Log Retention & Storage Requirements Best Practices
Background
Most network capable technology has the ability to generate logs of activity, sometimes referred to as ‘system logs (syslog)’ or ‘logfiles.’ These logs may be used for a variety of purposes, including troubleshooting technology problems, detecting unauthorized access or usage, fulfilling audit or other compliance requirements, etc. The logs may be created by an operating system, an application, a service, a networking device, or other technology.
Log Types
Operating systems, applications and other technology may generate many types of logs. The following are some common types of operating system logs.
Authentication/Access logs contain a record of attempts to login to a system. Log entries typically contain the username of the account and whether the login was successful or failed.
Connection logs contain information for traffic captured by the firewall and routing and switching devices.
System logs contain information related to events that occur while an operating system is running. Log entries may contain information about system startup and shutdown, changes to system hardware, updates to system software, and suspected malware detected on the machine, etc.
Service logs contain information related to systems that provide a basic service to other technology, or that monitor a specific type of information collected from other systems. Examples of service logs include UPS service availability via SNMP logging and Edge routing service availability
Security Event and Incident Management (SEIM)
The KCTCS Information Security Team maintains the use of Elastic SIEM to analyze and respond to security events and incidents. All enterprise network devices current and new should be set to receive logs and configured to forward to the SEIM for analysis. In addition, software that provides access to KCTCS resources that requires KCTCS authentication should forward access logs to the SIEM for further analysis.
Storage Requirements:
Data is to be encrypted at rest as well as obfuscated before log retrieval is made possible to ensure the standard level of security has been met.
Log Type Classification
Log Type |
Minimum Retention |
Maximum Retention |
Forward to SEIM? |
Authentication/Access (Cisco device(s), Enterprise Application logs) |
none |
90 days |
Yes |
Connection (Firewall logs, Wireless logs, etc) |
14 days |
Firewall = 30 Wireless=90 |
Yes |
System (Fleet agent logs (includes Windows authentication logs), defender/CAS logs, etc) |
14 |
Fleet: 30 defender/CAS: indefinite |
Yes |
Service (SNMP Logging (UPS), Edge Routing) |
none |
90 |
Yes |
Last updated: 5/25/2022