PCI DSS 10.2.1.6: Audit Log Initialization and Stopping
Your audit logs are only as trustworthy as their completeness. PCI DSS 10.2.1.6 requires you to capture every initialization, stop, and pause event—ensuring no gaps in your accountability chain. Failing this control exposes unmonitored periods where unauthorized changes could occur undetected.
What this means
This control mandates that your system must automatically record when audit logging starts, stops, or pauses. These events themselves become part of the audit trail, creating a complete record of the logging system's operational status. This prevents attackers from disabling logs to cover their tracks and ensures you can reconstruct the full timeline of system activity.
How to comply
- 1.Configure your logging infrastructure to automatically capture initialization events when audit logging begins.
- 2.Enable alerts and logging when audit log collection is stopped or paused, whether intentionally or due to system failure.
- 3.Ensure these initialization/stopping events are recorded with timestamps and details about who or what triggered the change.
- 4.Implement controls to prevent unauthorized stopping or pausing of audit logs without notification.
- 5.Regularly review audit log initialization records to verify continuous logging coverage with no unexplained gaps.
- 6.Document your audit logging startup procedures and maintain change logs for all modifications to logging configurations.
Evidence auditors look for
- System logs showing audit log service start times with timestamps and user/process identifiers
- Configuration change records documenting when logging was enabled, disabled, or reconfigured
- Alerts triggered when audit log collection stopped unexpectedly or was manually disabled
- Syslog entries capturing audit daemon initialization across all monitored systems
- Change management tickets correlating with audit log start/stop events
- Centralized log aggregation records showing continuous receipt of initialization events
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically captures and correlates audit log initialization events across all your systems in a single dashboard, eliminating manual log parsing and reducing compliance verification time from hours to minutes.
See how GRCWatch handles this control automatically
Start free trial