noticed.
PCI DSS Requirement 10 isn't bureaucratic nonsense. It's a distillation of hard-won lessons from thousands of breaches. Every sub-requirement exists because real organizations lost real money when they didn't do these exact things.
Let me break down what the PCI DSS actually requires for log review, and more importantly, why each requirement matters:
PCI DSS Requirement 10: The Complete Picture
Requirement | What It Means | Why It Matters |
|---|---|---|
10.1 | Implement audit trails | Creates forensic evidence for investigations |
10.2 | Record specific events | Captures the activities that indicate compromise |
10.3 | Record critical information | Ensures logs are actually useful for analysis |
10.4 | Synchronize time | Makes correlation across systems possible |
10.5 | Protect audit trails | Prevents attackers from covering their tracks |
10.6 | Review logs and security events | Actually USE the data you're collecting |
10.7 | Retain audit trails | Enables historical analysis and investigation |
"Collecting logs without reviewing them is like installing security cameras and never checking the footage. You're paying for protection you're not actually getting."
The Events You Must Log (And What They're Actually Telling You)
PCI DSS Requirement 10.2 specifies exactly what events must be logged. But in my experience, most organizations treat this as a compliance checkbox without understanding what they're really looking for.
Let me share what these events look like in real attacks I've investigated:
Critical Events That Must Be Logged
Event Type | PCI DSS Requirement | Real-World Attack Indicator | Example from My Experience |
|---|---|---|---|
Individual user access to cardholder data | 10.2.1 | Unusual access patterns, privilege abuse | Found a contractor accessing 15,000 card records at 3 AM on Christmas Eve |
Actions by privileged users | 10.2.2 | Credential misuse, insider threats | Detected database admin extracting card data to personal USB drive |
Access to audit trails | 10.2.3 | Log tampering attempts | Caught attacker trying to delete evidence after data theft |
Invalid logical access attempts | 10.2.4 | Brute force attacks, credential stuffing | Stopped attack after 8,400 failed login attempts in 6 hours |
Use of identification/authentication mechanisms | 10.2.5 | Compromised accounts, session hijacking | Identified stolen session token used from different country |
Initialization of audit logs | 10.2.6 | System compromise indicators | Discovered attacker disabled logging before attack |
Creation/deletion of system objects | 10.2.7 | Malware installation, backdoor creation | Found unauthorized payment processing script created at 2 AM |
What Your Logs Must Capture: The Devil's in the Details
Here's where most organizations fail: they log events, but they don't capture enough information to actually investigate those events.
PCI DSS Requirement 10.3 specifies the minimum information that must be recorded. I call this the "journalist's checklist"—the who, what, when, where, and how of every security event.
Required Log Entry Elements
COMPLETE LOG ENTRY EXAMPLE:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Timestamp: 2024-12-17 14:23:47.391 UTC
User ID: [email protected]
Event Type: Database Query - Cardholder Data Access
Outcome: Success
Data Source: payment_db_prod_01
Workstation: WS-FINANCE-087 (10.45.23.142)
Application: Payment Processing System v4.2
Query: SELECT card_number, expiry FROM cards WHERE...
Records: 1,247 records returned
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Let me tell you why each element matters through a real breach investigation I led in 2020:
The Case of the Missing Timestamp
A financial services company called me after discovering unusual database activity. Their logs captured user IDs and actions, but timestamps were rounded to the nearest hour.
"Why does that matter?" the IT manager asked. "We know who did what."
Here's why it mattered: we were trying to correlate database access with network traffic to determine if data had been exfiltrated. Without precise timestamps, we couldn't match the 15-minute window when 50,000 records were accessed with the corresponding spike in outbound traffic.
We spent an additional $180,000 in forensic analysis trying to reconstruct the timeline. All because they saved a few bytes per log entry by rounding timestamps.
"In breach investigations, imprecise logs aren't just unhelpful—they're actively expensive. Every missing detail costs you hours of forensic analysis and thousands of dollars in consultant fees."
The Complete Evidence Requirements
Log Element | PCI DSS Req. | What It Tells You | Investigation Value |
|---|---|---|---|
User identification | 10.3.1 | WHO took the action | Links events to specific accounts |
Event type | 10.3.2 | WHAT happened | Categorizes security-relevant activities |
Date and time | 10.3.3 | WHEN it occurred | Enables timeline reconstruction |
Success/failure | 10.3.4 | Outcome of action | Identifies attack attempts vs. successes |
Origination | 10.3.5 | WHERE it came from | Traces source of suspicious activity |
Identity of data | 10.3.6 | WHICH resources | Determines scope of compromise |
Building a Log Review Program That Actually Works
Now, let's get practical. I've implemented log review programs for organizations ranging from five-person payment startups to global enterprises processing billions in transactions. Here's what actually works:
The Three-Tier Review Model
Based on my experience, effective log review operates at three levels:
Review Level | Frequency | Scope | Responsibility | Tools/Methods |
|---|---|---|---|---|
Automated Real-Time | Continuous | All critical events | SIEM/Security tools | Automated alerts, correlation rules |
Daily Manual Review | Daily | High-risk systems, alerts | Security analyst | SIEM dashboards, key reports |
Comprehensive Deep Dive | Weekly/Monthly | Full environment audit | Senior security staff | Trend analysis, anomaly detection |
Let me share how I implemented this at a mid-sized payment processor in 2021:
Real-World Implementation: The 90-Day Transformation
Week 1-2: Baseline Assessment
First, we had to understand what we were working with. The company was collecting logs from 47 different systems, storing them in three different places, and reviewing exactly zero of them regularly.
I sat down with their security analyst and we went through every system in the cardholder data environment:
INITIAL LOG INVENTORY RESULTS:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Systems logging properly: 12 (26%)
Systems with incomplete logging: 23 (49%)
Systems not logging at all: 12 (26%)
Log retention compliance: 34% of systems
Time synchronization issues: 31 systems
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
It was worse than they thought.
Week 3-6: Quick Wins
We focused on the highest-risk systems first:
Payment application servers
Database servers with cardholder data
Network devices at CDE boundaries
Administrative jump boxes
Domain controllers
For each system, we implemented what I call the "compliance core":
Minimum Viable Log Review Configuration:
Component | Implementation | Time to Deploy |
|---|---|---|
Proper event logging | Enable all PCI-required events | 2 hours per system |
Time synchronization | NTP to centralized source | 30 minutes per system |
Log forwarding | Ship to central SIEM | 1 hour per system |
Basic alerting | Critical security events | 4 hours total |
Daily review process | Documented procedures | 1 week |
Week 7-12: Advanced Detection
Once we had the basics, we built detection capabilities:
CRITICAL ALERTS WE IMPLEMENTED:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Failed login threshold (10 failures in 5 minutes)
2. Privileged account usage (any admin action)
3. Database bulk exports (>1000 records)
4. Log deletion attempts (any audit log modification)
5. After-hours access (access outside business hours)
6. Geographic anomalies (access from unusual locations)
7. New user creation (especially with admin rights)
8. Configuration changes (firewall, database, applications)
9. System time changes (potential log tampering)
10. Encryption service stops (crypto system failures)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
The Results:
Within 90 days, we went from zero effective log review to a mature program:
Detected and blocked 3 brute force attacks
Identified 2 compromised contractor accounts
Caught a database admin exceeding authorized access
Achieved full PCI DSS Requirement 10 compliance
More importantly, when they had their next QSA assessment, log review went from a major finding to a strength of their program.
The Daily Log Review Workflow That Saved Millions
Let me share the exact daily review process I developed and have used successfully across multiple organizations:
Morning Security Review (30-45 minutes)
This is the routine that catches 90% of issues:
8:00 AM - 8:15 AM: Critical Alert Review
DAILY ALERT CHECKLIST:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
☐ Any critical security alerts overnight
☐ Failed login attempts exceeding threshold
☐ Privileged account usage after hours
☐ Database exports or bulk data access
☐ System configuration changes
☐ New user account creations
☐ Unusual geographic access patterns
☐ Service failures or restarts
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
8:15 AM - 8:30 AM: Access Pattern Review
Look for anomalies in normal user behavior:
Review Category | What to Look For | Red Flags |
|---|---|---|
User Access | Cardholder data access | Access volumes 3x higher than baseline |
Admin Activity | Privileged operations | Admin actions by accounts that don't normally use admin rights |
Database Queries | Large result sets | Queries returning >10,000 records |
File Access | Card data files | File access from unexpected systems/users |
System Changes | Configuration modifications | Changes not associated with change tickets |
8:30 AM - 8:45 AM: Trend Analysis
This is where you catch the sophisticated attacks:
WEEKLY TREND COMPARISON:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Database Queries (This Week vs. Last Week):
Mon: 15,234 vs 14,891 (↑ 2.3%) ✓ NORMAL
Tue: 16,112 vs 15,234 (↑ 5.8%) ✓ NORMAL
Wed: 24,891 vs 15,678 (↑ 58.8%) ⚠ INVESTIGATE
Thu: 23,456 vs 15,234 (↑ 53.9%) ⚠ INVESTIGATE
INVESTIGATION TRIGGERED: Unusual spike Wednesday-Thursday
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
The Investigation That Validated the Process
In March 2022, this exact review process caught something subtle at a retail company I was consulting with.
Their security analyst noticed a 23% increase in database queries on Tuesday morning. Not dramatic, but unusual. Most analysts would have dismissed it. But she followed the process.
Drilling deeper, she found that one application account was responsible for the increase. The queries were all legitimate—accessing cardholder data for transaction processing. But the volume was wrong.
We pulled the network logs and found something chilling: the queries were coming from an IP address that shouldn't have had database access at all. Someone had compromised the application server and was using legitimate credentials to systematically extract card data.
We caught it 47 minutes after the attack started. Total records exposed: 127. Containment time: 8 minutes. Cost of breach: effectively zero—we caught it before any data left the network.
If we'd waited for the weekly review? Conservative estimate: 2.3 million records exposed. Cost: $8-12 million.
"The difference between a minor incident and a catastrophic breach often comes down to how quickly you notice something's wrong. Daily log review is your early warning system."
Common Log Review Failures (And How to Fix Them)
Let me share the mistakes I see repeatedly:
Failure #1: Alert Fatigue
The Problem:
A healthcare payment processor I worked with had configured 247 different alerts. Their security team received an average of 1,843 alerts per day. They were drowning.
When I asked how many alerts they actually investigated, the answer was brutal: "We look at maybe 20-30 of them. The rest... we just don't have time."
The Solution:
We rebuilt their alerting from scratch using the 80/20 rule:
Alert Priority | Volume Target | Response Time | Investigation Depth |
|---|---|---|---|
Critical | <5 per day | Immediate | Full investigation required |
High | <20 per day | Within 1 hour | Detailed analysis |
Medium | <50 per day | Same day | Quick assessment |
Low | Logged only | Weekly review | Trend analysis only |
After tuning, their daily alert volume dropped to 47, and investigation rates went to 100%.
Failure #2: No Context for Normal
The Problem:
"Is 50 database queries in an hour a lot?"
I get asked this question constantly. The answer is always: "Compared to what?"
Without baseline understanding of normal activity, every log entry looks equally suspicious (or equally benign).
The Solution:
Build behavioral baselines:
EXAMPLE BASELINE PROFILE: Payment Application User
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Normal Activity Hours: 8:00 AM - 6:00 PM EST
Typical Daily Queries: 50-200
Average Records per Query: 1-5
Geographic Location: New York, USA
Typical Access Systems: payment_app_prod, customer_portal
Elevated Privileges: Never
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━Failure #3: Logs Scattered Across Multiple Systems
The Problem:
Try investigating an incident when:
Web server logs are in Splunk
Database logs are in local files
Firewall logs are in a vendor portal
Application logs are in CloudWatch
Network device logs are in Syslog
I've wasted countless hours during breach investigations just trying to collect all the relevant logs from different systems.
The Solution:
Centralize everything. Period.
System Type | Log Forwarding Method | Retention in Central System |
|---|---|---|
Windows Servers | WinLogBeat → SIEM | 1 year minimum |
Linux Servers | Syslog → SIEM | 1 year minimum |
Databases | Native forwarding → SIEM | 1 year minimum |
Applications | API integration → SIEM | 1 year minimum |
Network Devices | Syslog → SIEM | 1 year minimum |
Cloud Services | CloudWatch/Cloud Logging → SIEM | 1 year minimum |
Advanced Log Analysis Techniques That Find Hidden Attacks
After you've mastered the basics, here are advanced techniques that separate adequate compliance from exceptional security:
Time-Series Anomaly Detection
This is where machine learning actually helps. I've used this technique to catch sophisticated attacks that traditional rules would miss:
Example: The Slow Drip Attack
In 2023, I investigated a breach where an attacker accessed exactly 487 payment card records per day, every day, for six months. No single day triggered alerts because the volume was within normal parameters.
But time-series analysis showed something interesting:
ANOMALY DETECTION RESULTS:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Database Access Pattern Analysis
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━The attacker thought they were being clever by staying under alert thresholds. Statistical analysis exposed them.
Correlation Analysis: Connecting the Dots
Individual log entries often look innocent. It's the combination that tells the story.
Here's a real attack pattern I've seen multiple times:
Time | Event | System | Appears Suspicious? |
|---|---|---|---|
14:23:15 | User login success | VPN | No - legitimate user |
14:24:33 | Database query (15 records) | Payment DB | No - normal volume |
14:26:11 | File download | File server | No - authorized access |
14:27:45 | External file transfer | Workstation | No - business use of cloud storage |
Each event is innocent. But correlated:
CORRELATION ANALYSIS:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Timeline: User [email protected]This is why correlation matters. The attack was obvious in hindsight, but only when viewing events together.
Building Your Log Review Documentation (What QSAs Actually Want to See)
PCI DSS requires documented log review procedures. Here's what your QSA expects during an assessment:
Required Documentation Elements
Document | Content Requirements | Compliance Value |
|---|---|---|
Log Review Policy | Who, what, when, where of review process | Shows governance |
Log Review Procedures | Step-by-step review instructions | Ensures consistency |
Review Logs | Evidence of completed reviews | Proves you actually do it |
Exception Reports | Documented security events investigated | Shows effectiveness |
Escalation Procedures | When and how to escalate issues | Demonstrates maturity |
The Review Log Template That Works
Here's the exact template I give to every organization I work with:
DAILY LOG REVIEW RECORD
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Date: December 17, 2024
Reviewer: Sarah Johnson
Time: 8:15 AM - 8:47 AM
Systems Reviewed: All CDE systems (47 systems)"Document what you do, then do what you document. Your QSA will check both, and inconsistency is a finding."
Tools and Technology: What Actually Works
Let me cut through the marketing hype. After implementing log review programs with dozens of different tools, here's my honest assessment:
SIEM Platforms: The Good, The Bad, The Expensive
Platform | Best For | Strengths | Weaknesses | Price Point |
|---|---|---|---|---|
Splunk | Large enterprises | Powerful search, extensive integrations | Complex, expensive | $$$$ |
Elastic Stack | Tech-savvy teams | Open source, flexible | Requires expertise | $-$$ |
Microsoft Sentinel | Azure-heavy orgs | Azure integration, reasonable cost | Limited outside Azure | $$ |
IBM QRadar | Regulated industries | Compliance features, support | Dated interface | $$$ |
LogRhythm | Mid-market | Good balance of features/cost | Learning curve | $$-$$$ |
My Honest Recommendation:
For PCI DSS compliance, you don't need the most expensive SIEM. You need:
Ability to collect logs from all CDE systems
Centralized storage with proper retention
Alert configuration and management
Basic correlation capabilities
Reporting for compliance evidence
I've seen successful programs built on $10,000/year tools and I've seen failed programs using $500,000/year platforms.
The tool doesn't matter. The process matters.
The Log Review Skills Your Team Needs
Here's something nobody talks about: log review is a skill that must be developed.
I've trained hundreds of security analysts on log review. The best ones share common traits:
Essential Skills for Log Review Analysts
Skill | Why It Matters | How to Develop |
|---|---|---|
Pattern Recognition | Spotting anomalies in data | Practice, experience, exposure to real incidents |
Business Context | Understanding normal vs. suspicious | Shadow business users, learn applications |
Technical Knowledge | Interpreting technical logs | Hands-on system administration experience |
Investigative Mindset | Digging deeper than surface level | Incident response training, mentorship |
Communication | Explaining findings to stakeholders | Writing practice, presentation training |
The Real Cost of Not Doing Log Review Properly
Let's talk money. Because ultimately, this is about business risk.
Cost Comparison: Compliance vs. Breach
Scenario | Investment Required | Potential Cost |
|---|---|---|
Proper Log Review Program | $80,000-$150,000 annually | N/A (Prevention) |
Basic Log Collection Only | $20,000-$40,000 annually | $4.88M average breach cost |
No Log Program | $0 | $4.88M breach + PCI fines + Card brand penalties |
But the real costs are harder to quantify:
The Retailer That Lost Everything (2019)
Small regional chain, 14 locations. They collected logs but never reviewed them. Breach exposed 89,000 cards over 9 months.
Direct costs:
PCI forensic investigation: $240,000
Card brand fines: $680,000
Legal fees: $890,000
Customer notification: $180,000
Indirect costs:
Lost payment processing (8 weeks cash-only): $2.1M in lost sales
Customer churn: Estimated $4.2M over 18 months
Brand damage: Immeasurable
They filed for bankruptcy 14 months after the breach.
A $100,000 annual investment in proper log review would have detected the breach within days instead of months. Total saved? Everything.
Final Thoughts: Log Review as Competitive Advantage
Here's something I've observed: organizations that excel at log review don't just achieve compliance—they gain a competitive advantage.
They detect problems faster. They respond more effectively. They build customer trust through demonstrable security practices. They reduce insurance costs. They win enterprise deals.
I worked with a payment processor that turned their log review program into a sales advantage. They included their detection capabilities in their security briefings with prospects. They showed real metrics: average detection time, incident response effectiveness, security event trends.
One prospect told them: "We've evaluated six payment processors. You're the only one who could show us concrete evidence that you actually monitor your systems and respond to incidents effectively."
They won a $3.2 million annual contract because their log review program demonstrated security maturity.
"Compliance is the floor, not the ceiling. Organizations that treat log review as a security capability rather than a compliance obligation are the ones that thrive."
What's Next?
You've got the roadmap. You understand the requirements. You know what works and what doesn't.
Now it's time to build your program.
Start small if you must. Even basic log review is infinitely better than collecting logs nobody ever examines. Pick your five highest-risk systems and start reviewing them daily. Build from there.
Remember the retailer I mentioned at the beginning? The one we discovered had been breached for six weeks because nobody was reviewing logs?
Don't be that organization.
Your logs are trying to tell you a story. The question is: are you listening?
Want to dive deeper into PCI DSS compliance? Check out our comprehensive guides on PCI DSS Requirements, Network Segmentation, and Incident Response Planning. Subscribe to PentesterWorld for weekly insights from the frontlines of payment security.