Backup your log files in a suitable time frame and encrypt those backup logs with the public portion of a gpg key. Ensure that the private portion of the key (ability to decrypt / alter the file) is held by someone other than the resource owner (keep it in a safe, etc...) for which the logs are being generated. Keep an unencrypted instance of logs as needed for other tasks. Refer to the master, encrypted logs as needed in the event of forensics. Retain encrypted files on tape other other medium consistent with other requirements. This should work for PCI DSS 1.1 if the frequency of the backup is within 10.5 guidelines.
Slashdot Mirror
Backup your log files in a suitable time frame and encrypt those backup logs with the public portion of a gpg key. Ensure that the private portion of the key (ability to decrypt / alter the file) is held by someone other than the resource owner (keep it in a safe, etc...) for which the logs are being generated. Keep an unencrypted instance of logs as needed for other tasks. Refer to the master, encrypted logs as needed in the event of forensics. Retain encrypted files on tape other other medium consistent with other requirements. This should work for PCI DSS 1.1 if the frequency of the backup is within 10.5 guidelines.