Ask the Expert

Saving raw data from firewall logs

Is there a guideline for how long a company needs to retain the raw data firewall logs to preserve 'chain of custody'?

    Requires Free Membership to View

I have not seen such a guideline. One reason for retaining raw firewall logs is to preserve evidence that might later be used to prosecute a criminal intruder or otherwise to explain to a legal authority what threats a system was exposed to. For a typical enterprise, a two-year retention period would seem reasonable, provided the enterprise is unaware that the logged data might be necessary for any particular prosecution, investigation or dispute. However, I cannot state a hard two-year rule (and I never give specific legal advice in this column), because there could be exceptions. An exception might apply, for example, to an e-commerce financial institution that has a strong need to prove several years after the fact that its system was sound.
For more info on this topic, visit these SearchSecurity resources:
  • Ask the Expert: Examining firewall logs for evidence of intrusion
  • Ask the Expert: The difference between a two-tier and a three-tier firewall

    This was first published in September 2004

  • There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: