Log Data and Use of UDP


majohnst
03-16-2009, 02:38 PM
For requirement 10 we are gathering log data to a centralized system for correlation and long-term storage. A majority of these log feeds are syslogs via UDP protocol. Is use of UDP an issue?

I've heard it argued that, as UDP does not perform a handshake to confirm receipt of a given message, it is too unreliable if we truly want to have the log data needed for forensic analysis should a breach occur. But I've also seen posts on the web that TCP is not much better (see http://blog.gerhards.net/2008/04/on-unreliability-of-plain-tcp-syslog.html for one such example).

I do not see use of TCP as a requirement, but what are others really using? If not UDP then what?

alphonze
03-17-2009, 12:32 AM
When it comes to forensic best-practices, the most important things to aim for are:

1) Using a standard approach. In this case (by way of example), that means it is far, far better to use ordinary syslog rather than anything third-party proprietary or home-grown *even* if that solution is more secure

2) Being consistent. Have procedures for forensic-related requirements, e.g. checking the log-server clock is accurate every day. Document them and use check-boxes to show they get done. Apply these across the board.

As long as you can meet these requirements, you should be okay forensically.

Regards
Al. (civilian forensic investigator and trainer for various UK police forces, 1999-2004).

jbhall56
03-17-2009, 12:46 PM
UDP is a stateless protocol. If the log data gets missed and you are using UDP to transmit the log data, you will never know you missed it.

One method of addressing your concern is to dedicate a VLAN to nothing but administration and logging and make its priority higher than your other VLANs but lower than your VoIP VLAN. That way you are less likely to suffer loss of data. Another option is to pick up log data in batch after hours. This approach doesn't lend itself to real-time analysis and may be unrealistic if you have too many servers or a tremendously large amount of log data, but still meets the requirements of the PCI DSS.

A lot of centralized logging solutions maintain the original log message data and then parse and stratify those log messages in a database. That way, if you ever need to go back to the original log entry, you have that option.
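An added example (not code from any poster in this thread) of the "keep the original, then parse and stratify" approach jbhall56 describes: an RFC 3164 syslog parser that splits the priority into facility and severity, pulls out timestamp, host, tag and PID, and writes each message to an SQLite table where the raw line is a NOT NULL column and the parsed fields are nullable. A line the parser cannot understand is still stored verbatim with `parsed = 0`, so nothing received is silently dropped at the parsing stage. The sample messages, host names and addresses are constructed for the example; the table layout and function names are my own choices, not those of any product.

```python
import re
import sqlite3

# Constructed sample lines, as a UDP syslog collector would receive them.
SAMPLE_MESSAGES = [
    "<34>Mar 16 14:38:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=22",
    "<86>Mar 16 14:38:02 app01 sshd[2231]: Accepted publickey for deploy from 10.0.0.7 port 51022",
    "<13>Mar 16 14:38:03 db01 cron[811]: (root) CMD (/usr/local/bin/backup.sh)",
    "not a syslog line at all",  # deliberately malformed: must still be retained
]

# RFC 3164 layout: <PRI>TIMESTAMP HOST TAG[PID]: MSG  (PID is optional)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_syslog(raw):
    """Parse one RFC 3164 message into a dict; the raw line is always kept."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return {"raw": raw, "parsed": False}
    pri = int(m.group("pri"))
    return {
        "raw": raw,
        "parsed": True,
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def open_store(path=":memory:"):
    """Create the table: raw text is mandatory, parsed fields are optional."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS syslog (
               id INTEGER PRIMARY KEY,
               raw TEXT NOT NULL,
               parsed INTEGER NOT NULL,
               facility INTEGER, severity INTEGER, timestamp TEXT,
               host TEXT, tag TEXT, pid INTEGER, msg TEXT)"""
    )
    return conn


def ingest(conn, lines):
    """Store every line, parsed or not; returns the number of rows written."""
    rows = []
    for line in lines:
        r = parse_syslog(line)
        rows.append((r["raw"], int(r["parsed"]), r.get("facility"),
                     r.get("severity"), r.get("timestamp"), r.get("host"),
                     r.get("tag"), r.get("pid"), r.get("msg")))
    conn.executemany(
        "INSERT INTO syslog (raw, parsed, facility, severity, timestamp, "
        "host, tag, pid, msg) VALUES (?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)


def messages_from_host(conn, host):
    """Go back to the original lines for one host, using the parsed index."""
    return [row[0] for row in
            conn.execute("SELECT raw FROM syslog WHERE host = ?", (host,))]


def unparsed_count(conn):
    """How many received lines the parser could not understand (kept verbatim)."""
    return conn.execute(
        "SELECT COUNT(*) FROM syslog WHERE parsed = 0").fetchone()[0]


if __name__ == "__main__":
    db = open_store()
    print("stored:", ingest(db, SAMPLE_MESSAGES))
    print("unparsed:", unparsed_count(db))
    for line in messages_from_host(db, "db01"):
        print("db01 raw:", line)
```

A real collector would feed `ingest()` from a UDP listener and a durable file instead of a list, but the design point is the same: the raw column is what you hand to an investigator, and the parsed columns only exist to find it quickly. Reporting on `unparsed_count()` is also a cheap check that a new device type or a format change has not started producing lines your parser quietly ignores.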