GRCWatch
Sign inStart free trial

PCI DSS 10.2.1.6: Audit Log Initialization and Stopping

Your audit logs are only as trustworthy as their completeness. PCI DSS 10.2.1.6 requires you to capture every initialization, stop, and pause event—ensuring no gaps in your accountability chain. Failing this control exposes unmonitored periods where unauthorized changes could occur undetected.

What this means

This control mandates that your system must automatically record when audit logging starts, stops, or pauses. These events themselves become part of the audit trail, creating a complete record of the logging system's operational status. This prevents attackers from disabling logs to cover their tracks and ensures you can reconstruct the full timeline of system activity.

How to comply

  1. 1.Configure your logging infrastructure to automatically capture initialization events when audit logging begins.
  2. 2.Enable alerts and logging when audit log collection is stopped or paused, whether intentionally or due to system failure.
  3. 3.Ensure these initialization/stopping events are recorded with timestamps and details about who or what triggered the change.
  4. 4.Implement controls to prevent unauthorized stopping or pausing of audit logs without notification.
  5. 5.Regularly review audit log initialization records to verify continuous logging coverage with no unexplained gaps.
  6. 6.Document your audit logging startup procedures and maintain change logs for all modifications to logging configurations.

Evidence auditors look for

  • System logs showing audit log service start times with timestamps and user/process identifiers
  • Configuration change records documenting when logging was enabled, disabled, or reconfigured
  • Alerts triggered when audit log collection stopped unexpectedly or was manually disabled
  • Syslog entries capturing audit daemon initialization across all monitored systems
  • Change management tickets correlating with audit log start/stop events
  • Centralized log aggregation records showing continuous receipt of initialization events

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically captures and correlates audit log initialization events across all your systems in a single dashboard, eliminating manual log parsing and reducing compliance verification time from hours to minutes.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 10.2.1 — Log User AccessPCI DSS 10.2.2 — Log System EventsPCI DSS 10.2.3 — Log ExceptionsPCI DSS 10.2.4 — Log Privileged AccessPCI DSS 10.3 — Log ProtectionPCI DSS 10.7 — Log Review