GRCWatch
Sign inStart free trial

PCI DSS 10.3.3: Back Up Audit Logs to Secure Central Server

Audit logs are a critical security asset—but only if they're protected from tampering. PCI DSS 10.3.3 requires you to back up audit logs to a secure, centralized server or media that's difficult to modify. Without this control, attackers can alter or delete logs to cover their tracks, making breach detection nearly impossible.

What this means

This control mandates that audit log files generated across your systems are promptly copied to a central repository—such as a dedicated log server, SIEM platform, or secure storage media—that has restricted write access and tamper-evident protections. The goal is to ensure logs remain intact and accessible for investigation, even if an attacker compromises the original source system.

How to comply

  1. 1.Identify all systems that generate audit logs (servers, databases, applications, network devices).
  2. 2.Select a secure, centralized logging infrastructure (dedicated syslog server, cloud SIEM, or hardened appliance).
  3. 3.Configure automated log forwarding with encryption (TLS/SSL) from all sources to the central server.
  4. 4.Implement read-only access controls so logs cannot be modified or deleted by standard user accounts.
  5. 5.Enable log rotation and archival policies to maintain adequate retention (per PCI DSS 10.7 requirements).
  6. 6.Verify backup copies are created regularly and stored on separate, tamper-resistant media or offsite storage.
  7. 7.Test log recovery procedures quarterly to confirm backups are usable and intact.
  8. 8.Monitor for failed log transmissions and alert security teams immediately when issues occur.

Evidence auditors look for

  • Syslog server configuration showing centralized log collection from all systems
  • Firewall or network rules restricting log server access to authorized systems only
  • Log forwarding agent configurations (Splunk Universal Forwarder, Fluentd, rsyslog, Filebeat) with TLS certificates
  • Read-only file permissions and audit trails on the central log storage location
  • Backup job logs and verification reports confirming daily or weekly audit log backups
  • Offsite storage documentation (e.g., AWS S3, Azure Blob, third-party backup service) with encryption enabled
  • Log recovery test results demonstrating successful restoration of audit logs from backup
  • System monitoring alerts configured to detect failed log forwarding or backup failures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers all log sources in your environment, configures centralized forwarding to your SIEM or backup destination, monitors backup success rates, and alerts you to failures—eliminating manual log management and proving 10.3.3 compliance to auditors.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 10.1 — Implement User Access LoggingPCI DSS 10.2 — Implement Automated Audit TrailsPCI DSS 10.5.1 — Restrict Access to Audit LogsPCI DSS 10.6 — Review User Access and ActivityPCI DSS 10.7 — Retain Audit Log History