There are many SIEM solutions (commercial and open source) running around that will meet the PCI requirements as long as they are properly implemented. It is that implementation process that is the trick. We find that if an organization was not doing a good job of log management and review before implementing the SIEM solution, the SIEM solution does not usually improve their log review and management processes. In order for any SIEM solution to be effective, an organization typically needs to start over on their log management and review processes so that they get the right processes put in place and the culture is focused on log management and review. However, what you will find is that open source solutions come with less functions/features out of the box. It is not that those capabilities cannot be added, but it is up to you and other users to come up with those features/functions by developing your own queries, scripts, reports, etc.
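As an added illustration of the last point (this is example code written for this page, not something from the post's author or from any SIEM product): an open-source deployment often leaves the daily review logic to you, so below is a small self-contained Python review script of the kind you end up writing. It runs three assumed review rules over constructed syslog-style lines embedded in the script (the line layout, the failure threshold, and the list of audit-tooling keywords are all assumptions for the example, not any product's format or defaults) and produces a plain-text summary a reviewer can sign off on.

```python
"""
Minimal daily log-review script of the kind an open-source SIEM deployment
typically has to write itself. The log format, thresholds and rules below are
assumptions for this example, not any real product's defaults.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a syslog-like layout; not taken from any real system.
SAMPLE_LOGS = """\
2024-03-01T02:14:05Z cde-app01 sshd[1021]: Failed password for root from 198.51.100.7 port 51022 ssh2
2024-03-01T02:14:09Z cde-app01 sshd[1021]: Failed password for root from 198.51.100.7 port 51030 ssh2
2024-03-01T02:14:13Z cde-app01 sshd[1021]: Failed password for root from 198.51.100.7 port 51044 ssh2
2024-03-01T02:14:20Z cde-app01 sshd[1021]: Accepted password for root from 198.51.100.7 port 51050 ssh2
2024-03-01T08:03:11Z cde-db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl stop auditd
2024-03-01T09:15:44Z cde-db01 sshd[2210]: Accepted publickey for bob from 10.0.5.12 port 40111 ssh2
2024-03-01T10:00:00Z cde-app02 sshd[3302]: Failed password for invalid user admin from 203.0.113.9 port 4444 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

# Assumed review rules; a real deployment tunes these to its own environment.
FAILED_THRESHOLD = 3                          # failures from one source before we flag it
AUDIT_TOOLING = ("auditd", "rsyslog", "/var/log")  # commands touching the audit trail


def parse_line(line):
    """Split one log line into timestamp, host, program and message; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["prog"] = rec["prog"].strip()
    return rec


def review_logs(text, failed_threshold=FAILED_THRESHOLD):
    """Apply the review rules to raw log text and return a list of finding dicts."""
    failures = defaultdict(list)   # source ip -> [(ts, host, user), ...]
    successes = defaultdict(list)  # source ip -> [(ts, host, user), ...]
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            # An unparseable line is itself a finding: a silent parser gap hides events.
            findings.append({"kind": "unparsed", "detail": raw})
            continue
        msg = rec["msg"]
        m = FAILED_RE.search(msg)
        if m:
            failures[m["ip"]].append((rec["ts"], rec["host"], m["user"]))
            continue
        m = ACCEPTED_RE.search(msg)
        if m:
            successes[m["ip"]].append((rec["ts"], rec["host"], m["user"]))
            if m["user"] == "root":
                # Rule 1: direct interactive root logins are always reviewed.
                findings.append({"kind": "root_login", "host": rec["host"],
                                 "ip": m["ip"], "ts": rec["ts"].isoformat()})
            continue
        m = SUDO_RE.match(msg) if rec["prog"] == "sudo" else None
        if m and any(tok in m["cmd"] for tok in AUDIT_TOOLING):
            # Rule 2: privileged commands that touch logging/audit tooling.
            findings.append({"kind": "audit_tampering", "host": rec["host"],
                             "user": m["user"], "cmd": m["cmd"], "ts": rec["ts"].isoformat()})
    # Rule 3: repeated failures from one source, escalated if a login then succeeded.
    for ip, events in failures.items():
        if len(events) >= failed_threshold:
            last_failure = max(ts for ts, _, _ in events)
            followed_by_success = any(ts >= last_failure for ts, _, _ in successes.get(ip, []))
            findings.append({"kind": "brute_force", "ip": ip, "attempts": len(events),
                             "users": sorted({u for _, _, u in events}),
                             "followed_by_success": followed_by_success})
    return findings


def render_report(findings):
    """Plain-text daily review summary suitable for sign-off by the reviewer."""
    lines = [f"Daily log review: {len(findings)} finding(s)"]
    for f in findings:
        extra = ", ".join(f"{k}={v}" for k, v in f.items() if k != "kind")
        lines.append(f"- [{f['kind']}] {extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(review_logs(SAMPLE_LOGS)))
```

The point of the structure is that the rules, the threshold and the report format are all in one place you own and can show an assessor, which is exactly the part an open-source stack will not hand you; feeding it real logs means replacing `SAMPLE_LOGS` with the day's exported events and adjusting `LINE_RE` to your collector's layout.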