Log Retention for Incident Response: What to Keep and for How Long

September 19, 2024

When an incident occurs and forensic investigation begins, one question comes up faster than almost any other: where are the logs? The answer, in a large proportion of the engagements we respond to, is some version of "we have some of them." The rest were rotated out under default retention settings that nobody reviewed, or were never collected from a source that turned out to be critical to the investigation.

Log retention is one of those security controls that feels administrative until it matters, and then it matters enormously. The evidence needed to answer fundamental questions about a breach, including how the attacker got in, what systems they accessed, what data they exfiltrated, and how long they were present, is almost entirely dependent on having the right logs retained for long enough. Getting this right requires deliberate decisions about which sources to collect, how long to keep them, and where to store them.

Which Log Sources Matter Most for Incident Response

Not all logs contribute equally to incident investigations. The sources that most frequently determine the outcome of a forensic investigation are authentication and identity logs, endpoint detection and activity logs, network flow logs, email gateway logs, and cloud platform audit logs. Each of these answers different investigation questions, and losing any of them creates specific blind spots.

Authentication logs show who logged in, from where, at what time, and whether the attempt succeeded or failed. These are foundational for investigating account compromise and lateral movement. Endpoint logs, including process execution history and file access events, answer questions about what ran on a system and what files were touched. Network flow logs allow investigators to establish communication patterns, identify command-and-control traffic, and scope data exfiltration. Email logs are critical in phishing-origin investigations. Cloud audit logs are the primary evidence source for any incident involving cloud-hosted infrastructure or services.

Recommended Retention Periods by Source

Retention requirements vary by source based on how those logs are used in investigations and how long after compromise detection typically occurs. In our experience, the gap between initial compromise and detection in Australian organisations is frequently measured in weeks, not days. Retention that is too short to cover that gap eliminates evidence before the investigation starts.

The following retention periods represent a practical baseline:

  • Authentication and identity logs: 12 months minimum, 24 months preferred
  • Endpoint detection and activity logs: 90 days minimum, 6 months preferred
  • Network flow logs: 90 days minimum; 6 months for critical segments
  • Firewall and proxy logs: 90 days minimum
  • Email gateway logs including message metadata and delivery records: 12 months
  • Cloud platform audit logs: 12 months minimum, longer for regulated environments
  • DNS query logs: 90 days minimum
  • Application and web server access logs: 90 days minimum

Regulatory requirements may impose different minimums. Organisations subject to the Australian Privacy Act, the Prudential Standard CPS 234, or health sector obligations should confirm that their retention settings satisfy those requirements before setting general policy.

Centralisation and Integrity

Retention periods are only useful if logs are actually preserved and can be searched efficiently during an incident. Logs held only on the originating system create two problems: if that system is compromised, the logs may be tampered with or destroyed; and during an investigation, retrieving logs from dozens of separate systems is slow and error-prone. Centralised log collection into a security information and event management platform, or at minimum into a secured log repository, addresses both problems.

Log integrity is a separate consideration. Logs that can be modified by an attacker who has gained administrative access to the logging system are not reliable forensic evidence. Forwarding logs to an immutable or write-once store, and doing so in near real-time rather than in batches, significantly improves their forensic value. We have encountered investigations where the originating system logs had been cleared but the forwarded copy in a central repository remained intact. That copy was the entire evidentiary basis for the investigation.

Operationalising Your Log Retention Strategy

A log retention policy that exists only as a document is not a log retention strategy. Making it operational requires confirming that all relevant sources are actually forwarding to the central repository, that retention settings in the repository match policy, and that the storage capacity exists to support those settings without truncation. These should be verified periodically, not assumed.

In environments where storage cost is a constraint, tiered retention offers a practical compromise: keep high-fidelity logs for 90 days in hot storage for rapid access, then archive to lower-cost storage for the remainder of the retention period. Modern log platforms support this natively. The cost of extended retention in tiered storage is modest compared to the cost of an investigation constrained by missing evidence.

Cyberlinx helps organisations design and implement log retention frameworks that meet both regulatory and forensic investigation requirements. To discuss your current logging posture, contact us at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
DFIR
Written by
Shahbaz Rasheed
Managing Director
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?