How to manage logs

Neil O'Connor reviews when you should be hanging on to your network logs.

How do logs need to be handled? Do I need to retain them? Do I need to be able to prove their integrity? Do you have any advice for the best way to go about it?
With the handling of logs, it is important to understand why you are keeping them. Some examples might be:

  1. For troubleshooting issues.
  2. For investigating security incidents.
  3. For use in employee disciplinary procedures.
  4. As a formal corporate record.
  5. For use in a court of law.

In general, the handling requirements get more stringent as you go down the above list. So, let's go through the list and review how to manage logs in these scenarios:

For troubleshooting issues: Keep the logs for a couple of weeks, retaining logs if there are particular issues to look at.

For investigating security incidents: Again, keep the logs for a short period (say, a month). A key problem to sort out, though, is consistent time stamping, so that logs from different devices can be matched up against each other.

For use in employee disciplinary procedures: Keep the logs for about six months. The logs should be reasonably protected (e.g. only certain persons being allowed access), archived off periodically and stored appropriately.

As a formal corporate record: Normal advice here is to keep the logs for six years. Again, logs should be reasonably protected as above, archived off periodically and stored appropriately. The ability to read the archives should be checked.

For use in a court of law: You need to meet the evidential requirements. This can be done physically and procedurally, but it typically ends with your computers bagged up and tagged, hard disks imaged, and so on. Any computer system that needs to routinely maintain records to this level of evidence really needs the right mechanisms and controls designed in from the start.
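Two of the practical points above, consistent time stamping across devices and protecting archived logs so that their integrity can later be checked, can be illustrated in a few lines. The following is an added example, not part of the original column; the device names, clock offsets and log lines are constructed, and the SHA-256 digest stands in for whatever integrity mechanism your archive process actually uses.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: three devices recording the same user activity, each
# stamping events in its own local time zone. Without normalisation the
# proxy and domain-controller entries would not line up with the firewall.
RAW_LOGS = [
    ("firewall", "2024-03-01T09:00:05+00:00", "accept tcp 10.0.0.5 -> 203.0.113.9:443"),
    ("proxy",    "2024-03-01T10:00:07+01:00", "GET https://example.test/ user=alice"),
    ("ad-dc",    "2024-03-01T04:00:02-05:00", "logon success user=alice"),
]


def normalise(raw):
    """Convert every device's timestamp to UTC and order events chronologically."""
    entries = []
    for device, ts, msg in raw:
        utc = datetime.fromisoformat(ts).astimezone(timezone.utc)
        entries.append({"device": device, "ts_utc": utc.isoformat(), "msg": msg})
    return sorted(entries, key=lambda e: e["ts_utc"])


def archive(entries):
    """Serialise the normalised log canonically and return (bytes, digest).

    The digest is stored separately from the archive (e.g. with restricted
    access) so that later readers can prove the archive has not been altered.
    """
    payload = "\n".join(json.dumps(e, sort_keys=True) for e in entries).encode()
    return payload, hashlib.sha256(payload).hexdigest()


def verify(payload, expected_digest):
    """Periodic check: the archive is both unmodified and still readable."""
    if hashlib.sha256(payload).hexdigest() != expected_digest:
        return False  # integrity failure: bytes differ from what was archived
    try:
        entries = [json.loads(line) for line in payload.decode().splitlines()]
    except (UnicodeDecodeError, json.JSONDecodeError):
        return False  # readability failure: archive format no longer parses
    return all({"device", "ts_utc", "msg"} <= set(e) for e in entries)


if __name__ == "__main__":
    payload, digest = archive(normalise(RAW_LOGS))
    print(payload.decode())
    print("sha256:", digest, "verified:", verify(payload, digest))
```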

On top of all that, if your logs contain personal information, you'll need to consider both Data Protection Act issues and European Human Rights Act privacy requirements.
