- For troubleshooting issues.
- For investigating security incidents.
- For use in employee disciplinary procedures.
- As a formal corporate record.
- For use in a court of law.
In general, the handling requirements get more stringent as you go down that list, so let's take each scenario in turn and review how the logs should be managed:
For troubleshooting issues: Keep the logs for a couple of weeks, retaining them for longer only where a particular issue is still being looked at.
For investigating security incidents: Again, keep the logs for a short period (a month, say). The key problem to sort out, though, is consistent time stamping, so that logs from different devices can be matched up: synchronise every device's clock to a common time source (NTP) and either log in UTC or record each device's time zone, otherwise events from different systems cannot be put in a reliable order.
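As an added example of the time-stamping point (this is not code from the original article), the Python below takes log lines from three devices that log in different formats and time zones, corrects each for the device's zone and a measured clock skew, and only then orders them. The device names, log lines, zones and skew values are all constructed for illustration; the skew for a real device would come from its NTP offset or from comparing a known shared event.

```python
"""Normalise timestamps from several devices into UTC so their events line up.

Added example, not from the original article. The log lines, device zones and
clock offsets below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines: three devices, two timestamp conventions.
SAMPLE_LINES = [
    # syslog-style, no year, no zone: the sending host's local time
    ("fw01",  "Oct  5 14:03:17 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 DPT=22"),
    # ISO 8601 with an explicit offset
    ("web01", "2009-10-05T13:03:19+00:00 sshd[2211]: Failed password for root from 203.0.113.9"),
    # ISO 8601 with an explicit offset, host configured in another zone
    ("db01",  "2009-10-05T15:03:21+02:00 postgres: connection authorized: user=app"),
]

# Assumed per-device metadata (constructed): the zone the device logs in and its
# measured offset from the reference clock (positive = device clock runs fast).
DEVICE_INFO = {
    "fw01":  {"tz": timezone(timedelta(hours=1)), "skew": timedelta(seconds=3)},
    "web01": {"tz": timezone.utc,                 "skew": timedelta(0)},
    "db01":  {"tz": timezone(timedelta(hours=2)), "skew": timedelta(0)},
}

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
ISO_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) (?P<rest>.*)$")


def parse_line(device, line, year=2009):
    """Return (utc_datetime, message) for one log line, correcting for the
    device's local zone and measured clock skew. Raises ValueError when the
    timestamp is not recognised, so a bad line is not silently mis-ordered."""
    info = DEVICE_INFO[device]
    m = ISO_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m.group("ts"))   # aware; offset taken from the line
    else:
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError(f"{device}: unrecognised timestamp in {line!r}")
        # syslog lines carry neither year nor zone: the year is supplied by the
        # caller and the zone is the device's configured one
        naive = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ts = naive.replace(tzinfo=info["tz"])
    utc = ts.astimezone(timezone.utc) - info["skew"]
    return utc, m.group("rest")


def merge_timeline(lines):
    """Parse every (device, line) pair and return events sorted by true UTC time
    as (utc_datetime, device, message) tuples."""
    events = []
    for device, line in lines:
        utc, msg = parse_line(device, line)
        events.append((utc, device, msg))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for utc, device, msg in merge_timeline(SAMPLE_LINES):
        print(utc.isoformat(), device, msg)
```

Sorted on the raw timestamp strings, the web01 failed login would appear before the firewall drop; once the firewall's zone and three-second skew are corrected the drop at 13:03:14 UTC comes first, then the failed login, then the database connection, which is the ordering an investigator needs. The point of raising ValueError rather than guessing is that a line whose time cannot be established should be flagged, not quietly placed somewhere in the timeline.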
For use in employee disciplinary procedures: Keep the logs for about six months. The logs should be reasonably protected (e.g. access restricted to named individuals), archived off periodically and stored appropriately.
As a formal corporate record: Normal advice here is to keep the logs for six years. Again, the logs should be protected as above, archived off periodically and stored appropriately. The ability to read the archives should be checked regularly rather than assumed: an archive that cannot be restored, or whose contents cannot be shown to be unchanged, is of little value as a record.
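The following is an added example of the "archive it, protect it, and check it can still be read" requirement from the two scenarios above; it is not code from the original article. It compresses a log file, records SHA-256 digests of both the original and the compressed copy in a JSON manifest, and later re-reads the archive end to end and compares the digests. The temporary directory, the log line and the tampering step are constructed so the example runs offline.

```python
"""Archive a log file with a SHA-256 manifest and verify it reads back unchanged.

Added example, not from the original article. The log content and the
tampering in demo() are constructed so the example runs offline.
"""
import gzip
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

MANIFEST_SUFFIX = ".manifest.json"


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_log(src_path, archive_dir):
    """Compress src_path into archive_dir and write a manifest recording the
    digest and size of the original plus the digest of the compressed file.
    Returns the manifest path."""
    name = os.path.basename(src_path)
    gz_path = os.path.join(archive_dir, name + ".gz")
    with open(src_path, "rb") as fin, gzip.open(gz_path, "wb") as fout:
        for chunk in iter(lambda: fin.read(1 << 16), b""):
            fout.write(chunk)
    manifest = {
        "source": name,
        "archived_at": datetime.now(timezone.utc).isoformat(),
        "size_plain": os.path.getsize(src_path),
        "sha256_plain": sha256_file(src_path),
        "sha256_gz": sha256_file(gz_path),
    }
    manifest_path = gz_path + MANIFEST_SUFFIX
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest_path


def verify_archive(manifest_path):
    """Re-read the archive and check it against its manifest.
    Returns (ok, reason); every failure names what went wrong."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    gz_path = manifest_path[: -len(MANIFEST_SUFFIX)]
    if not os.path.exists(gz_path):
        return False, "archive file missing"
    if sha256_file(gz_path) != manifest["sha256_gz"]:
        return False, "compressed file digest mismatch"
    # Decompress the whole thing: this is the "can we still read it" check.
    h = hashlib.sha256()
    size = 0
    try:
        with gzip.open(gz_path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
                size += len(chunk)
    except (OSError, EOFError) as e:
        return False, f"archive unreadable: {e}"
    if size != manifest["size_plain"] or h.hexdigest() != manifest["sha256_plain"]:
        return False, "decompressed content digest mismatch"
    return True, "ok"


def demo():
    """Archive a constructed log, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "auth.log")
        with open(src, "w") as f:
            f.write("Oct  5 13:03:19 web01 sshd[2211]: Failed password for root\n")
        manifest_path = archive_log(src, d)
        before = verify_archive(manifest_path)
        # Constructed tampering: append a second gzip member to the archive.
        with gzip.open(manifest_path[: -len(MANIFEST_SUFFIX)], "ab") as f:
            f.write(b"Oct  5 13:04:00 web01 sshd[2211]: session opened for root\n")
        after = verify_archive(manifest_path)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Two caveats on using this for real. The manifest is only as trustworthy as where it is kept: stored next to the archive, as demo() does, it can be rewritten by whoever rewrites the archive, so keep it on separate or write-once media, or sign it. And the verification step should be scheduled, not run once at archive time; the six-year scenario is exactly the one where the tape drive or the compression tool has changed by the time anyone needs the data.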
For use in a court of law: You need to meet the evidential requirements. This can be done physically and procedurally, but it ends up with computers being bagged and tagged, hard disks being imaged, and so on. Any computer system that needs to routinely maintain records to this standard of evidence really needs the right mechanisms and controls designed in from the start.
This was first published in October 2009