There are several items within the PCI DSS 1.1 spec that seem simple enough on the surface, but are extremely difficult once you dive into the implementation details. For example:
10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
I am finding this item difficult to truly get my hands around. I am fine with using a tool like Tripwire to md5sum the log file post log rotation. However, I can't figure out how to handle the logs that are actively being appended to. The premise of file integrity tools is to notify of changes to that file, regardless of whether it's an addition or subtraction. Continual appending of an active log file means that the file is constantly changing. If file integrity monitoring is configured not to alert on the new data being added, how can it alert on data being subtracted?
For instance, how does this protect against a rogue administrator going in and removing certain log entries from the active log to cover his tracks?
Short of spending extremely large sums of money on extravagant appliance solutions such as LogLogic, how are others addressing this requirement?
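One way to answer the "how can it alert on subtraction but not addition" question is to check a live log as an append-only file: record the size and the hash of everything seen so far, and on the next pass verify that the old prefix still hashes to the old digest before advancing the watermark. Any in-place edit, deletion or truncation of already-recorded bytes then alerts, while new lines past the watermark do not. The script below is an added example written for this thread, not code from the original post or from any of the products mentioned; the log lines and the temporary file path are constructed here for the walk-through, and `check_append_only` and `demo` are names chosen for the example.

```python
"""Append-only integrity check for a live log file (added example).

State per file is (size, sha256 of the first `size` bytes). A file that
only grows passes; one whose recorded prefix changes, or that shrinks,
raises an alert. Sample log lines below are constructed for the demo.
"""
import hashlib
import os
import tempfile

HASH_ALGO = "sha256"


def hash_prefix(path, length):
    """Hash the first `length` bytes of `path` in chunks."""
    h = hashlib.new(HASH_ALGO)
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def check_append_only(path, state):
    """Compare `path` with the recorded watermark in `state`.

    Returns (status, new_state):
      "ok"        - unchanged or grown; watermark advanced to the new size
      "truncated" - file is shorter than the recorded size
      "modified"  - bytes below the watermark no longer match the digest
    On an alert the old state is returned unchanged so it stays as evidence.
    """
    size = os.path.getsize(path)
    if state is None:  # first run: take a baseline
        return "ok", {"size": size, "digest": hash_prefix(path, size)}
    if size < state["size"]:
        return "truncated", state
    if hash_prefix(path, state["size"]) != state["digest"]:
        return "modified", state
    # Only appended data since last time: move the watermark forward.
    return "ok", {"size": size, "digest": hash_prefix(path, size)}


def demo():
    """Walk through the cases from the question on a constructed log."""
    # Constructed sample lines; not from any real system.
    lines = [
        b"Jan 10 10:00:01 host sshd[1]: Accepted publickey for alice\n",
        b"Jan 10 10:00:05 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash\n",
        b"Jan 10 10:00:09 host sshd[1]: session closed for alice\n",
    ]
    appended = b"Jan 10 10:01:00 host sshd[2]: Accepted publickey for bob\n"
    later = b"Jan 10 10:05:00 host cron[7]: (root) CMD (run-parts /etc/cron.hourly)\n"

    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    results = []
    try:
        with open(path, "wb") as f:
            f.write(b"".join(lines))
        status, state = check_append_only(path, None)
        results.append(status)  # baseline

        # Normal operation: the daemon appends a line -> no alert.
        with open(path, "ab") as f:
            f.write(appended)
        status, state = check_append_only(path, state)
        results.append(status)

        # Same-size edit of a recorded line (size unchanged, so a
        # size-only check would miss it) -> alert.
        with open(path, "wb") as f:
            f.write(lines[0] + lines[1].replace(b"/bin/bash", b"/bin/true")
                    + lines[2] + appended)
        status, state = check_append_only(path, state)
        results.append(status)

        # Delete the sudo line but let the file grow past the old
        # watermark with a longer new line -> still alerts.
        with open(path, "wb") as f:
            f.write(lines[0] + lines[2] + appended + later)
        status, state = check_append_only(path, state)
        results.append(status)

        # Wipe the log entirely -> alert.
        with open(path, "wb") as f:
            f.write(b"")
        status, state = check_append_only(path, state)
        results.append(status)
    finally:
        os.remove(path)
    return results


if __name__ == "__main__":
    print(demo())
```

The recorded state must live somewhere the local administrator cannot rewrite (a remote collector or a separately privileged account), otherwise a rogue admin simply edits the log and the watermark together; the check interval bounds how much of the log is still unprotected between passes, and a rotated file is closed, so it gets the ordinary full-file hash once rotation completes.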