Retaining Logs – Legal and Policy Requirements

In most countries there are legal and policy requirements covering log retention. To comply with the leading audit standards, such as Sarbanes-Oxley, ISO-9000 and VISA CISP, a corporate policy is a necessity. One important element of this policy is the retention of critical system log archives: how these logs are stored and for how long they are retained. The standard you need to comply with determines how things like event logs and SQL logs must be stored and for how long.

To meet these requirements, a corporate policy covering log file archiving and retention is essential. Many companies adapt existing Syslog servers and store the data on these for whatever duration the policy specifies, while others copy the files onto centralized file servers or shares. The other main option is to move the logs onto some sort of backup disk or tape system for long-term storage. This option is often useful because it can be incorporated into a disaster recovery procedure or policy by moving the data off-site.

Whichever system is used, the basic concept is to centralize logs from various systems into a single storage system. One advantage of this is that it moves responsibility for the logs, and the data they contain, from the individual system owners onto a centralized system. This is much easier to manage and control: all the files fall under a central policy rather than individual application requirements, which often differ.

There are other benefits to the centralized storage model besides making policies easier to apply. A practical advantage is that you have a single point to analyse for information from all of a company's systems, and you can use analytical tools to parse and filter information from all the logs at once. For example, using Microsoft's free Log Parser tool you could gather all the system start-up events from every system in the environment.
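As an added example (not part of the original article), the batch file below uses Microsoft Log Parser 2.2 to collect start-up events from several systems in one pass, first from the live remote System logs and then from the .evt copies retained on a central share. The host names SERVER1..SERVER3, LOGSERVER, the archive share and the report paths are assumptions.

```bat
@echo off
REM Added example, not from the original article: gather Windows start-up and
REM shutdown events from every system into one CSV with Microsoft Log Parser 2.2.
REM In the System log, source "EventLog" Event ID 6005 ("The Event Log service was
REM started") is written at each boot; 6006 is a clean shutdown, 6008 an unexpected one.
REM SERVER1..SERVER3, LOGSERVER, the archive share and the report paths are assumptions.

REM 1) Live remote logs: the EVT input format addresses a remote log as \\HOST\LogName,
REM    so one query covers every host listed in the FROM clause.
LogParser.exe -i:EVT -o:CSV "SELECT ComputerName, TimeGenerated, EventID, Message INTO C:\Reports\startups-live.csv FROM \\SERVER1\System, \\SERVER2\System, \\SERVER3\System WHERE SourceName = 'EventLog' AND EventID IN (6005; 6006; 6008) ORDER BY ComputerName, TimeGenerated"

REM 2) Retained copies on the central share: the same query over the archived .evt files,
REM    so the evidence remains available for hosts that have since been rebuilt or retired.
LogParser.exe -i:EVT -o:CSV "SELECT ComputerName, TimeGenerated, EventID, Message INTO C:\Reports\startups-archive.csv FROM \\LOGSERVER\LogArchive\*.evt WHERE SourceName = 'EventLog' AND EventID IN (6005; 6006; 6008) ORDER BY ComputerName, TimeGenerated"

REM 3) Summary: boots per host per 30-day window (QUANTIZE rounds the timestamp down to
REM    2592000-second buckets), to spot machines that restart unusually often.
LogParser.exe -i:EVT -o:DATAGRID "SELECT ComputerName, QUANTIZE(TimeGenerated, 2592000) AS Period, COUNT(*) AS Boots FROM \\LOGSERVER\LogArchive\*.evt WHERE SourceName = 'EventLog' AND EventID = 6005 GROUP BY ComputerName, Period ORDER BY ComputerName, Period"
```

Reading the remote live logs requires an account with read access to each host's event log; the archive query needs only read access to the share, which is one reason the centralized copy is the more convenient place to run analysis.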

There is another important reason that audit standards enforce the retention of system logs, and that is non-repudiation. This means that the logs can serve as proof that a transaction or process happened and cannot be repudiated later. A simple example of this is the signing and transmission of a digital message: if the message is signed, the recipient cannot later deny having received it, and logs can be used to demonstrate this too.