
Firewall logging

GT-Rob Member Posts: 1,090
Hey guys, having a discussion at work and wanted to get feedback from others out there.


How long do you keep/archive things like firewall logs? Right now we keep them until they are full and purge them as needed, which usually gives us about 4-6 months' worth. We are increasing the capacity by quite a bit soon, and I recommended we archive a year's worth (there is more than enough room on the logging server now). This was shot down, and the powers that be say there is no need for anything older than a month.



What is the general practice out there? We are not a financial institution, but I am going to go with the idea that the industry shouldn't matter.

In the case where space is no issue, how long do you keep logs for?

Comments

    Ahriakin Member Posts: 1,799
    I'd say a 30-day minimum for raw logs, but if you don't already use one then look at also logging to a SIEM with longer retention for correlated possible offenses. E.g. hold intelligently identified higher-priority data for up to a year. I think there is a need for longer retention, but be smart about it (and a good SIEM does a lot of that work for you, as well as being more proactive too).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
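The tiered policy described in the comment above (keep every raw line for 30 days, keep correlated "offense" data for up to a year) is easy to state but worth seeing as logic. The following is an added worked example, not code from this thread or from any SIEM product: it parses a constructed, iptables-style log format (the regex, the thresholds, the sample lines and the `2024-05-01` reference date are all hypothetical), flags a source that is denied on five or more distinct ports inside a five-minute window as a port-scan offense, and then decides per stored line whether it stays in the raw tier, the offense tier, or is purged.

```python
"""Tiered firewall log retention: 30 days of raw lines, a year for correlated offenses.

Added example (not code from the thread). Log format, thresholds and sample lines
are constructed/hypothetical; adapt LINE_RE to your firewall's syslog format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RAW_RETENTION = timedelta(days=30)       # every raw line, as suggested in the thread
OFFENSE_RETENTION = timedelta(days=365)  # correlated, higher-priority data
SCAN_THRESHOLD = 5                       # distinct denied ports from one source ...
SCAN_WINDOW = timedelta(minutes=5)       # ... within this window => port-scan offense

# Hypothetical iptables-style line format; real firewalls differ.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DENY) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    src: str
    dst: str
    dpt: int
    raw: str


@dataclass(frozen=True)
class Offense:
    src: str
    first_seen: datetime
    last_seen: datetime
    ports: tuple[int, ...]


def parse_line(line: str) -> Event | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["action"], m["src"],
                 m["dst"], int(m["dpt"]), line.strip())


def correlate(events: list[Event]) -> list[Offense]:
    """Flag each source denied on >= SCAN_THRESHOLD distinct ports within SCAN_WINDOW."""
    denies: dict[str, list[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "DENY":
            denies[ev.src].append(ev)
    offenses = []
    for src, evs in denies.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > SCAN_WINDOW:  # slide the window forward
                start += 1
            ports = {e.dpt for e in evs[start:end + 1]}
            if len(ports) >= SCAN_THRESHOLD:
                offenses.append(Offense(src, evs[0].ts, evs[-1].ts,
                                        tuple(sorted({e.dpt for e in evs}))))
                break  # one offense record per source is enough for retention
    return offenses


def retention_tier(ev: Event, offenses: list[Offense], now: datetime) -> str:
    """Decide whether a stored event is kept as 'raw', kept as 'offense', or purged."""
    age = now - ev.ts
    if age <= RAW_RETENTION:
        return "raw"
    related = any(o.src == ev.src and o.first_seen <= ev.ts <= o.last_seen
                  for o in offenses)
    if related and age <= OFFENSE_RETENTION:
        return "offense"
    return "purge"


def apply_retention(lines: list[str], now: datetime) -> dict[str, list[str]]:
    """Bucket raw lines into the tier the policy assigns them at time `now`."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    offenses = correlate(events)
    buckets: dict[str, list[str]] = {"raw": [], "offense": [], "purge": []}
    for ev in events:
        buckets[retention_tier(ev, offenses, now)].append(ev.raw)
    return buckets


# Constructed sample: a five-port sweep from 10.0.0.5, normal traffic, one stray deny,
# one recent line, and one line that does not parse.
SAMPLE_LINES = [
    "2024-03-01T02:00:00 DENY SRC=10.0.0.5 DST=192.0.2.10 DPT=22",
    "2024-03-01T02:00:30 DENY SRC=10.0.0.5 DST=192.0.2.10 DPT=23",
    "2024-03-01T02:01:00 DENY SRC=10.0.0.5 DST=192.0.2.10 DPT=80",
    "2024-03-01T02:01:30 DENY SRC=10.0.0.5 DST=192.0.2.10 DPT=443",
    "2024-03-01T02:02:00 DENY SRC=10.0.0.5 DST=192.0.2.10 DPT=3389",
    "2024-03-01T09:15:00 ACCEPT SRC=192.0.2.20 DST=192.0.2.10 DPT=443",
    "2024-03-02T11:00:00 DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=445",
    "2024-04-20T08:00:00 ACCEPT SRC=192.0.2.21 DST=192.0.2.10 DPT=22",
    "this line is not in the expected format",
]
DEMO_NOW = datetime(2024, 5, 1)  # hypothetical "today" for the retention run

if __name__ == "__main__":
    for tier, kept in apply_retention(SAMPLE_LINES, DEMO_NOW).items():
        print(f"{tier}: {len(kept)} line(s)")
```

Run against the sample with a reference date of 2024-05-01, the scan lines from 10.0.0.5 are two months old, so they have left the 30-day raw tier but survive in the offense tier; the single stray deny and the accepted connection from the same day are purged; the 2024-04-20 line is still raw. The point of the design is the one the comment makes: retention is a property of what a line was correlated into, not just of its age, so the expensive year-long tier only holds what a rule found worth keeping.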