The PCI SSC clarified today in the December 08 Assessor Newsletter that OS logging is suitable for file integrity monitoring (FIM):
This month the Council received several questions surrounding the use of file integrity monitoring from assessors evaluating applicability of Requirement 10.5.5 and 11.5.
[…]
There may also be native functionality to the operating system or smaller applications that could be considered, especially when commercial products are not available for the system. Let’s take the example of workstations. A merchant shouldn’t have to install commercial FIM on each and every one of their 10,000 workstations outside the cardholder data environment if the appropriate local logging and network monitoring are enabled.
A comment like “appropriate x and y are enabled” sounds good but really does not clarify much more than the existing text. We come right back to what is appropriate? On the other hand, when they say “merchant shouldn’t have to install commercial FIM on each and every…”, great clarity is achieved.