Log Validation Question?


jplee3
06-29-2007, 08:06 AM
Hi there,
I have a basic question: When using tools such as Snort, Adiscon EvntSlog, NTSyslog, etc to forward Windows Event Logs to a centralized syslog server (Unix or Windows), do these tools cause the 'raw' logs to become invalid because they have essentially been changed in the sense that they were parsed and may have different headers/formats/layouts in terms of the way the log entry looks?
During a demo presentation of a logging product, an SE mentioned that "log validation" is a crucial aspect of PCI compliance (notably when the auditor is reviewing things), in that retaining the 'raw' log as it is duplicated to the central syslog server is necessary. The product uses an agentless method to collect logs and is Windows-based, so the whole point is that "This is more valid because you're pulling the raw Windows Event Logs and copying them over to another Windows machine. Therefore, you retain 100% validity vs. using solutions that deploy agents: SNARE, etc."

Does anyone have more information on this? If this were true, wouldn't a majority of logging products out there be considered "invalid" since many use proprietary agents that parse Event Logs and usually change the formatting?

jbhall56
07-01-2007, 03:57 AM
The intent of the PCI DSS section 10 is to make sure that an attacker cannot modify log file entries to hide or obscure their attack methods and techniques.

Central log management systems parse log information so that it can be properly indexed and searched. As long as the collection system does not modify the intent of the original message in its processing, then things should be fine from a PCI compliance perspective.

While I prefer log management systems that maintain an original copy of the complete log entry, this is not always possible for a variety of reasons. Sometimes the original entry can provide additional information that the parser is not programmed to organize.
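The two points jbhall56 makes (parsing for indexing is fine as long as the original record survives, and the real goal is that nobody can alter entries afterwards) can be shown together in code. The following is an added example, not code from the thread or from any of the products mentioned: a forwarder that parses a few indexable fields but also ships the verbatim raw record inside an RFC 5424-style syslog message, plus an HMAC chain that lets a reviewer prove the records were neither edited nor deleted after the chain was applied. The sample event text, the field names, the `evtfwd` app name, the `dc01` host, the timestamp and the key are all constructed for the example.

```python
"""Forward event-log records as syslog while keeping the verbatim raw record
and a per-record HMAC chain. Added example; not from the thread or a product."""
import hashlib
import hmac
import json
import shlex

# Constructed sample records (not from a real host), written as flat key=value
# text in the spirit of Windows Security log entries.
SAMPLE_EVENTS = [
    'EventID=4624 Source=Microsoft-Windows-Security-Auditing '
    'TargetUserName=alice LogonType=10 IpAddress=10.0.0.5 '
    'Message="An account was successfully logged on."',
    'EventID=4625 Source=Microsoft-Windows-Security-Auditing '
    'TargetUserName=admin LogonType=3 IpAddress=203.0.113.9 '
    'Message="An account failed to log on."',
    'EventID=1102 Source=Microsoft-Windows-Eventlog '
    'SubjectUserName=admin Message="The audit log was cleared."',
]

# Fields the parser indexes; everything else is only in the raw copy.
INDEXED_FIELDS = ("EventID", "TargetUserName", "SubjectUserName",
                  "IpAddress", "LogonType")
GENESIS = "0" * 64   # prev-digest for the first record of a chain
PRI = 13 * 8 + 6     # RFC 5424 PRI: facility 13 (log audit), severity 6 (info)
SEP = " - - - "      # nil PROCID, MSGID and STRUCTURED-DATA before the MSG part


def parse_event(raw: str) -> dict:
    """The lossy step: index a handful of fields for searching."""
    kv = {}
    for token in shlex.split(raw):       # honours the quoted Message value
        key, sep, value = token.partition("=")
        if sep:
            kv[key] = value
    return {k: kv[k] for k in INDEXED_FIELDS if k in kv}


def forward_record(raw, prev_digest, key, host="dc01",
                   ts="2007-06-29T08:06:00Z"):
    """One syslog line carrying the parsed view AND the verbatim raw record.
    The MAC covers the previous MAC and the raw text, forming a chain."""
    mac = hmac.new(key, (prev_digest + "\n" + raw).encode(),
                   hashlib.sha256).hexdigest()
    payload = {"parsed": parse_event(raw), "raw": raw,
               "prev": prev_digest, "mac": mac}
    return f"<{PRI}>1 {ts} {host} evtfwd{SEP}{json.dumps(payload)}", mac


def forward_all(raws, key):
    """Chain every record; the returned head digest belongs in trusted storage."""
    lines, prev = [], GENESIS
    for raw in raws:
        line, prev = forward_record(raw, prev, key)
        lines.append(line)
    return lines, prev


def payload_of(line):
    return json.loads(line.split(SEP, 1)[1])


def extract_raw(line):
    """Recover the original record exactly as it was before parsing."""
    return payload_of(line)["raw"]


def verify_chain(lines, key, expected_head=None):
    """True if no record was edited, reordered or removed from the middle.
    Pass expected_head to also catch records dropped from the end."""
    prev = GENESIS
    for line in lines:
        p = payload_of(line)
        expect = hmac.new(key, (prev + "\n" + p["raw"]).encode(),
                          hashlib.sha256).hexdigest()
        if p["prev"] != prev or not hmac.compare_digest(expect, p["mac"]):
            return False
        if p["parsed"] != parse_event(p["raw"]):
            return False                  # parsed view drifted from the raw
        prev = p["mac"]
    return expected_head is None or hmac.compare_digest(prev, expected_head)


if __name__ == "__main__":
    key = b"collector-side-secret"        # assumed: held by the log server
    lines, head = forward_all(SAMPLE_EVENTS, key)
    print("intact chain:", verify_chain(lines, key, head))
    edited = lines[:]
    edited[1] = edited[1].replace("203.0.113.9", "10.0.0.7")
    print("after editing an IP:", verify_chain(edited, key, head))
    print("after deleting the 4625:", verify_chain(lines[:1] + lines[2:], key, head))
    print("tail cut, no head check:", verify_chain(lines[:2], key))
```

Two caveats a practitioner would raise: the chain only proves integrity from the point where the key is applied, so the key must live with the receiving server and not on the monitored host (an attacker who already owns the source can write whatever raw record they like before it is forwarded); and a chain alone cannot detect records dropped from the end, which is why the final digest has to be recorded somewhere the collector cannot silently rewrite.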