Security logs are a great source of information for incident response, forensics, and compliance purposes. However, log retention policies vary widely among organizations. Some keep logs indefinitely; others only retain them for a certain period of time. Logging practices can impact how much useful information is available after a compromise has occurred.
In general, the longer logs are retained, the better. But, there are several factors to consider when determining how long to keep logs. These include:
• What type of system is being monitored?
• Is the system mission-critical?
• Are there any legal requirements regarding retention of logs?
• Does the company have a policy regarding retention of logs? If so, does it match industry standards?
• How often do incidents occur?
• How many employees are affected by each incident?
• How many incidents are reported?
• How many hours per day are logs collected?
• How many days per week are logs collected?
It is important to understand the business needs before deciding on a retention policy. For example, if a company has a policy of retaining logs for 90 days, then it is reasonable to assume that 90 days is sufficient for the majority of situations. However, if a company has no retention policy, then it is possible that the logs could be lost forever.
Logs are one of the most valuable sources of information during an investigation. It is important to ensure that the right people have access to the logs and that they are stored securely. In addition, it is important to know how long logs need to be kept.
MicroSolved provides a number of services related to logging and monitoring. We can help you create logging policies and practices, as well as design log monitoring solutions. Drop us a line at firstname.lastname@example.org if you’d like to discuss logging and logging solutions.