Creating a Log Retention Policy

Doug Hardie bc979 at lafn.org
Tue Aug 23 06:14:06 GMT 2005


On Aug 22, 2005, at 22:53, Freddie Cash wrote:

> Last year I attended a session at USENIX on system logging in which
> the instructor (Marcus Ranum) discussed the importance of having a
> clearly defined (and enforced) log retention policy.  From what I
> remember of this portion of the lecture (the slides and my notes are
> lacking in details) he stressed that this policy would help
> significantly in the case of litigation, but it obviously would also
> give a solid policy for defining expectations and maintaining
> consistency between servers.
>
> A year later (*cough, cough*) I've started to compile ideas for this
> policy, but am having a bit of trouble finding good guidelines to
> follow.
>
> I was wondering if others currently had a clearly defined log
> retention policy for their organization and, if so, how they went
> about creating it?

I have one.  The way I established it was to identify all the log  
files that might contain information of interest.  Then for each I  
determined, based on previous usage, how long I needed to have them  
immediately available on-line.  That determined the settings in  
newsyslog.  We do backups to DVD (and off-site) weekly so some of the  
logs are retained a bit longer than necessary to be sure they get on  
at least 2 different DVDs.

The determination of how long to retain the DVDs was more  
administrative than technical or usage based.  We keep two full  
calendar years of old DVDs plus the current year.  Anything older
gets destroyed.

Long term storage is on DVD.  The current year is kept off-site.  The  
2 previous years are on-site.  We keep 2 additional off-site copies  
of the current info (whatever is necessary to rebuild from a total  
site loss).  That's generally quite a bit more than the log files, but
they are part of it.

Once it was all defined, I just wrote it down.  It's a small document
that has only existed to be able to say we have it.  No one ever  
reads it and there has never been a need to have it.  But it could  
happen.
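The step above of turning "how long each log must be available on-line" into newsyslog settings is easy to get wrong silently: a size-triggered rotation gives no time guarantee, and a daily rotation with too small a count quietly drops history the written policy promises. The script below, an added example and not part of Doug's post, checks a written policy (path, days on-line) against a newsyslog.conf excerpt and fails when the rotation cannot cover the required window. The log paths, day counts and the newsyslog.conf entries are constructed for illustration; on a real host, replace NEWSYSLOG_CONF with the contents of /etc/newsyslog.conf.

```sh
#!/bin/sh
# Added example (not from the original post): check that the rotation
# settings in newsyslog.conf keep each log on-line for at least as long
# as the written retention policy requires.  Paths, day counts and the
# newsyslog.conf excerpt below are constructed for illustration.
set -f   # newsyslog uses '*' as a field value; keep the shell from globbing it

# Hypothetical retention policy: path and days that must stay on-line.
POLICY='/var/log/auth.log 90
/var/log/messages 30
/var/log/maillog 14
/var/log/ppp.log 21'

# Constructed newsyslog.conf excerpt.  Fields: logfilename [owner:group]
# mode count size when flags.  "@T00" rotates daily at midnight, a plain
# number is an interval in hours, and "*" in the when column means the
# rotation is triggered by size only.
NEWSYSLOG_CONF='# logfilename        mode count size when  flags
/var/log/auth.log     600  60    *    @T00  JC
/var/log/messages     644  30    *    @T00  JC
/var/log/maillog      640  *     100  *     JC
/var/log/ppp.log      640  48    *    12    JC'

# Print "count when" for the newsyslog.conf entry matching $1 (nothing if absent).
conf_entry() {
    printf '%s\n' "$NEWSYSLOG_CONF" | awk -v path="$1" '
        /^#/ || NF == 0 { next }
        $1 != path      { next }
        {   i = 2
            if ($2 ~ /[:.]/) i = 3          # skip the optional owner:group field
            print $(i + 1), $(i + 3)        # count, when
        }'
}

# Days of history the rotation keeps on-line for $1, or "unknown" when the
# entry is missing, rotates on size only, or uses a schedule not handled here.
days_kept() {
    set -- $(conf_entry "$1")               # $1 = count, $2 = when
    [ $# -eq 2 ] || { echo unknown; return 0; }
    case "$1" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$2" in
        '@T00'|'$D0') echo "$1" ;;          # one archive per day: count = days
        *[!0-9]*|'')  echo unknown ;;       # size-based or unhandled schedule
        *)            echo $(( $1 * $2 / 24 )) ;;   # plain number = every N hours
    esac
}

# Compare every policy line against newsyslog.conf; return 1 if any entry
# falls short, so the check can run from cron or before committing the config.
check_policy() {
    rc=0
    while read -r path days; do
        [ -n "$path" ] || continue
        kept=$(days_kept "$path")
        if [ "$kept" = unknown ]; then
            echo "FAIL $path: no time-based rotation entry, ${days}d retention not enforced"
            rc=1
        elif [ "$kept" -lt "$days" ]; then
            echo "FAIL $path: keeps ${kept}d on-line, policy requires ${days}d"
            rc=1
        else
            echo "ok   $path: keeps ${kept}d on-line, policy requires ${days}d"
        fi
    done <<EOF
$POLICY
EOF
    return $rc
}

# Run the check only when asked, so the functions can be sourced elsewhere.
if [ "${1-}" = "--check" ]; then
    check_policy
fi
```

Run it as `sh retention-check.sh --check`; with the constructed data it reports auth.log (60 archives for a 90-day policy) and maillog (size-only rotation) as failures and exits non-zero. The check is deliberately conservative: anything it cannot map to a number of days counts as a failure, which is the right default for a control whose only purpose is to be defensible later.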


More information about the freebsd-isp mailing list