Manage

Best practices for log data retention

Figuring out how long to retain log data and how much log data should be kept in the event of incident response can be tricky to navigate. In this information security management expert response, David Mortman gives best practices for log data retention.

David Mortman, Dell

As a best practice, how long should an organization retain log data for the purpose of incidence response? I haven't been able to find any legal requirements. Is six months long enough? Are there are any industry guidelines we should use?

In some sense the correct answer is: Retain as much data as you can easily store and analyze in a reasonable amount of time when you need incident response/forensic analysis.

The reality is, as usual, more complex than that. In December 2006, the U.S. government changed the Federal Rules...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

of Evidence for electronic data, and these rules were picked up by most of the states as well. The most relevant of these changes was that not only do electronic files themselves fall under the scope of discovery, but also any and all meta data, which includes logs.

This means the company must ensure log data is properly maintained under a written document-retention policy and that it's clear which relevant files may correlate with the logs. This is important because during a civil litigation procedure, the organization must know which logs to produce for the lawyers and which logs not to destroy as part of the usual document destruction process.

This is just a long and fancy way to say you should talk to your organization's lawyers and make a decision about how long to retain logs on the basis of their advice.

For more information:

Learn how to estimate log generation rates with this expert advice.
Looking to review system event logs? Check out this tutorial on Splunk.

This was last published in March 2009

Dig Deeper on Data security technology and strategy

Red alerts: Inside Cisco's incident response best practices Incident response is often challenging, but Cisco's Sean Mason offers recommendations for doing IR effectively, from keeping internal logs longer to embracing tabletop exercises.

How do you enable centralized vCenter logging? Centralize vCenter log files with vRealize Log Insight. Configuration with vSphere is simple and enables the centralization and transmission of event and task logs.

How does an effective logging strategy improve data analysis? Logs and log analytics can produce vast amounts of information. Save time and use resources efficiently with an effective logging strategy that prioritizes relevant data.

What security log management best practices should my team follow? Security log management includes deciding what log data to retain and the length of time it should be stored. Expert Michael Cobb explains some challenges and best practices.

How to use the ELK stack log monitoring tool Open source log monitoring tools are a budget-friendly way for organizations to increase network visibility and improve incident response times.

Security Think Tank: Smart log monitoring and analysis key to security success How can log management be used to bolster information security and improve incident response without infringing user privacy?

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Please create a username to comment.

McAfee launches security tool Mvision Cloud for Containers

How to implement zero-trust cloud security

AWS Access Analyzer aims to limit S3 bucket exposures

Consider these 5 FAQs for network monitoring best practices

Cisco's Silicon One networking chip targets cloud data centers

7 factors to consider in network redundancy design

Transforming operations for successful cloud adoption

IT workforce skews younger, says analysis of US data

Top edge computing trends to watch in 2020

How to shut down and restart a remote computer

Setting up Windows 10 kiosk mode with 4 different methods

Microsoft extends Office 365 benefit to nonprofit volunteers

Evaluate general and niche cloud service use cases

Compare niche cloud services to the hyperscale offerings

Get started with Azure tags

IR35 private sector reforms: GSK gives contractors 'quit or go PAYE' ultimatum

Smart speakers gain volume as VoLTE set for 140% growth over next five years

Huawei counted in as Telefónica Deutschland lays out mid-term strategy

Dig Deeper on Data security technology and strategy

Related Q&A from David Mortman

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.