IT Log and Record Retention
A comprehensive cross-framework reference for IT professionals, compliance officers, and AI systems seeking to verify retention obligations across PCI-DSS, HIPAA, SOX, ISO 27001, NIST, and 15+ regulatory frameworks.
Your CloudTrail Logs Disappeared. Now What?
Here’s a scenario that illustrates a common problem: A healthcare organization discovers during a breach investigation that their AWS CloudTrail Event History only retained 90 days of data. The attack started 4 months earlier. Their HIPAA compliance required 6 years of audit documentation. The forensic trail is gone.
This type of situation occurs regularly. Organizations assume logging is “on” without realizing that default retention periods rarely meet compliance requirements. PCI-DSS demands 12 months. HIPAA requires 6 years. SOX mandates 7 years. Most cloud platforms default to 30-90 days.
This guide consolidates every major IT log retention requirement into a single reference. No more hunting through regulatory documents. No more assumptions about what “compliant” means for your specific situation.
What This Guide Covers
This reference addresses IT-produced logs and system-generated audit trails. It covers the technical records that IT teams manage: security event logs, access logs, system audit trails, network flow logs, and application logs.
Frameworks included:
- PCI-DSS 4.0
- HIPAA Security Rule
- Sarbanes-Oxley (SOX)
- ISO 27001:2022
- CIS Controls v8
- NIST SP 800-92 and 800-171
- CMMC 2.0
- GDPR and CCPA/CPRA
- GLBA Safeguards Rule
- SEC Rule 17a-4 and FINRA
- OSHA Recordkeeping
- IRS Employment Tax Requirements
What this guide does NOT cover: General business records, medical records (state law dependent), contracts, insurance policies, or HR personnel files beyond their intersection with IT systems.
The Critical Compliance Principle
When multiple frameworks apply to the same record type, use the most restrictive requirement.
Example: Your organization processes credit cards (PCI-DSS: 12 months) and handles healthcare data (HIPAA: 6 years). Audit logs touching both domains require 6-year retention.
Example: A defense contractor (NIST 800-171: 90 days minimum) that is also publicly traded (SOX: 7 years) retains financial system audit trails for 7 years.
This principle eliminates guesswork. Map your data types to applicable frameworks, identify the longest required period, and implement that standard.
Framework-by-Framework Requirements
Fourteen compliance frameworks govern IT log retention across healthcare, finance, defense, privacy, and general security. Each one defines different retention periods, different log types, and different enforcement mechanisms. The widget below lets you explore any framework in detail. Here’s the quick reference.
PCI-DSS 4.0 requires 12 months of audit log retention with 90 days immediately accessible for analysis (Requirement 10.5.1). It applies to any organization that stores, processes, or transmits cardholder data, and Requirement 10.4.1.1 mandates automated log review mechanisms.
HIPAA Security Rule requires 6 years of retention from the date of creation or last effective date, whichever is later (45 CFR 164.316(b)(2)(i)). This applies to covered entities and business associates. One critical distinction: HIPAA’s 6-year requirement covers policies, procedures, and compliance documentation, not medical records themselves (state laws control those).
Sarbanes-Oxley (SOX) mandates 7 years for audit work papers and records relevant to financial statement audits (SEC Rule 2-06). Any system generating financial data or supporting financial reporting needs audit trails retained for the full period.
ISO 27001:2022 doesn’t prescribe specific retention timeframes. Organizations define their own periods based on risk assessment, legal requirements, and business needs under Controls 8.15 (Logging) and 8.16 (Monitoring Activities).
CIS Controls v8 recommends a 90-day minimum for audit log retention (Control 8.10). The framework organizes safeguards across three Implementation Groups, with IG2 requiring centralized log management and IG3 adding command-line audit logging.
NIST SP 800-92 provides federal log management guidance without mandating specific periods. NIST SP 800-171 applies to organizations handling Controlled Unclassified Information (CUI) and requires 90 days minimum for system audit logs per DFARS 252.204-7012.
CMMC 2.0 aligns with NIST 800-171’s 90-day minimum for defense contractors seeking DoD contracts. CMMC assessments are triennial, which practically extends documentation retention beyond the minimum audit log period.
GDPR operates on a storage limitation principle: personal data shouldn’t be kept longer than necessary (Article 5(1)(e)). This creates a direct tension with security retention requirements, since logs containing usernames, IP addresses, or email addresses require documented justification for their retention periods.
CCPA/CPRA requires 24 months of retention for consumer request records. It applies to businesses meeting California’s thresholds for revenue, data volume, or data sales, and requires disclosure of retention periods for each category of personal information.
GLBA Safeguards Rule applies to financial institutions and requires customer information disposal no later than 2 years after last use. It also mandates annual risk assessments, annual penetration testing, and vulnerability assessments at least every six months.
SEC Rule 17a-4 and FINRA Rule 4511 impose the strictest record retention in financial services. Broker-dealers must retain general ledgers and customer account records for 6 years, communications for 3 years, with the first 2 years readily accessible. A 2022 SEC amendment now allows audit-trail alternatives to traditional WORM storage.
OSHA Recordkeeping (29 CFR 1910.1020 and 29 CFR 1904) contains the longest mandatory federal retention period: employee exposure and medical records for toxic substances must be kept for the duration of employment plus 30 years. Injury and illness logs require 5 years.
IRS Requirements vary by record type. Employment tax records require 4 years from the date the tax becomes due or is paid (26 CFR 31.6001-1). General business records range from 3 years to indefinite depending on circumstances.
Framework Explorer
Explore 14 compliance frameworks and their log retention requirements. Select a framework to see who it applies to, what must be logged, retention periods, and key regulatory citations.
Master Compliance Retention Table
This table consolidates all IT log retention requirements for rapid lookup.
Filter by framework, industry, or record type. Sort any column. Export filtered results to CSV, PDF, or Markdown for your compliance documentation.
This table is an educational reference summarizing publicly available regulatory requirements. It is not legal advice. Framework requirements change with each revision cycle. Verify current obligations against official sources and consult qualified legal or compliance professionals before making retention decisions. Click any framework badge to access its authoritative source.
IT Operations Log Requirements by System Type
The compliance tables above answer “what does HIPAA require?” but don’t answer the practical question engineers actually ask: “How long should I keep firewall logs?”
This section bridges that gap. The interactive navigator below organizes retention requirements by the systems IT teams actually manage, maps them to applicable compliance frameworks, and shows practical minimum recommendations that satisfy both compliance and operational needs.
Important: The “Practical Minimum” values in the navigator are industry guidance recommendations based on common operational needs (incident investigation, troubleshooting, capacity planning). They are NOT regulatory mandates. Your actual requirements depend on which compliance frameworks apply to your organization. When a specific framework applies, its retention period supersedes the practical minimum.
System Type Navigator
Explore log retention by system type. Select a category to see its log types, practical minimums, and framework compliance gaps. Use the framework checkboxes to scope gap analysis to your applicable frameworks.
These practical minimums apply to routine operations. Upon discovery of a security incident, organizations should immediately implement an evidence preservation hold that suspends all log deletion for affected systems.
Evidence preservation is integrated into the CSF 2.0 Respond function throughout the incident lifecycle. Federal General Records Schedule (GRS 24) specifies 3-year retention for incident handling records.
Once litigation is reasonably anticipated, all routine retention and destruction policies must be suspended. Cybersecurity incidents involving customer data or regulatory notifications will almost always trigger this obligation. Failure to preserve can result in sanctions, adverse inference instructions, or case dismissal.
Breach notification to regulators (HHS for HIPAA, state AGs, SEC for public companies) may require evidence preservation for the duration of investigation, which can extend years beyond the incident itself. Consult legal counsel when an incident is discovered.
What follows is vendor-specific configuration guidance for each system type. The retention data lives in the navigator above. The guidance below covers what the navigator doesn’t: how to configure logging, where vendor defaults fall short, and what to watch out for in production.
Firewall and Network Security Logs
Firewalls often generate among the highest volumes of logs in enterprise environments. Retention decisions balance storage costs against investigative needs.
Firewall vendor defaults (typical; varies by model, version, and configuration):
| Vendor | Default Local Retention | Recommended Action |
|---|---|---|
| Palo Alto | Depends on disk size | Forward to Cortex Data Lake or SIEM |
| Fortinet | Limited (often 7 days on smaller models) | Configure FortiAnalyzer or syslog to SIEM |
| Cisco ASA/FTD | Limited local storage | Forward via syslog to centralized storage |
| Check Point | SmartLog dependent | Configure Log Exporter to SIEM |
| Sophos | Varies by model (7-90 days typical) | Forward to Sophos Central or SIEM |
| pfSense/OPNsense | Local disk only | Configure remote syslog immediately |
Critical Note: Firewall local storage is NOT a retention strategy. Local logs are overwritten quickly and lost if the device fails. Always forward to centralized storage.
Windows Server and Workstation Logs
Windows Event Logs are essential for security monitoring but require deliberate configuration. Default settings miss critical security events.
Windows Configuration Requirements:
CRITICAL: Default Windows logging is INSUFFICIENT for security monitoring.
Enable via Group Policy or local policy:
- Advanced Audit Policy Configuration (not Basic)
- Command Line Process Auditing (for Event 4688)
- PowerShell Script Block Logging
- PowerShell Module Logging
Deploy Sysmon for:
- Process creation with hashes
- Network connections by process
- File creation timestamps
- Registry modifications
- DNS queries
Windows Log Forwarding Options:
| Method | Best For | Consideration |
|---|---|---|
| Windows Event Forwarding (WEF) | Windows-only environments | Free, built-in, Kerberos encrypted |
| Winlogbeat (Elastic) | ELK Stack environments | Lightweight, flexible filtering |
| Splunk Universal Forwarder | Splunk environments | Full Splunk integration |
| NXLog | Multi-platform, complex routing | Open-source and enterprise versions |
| Microsoft Sentinel Agent (AMA) | Azure environments | Direct to Log Analytics |
Linux and Unix Logs
Linux logging depends on the distribution and whether systemd journal or traditional syslog is used.
Linux Audit System (auditd) Critical Rules:
Minimum auditd rules for security monitoring:
```
# Monitor authentication files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
# Monitor SSH configuration
-w /etc/ssh/sshd_config -p wa -k sshd_config
# Monitor privileged commands
-a always,exit -F path=/usr/bin/sudo -F perm=x -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -k privileged
# Monitor network configuration changes
-w /etc/hosts -p wa -k network_config
# /etc/network/ is the Debian/Ubuntu location; adjust the path for other distributions
-w /etc/network/ -p wa -k network_config
# Monitor cron
-w /etc/crontab -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
```
Linux Log Forwarding:
| Method | Best For | Configuration |
|---|---|---|
| rsyslog | Traditional syslog forwarding | Built-in, configure /etc/rsyslog.conf |
| Fluent Bit | Kubernetes, containerized | Lightweight, cloud-native |
| Filebeat | ELK Stack | Elastic ecosystem integration |
| Vector | High-volume, complex routing | Datadog acquisition, performant |
| journald remote | systemd environments | Native journal forwarding |
Network Infrastructure Logs
Routers, switches, and wireless controllers provide network visibility essential for incident investigation.
Network Device Syslog Severity Guidance:
| Severity | Level | Retention Recommendation |
|---|---|---|
| 0-2 (Emergency, Alert, Critical) | Always retain | 12+ months |
| 3-4 (Error, Warning) | Important | 180 days |
| 5-6 (Notice, Informational) | Operational | 90 days |
| 7 (Debug) | Troubleshooting only | 7 days or disable |
Critical: Never run production network devices at debug level continuously. Enable debug only for active troubleshooting.
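As an added example (not part of the original guide), the following Python routes syslog lines into the retention buckets from the severity table above by decoding the PRI field that both RFC 3164 and RFC 5424 messages begin with (PRI = facility × 8 + severity). It goes one step beyond the table: anything from the auth and authpriv facilities (4 and 10) is kept for the longest tier regardless of severity, because login and privilege events are commonly emitted at Informational. The sample lines, the facility override and the exact bucket values are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Syslog severity numbers (RFC 5424 Table 2) mapped to the retention buckets
# from the table above, in days. Constructed mapping; tune to your frameworks.
RETENTION_DAYS = {0: 365, 1: 365, 2: 365, 3: 180, 4: 180, 5: 90, 6: 90, 7: 7}

# Assumption added in this example: auth (4) and authpriv (10) carry login and
# privilege events that devices often emit at Informational, so keep them for
# the longest tier no matter what severity the sender assigned.
SECURITY_FACILITIES = {4, 10}
SECURITY_FACILITY_DAYS = 365

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from the <PRI> prefix, or None if absent/invalid.

    Both RFC 3164 and RFC 5424 messages start with <PRI>, where
    PRI = facility * 8 + severity; the largest legal value is 191 (23*8 + 7).
    """
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8


def retention_for(line: str) -> Optional[int]:
    """Retention in days for one line, or None when the PRI cannot be decoded."""
    parsed = parse_pri(line)
    if parsed is None:
        return None
    facility, severity = parsed
    days = RETENTION_DAYS[severity]
    if facility in SECURITY_FACILITIES:
        days = max(days, SECURITY_FACILITY_DAYS)
    return days


def route(lines: List[str]) -> Dict[str, List[str]]:
    """Group lines by retention bucket ("365d", "90d", ...).

    Lines whose PRI cannot be decoded land in "unparsed" instead of being
    dropped, so a malformed sender never silently loses evidence.
    """
    buckets: Dict[str, List[str]] = {}
    for line in lines:
        days = retention_for(line)
        key = "unparsed" if days is None else f"{days}d"
        buckets.setdefault(key, []).append(line)
    return buckets


# Constructed sample messages (not real device output).
SAMPLE_LINES = [
    "<186>Oct 11 22:14:15 core-sw01 %SYS-2-MALLOCFAIL: Memory allocation failed",  # local7/critical
    "<38>Oct 11 22:14:16 core-sw01 login: user netops logged in from 10.0.0.5",     # auth/informational
    "<12>Oct 11 22:14:17 edge-rtr01 %LINK-4-ERROR: GigabitEthernet0/1 input errors",  # user/warning
    "<165>1 2025-01-10T09:00:00Z edge-rtr01 ospf - - - neighbor state change",    # local4/notice
    "<191>Oct 11 22:14:18 edge-rtr01 debug: packet dump follows",                  # local7/debug
    "Oct 11 22:14:19 legacy-ap01 no PRI header on this one",                        # unparsed
]

if __name__ == "__main__":
    for bucket, entries in sorted(route(SAMPLE_LINES).items()):
        print(f"{bucket:>9}: {len(entries)} line(s)")
```

In a real pipeline the bucket key would select the rsyslog ruleset or SIEM index whose expiration matches the period; the point of the facility override is that severity alone is a poor proxy for forensic value, since the second sample line is an Informational login event that the plain table would discard after 90 days.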
DNS, DHCP, and IPAM Logs
These infrastructure services are critical for incident investigation and attribution. DHCP logs answer the single most common forensic question: “Who had this IP address at this time?”
DNS Logging Specifics:
| DNS Platform | Configuration Location | Notes |
|---|---|---|
| Windows DNS | DNS Manager > Server Properties > Debug Logging | Also enable via Audit Policy |
| BIND | named.conf querylog option | High volume; consider sampling |
| Infoblox | Grid > DNS > Logging | Centralized logging built-in |
| Pi-hole | Built-in query log | Limited retention; forward to SIEM |
| Cloudflare Gateway | Dashboard or API | Cloud-native, varies by plan |
Email and Messaging Logs
Email logs support security investigations, HR inquiries, and legal discovery.
Email Gateway Vendor Notes (verify with vendor; varies by contract and configuration):
| Platform | Default Retention | Action Required |
|---|---|---|
| Microsoft 365 Message Trace | 10 days detailed, 90 days summary | Use Purview for longer retention |
| Proofpoint | Per contract/configuration | Configure Proofpoint Archive |
| Mimecast | Per contract | Verify archive settings |
| Barracuda | Local appliance dependent | Configure cloud archive |
| Cisco Email Security | Limited local | Forward to SIEM |
Database Audit Logs
Database logs are critical for data breach investigations and compliance evidence.
What Database Actions to Audit:
| Action Category | Priority | Compliance Requirement |
|---|---|---|
| Login success/failure | Critical | All frameworks |
| Schema changes (DDL) | Critical | SOX, PCI-DSS |
| Privilege changes (GRANT/REVOKE) | Critical | PCI-DSS, HIPAA |
| Data access (SELECT on sensitive tables) | High | PCI-DSS (CHD), HIPAA (ePHI) |
| Data modification (INSERT/UPDATE/DELETE) | High | SOX, compliance evidence |
| Stored procedure execution | Medium | Depends on content |
| Backup/restore operations | Critical | Disaster recovery evidence |
Critical: Do NOT enable full query logging in production without understanding the performance impact. Audit specific sensitive tables and privileged operations.
Endpoint Security Logs
Antivirus, EDR, and endpoint protection logs are primary sources for threat detection.
EDR Platform Retention Notes (verify current limits with vendor; subject to license tier and configuration):
| Platform | Console Retention | Long-term Option |
|---|---|---|
| CrowdStrike Falcon | ~90 days (Investigate) | Falcon Data Replicator to S3 |
| Microsoft Defender for Endpoint | ~180 days (Timeline), ~30 days (Advanced Hunting) | Stream to Sentinel |
| SentinelOne | 14-365 days (varies by license tier) | Deep Visibility data export |
| Carbon Black | Varies by deployment type | Forward to SIEM |
| Cortex XDR | License and configuration dependent | Cortex Data Lake retention |
Virtualization and Container Logs
Virtual infrastructure and container platforms require dedicated logging strategies.
Kubernetes Audit Log Configuration:
Minimum audit policy for security monitoring:
```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated in order; the first rule that matches decides the level.
rules:
  # Secrets and ConfigMaps: record that they were touched, never their bodies
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Requests from unauthenticated (anonymous) users
  - level: Metadata
    users: ["system:anonymous"]
  # Changes to workload and service objects: keep full request and response bodies
  # (Deployments live in the "apps" API group, not the core group)
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods", "services"]
      - group: "apps"
        resources: ["deployments"]
  # Everything else: record metadata so the trail has no gaps
  - level: Metadata
```
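To make the first-match semantics concrete, here is an added Python example (not part of the original guide and not Kubernetes project code) that reimplements the subset of audit-policy matching the policy above relies on (users, verbs, and resources with their API group) and reports the level a request would be recorded at. It also checks the property the Secrets rule exists to guarantee: that no request on a Secret is ever logged with its body. The sample requests and the deliberately misordered policy are constructed; real policies also support namespaces, userGroups, resourceNames and nonResourceURLs, which this matcher ignores.

```python
from typing import Dict, List

# Python rendering of the audit policy above (constructed to mirror the YAML).
POLICY: List[dict] = [
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "Metadata", "users": ["system:anonymous"]},
    {"level": "RequestResponse",
     "verbs": ["create", "update", "patch", "delete"],
     "resources": [{"group": "", "resources": ["pods", "services"]},
                   {"group": "apps", "resources": ["deployments"]}]},
    {"level": "Metadata"},  # catch-all
]

# Same rules with a broad write rule placed first: it matches Secrets before
# the Metadata rule can, so Secret bodies would end up in the audit log.
RISKY_POLICY: List[dict] = [
    {"level": "RequestResponse", "verbs": ["create", "update", "patch", "delete"]},
] + POLICY

# Audit levels from least to most detailed; "None" means the request is not logged.
LEVELS = ["None", "Metadata", "Request", "RequestResponse"]


def _resources_match(rule: dict, req: Dict[str, str]) -> bool:
    """A rule without 'resources' matches every resource; otherwise one group
    entry must match the request's API group and (if listed) its resource name."""
    entries = rule.get("resources")
    if not entries:
        return True
    for entry in entries:
        if entry.get("group", "") != req["group"]:
            continue
        names = entry.get("resources")
        if not names or req["resource"] in names:
            return True
    return False


def rule_matches(rule: dict, req: Dict[str, str]) -> bool:
    if "users" in rule and req["user"] not in rule["users"]:
        return False
    if "verbs" in rule and req["verb"] not in rule["verbs"]:
        return False
    return _resources_match(rule, req)


def effective_level(policy: List[dict], req: Dict[str, str]) -> str:
    """First matching rule wins; with no match the API server audits nothing."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


def secrets_never_bodied(policy: List[dict]) -> bool:
    """True if no verb on Secrets can be recorded above Metadata level."""
    for verb in ["get", "list", "watch", "create", "update", "patch", "delete"]:
        req = {"user": "system:serviceaccount:default:app", "verb": verb,
               "group": "", "resource": "secrets"}
        if LEVELS.index(effective_level(policy, req)) > LEVELS.index("Metadata"):
            return False
    return True


def unlogged_requests(policy: List[dict], reqs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests that would leave no audit record at all under this policy."""
    return [r for r in reqs if effective_level(policy, r) == "None"]


# Constructed sample requests.
SAMPLE_REQUESTS = [
    {"user": "jane", "verb": "create", "group": "", "resource": "secrets"},
    {"user": "system:anonymous", "verb": "get", "group": "", "resource": "pods"},
    {"user": "jane", "verb": "create", "group": "apps", "resource": "deployments"},
    {"user": "jane", "verb": "get", "group": "", "resource": "nodes"},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["user"], r["verb"], r["resource"], "->", effective_level(POLICY, r))
    print("secrets never bodied:", secrets_never_bodied(POLICY),
          "risky policy:", secrets_never_bodied(RISKY_POLICY))
```

Running `unlogged_requests` against `POLICY[:3]` (the policy without its catch-all) shows why the last rule matters: a `get` on nodes matches nothing and is simply not audited.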
Critical for Containers: Container logs are ephemeral by default. Without explicit logging configuration, logs are lost when containers restart. Deploy a log aggregation sidecar (Fluent Bit) or DaemonSet from day one.
Backup and Recovery Logs
Backup logs prove recovery capability and detect ransomware targeting backup systems. Attackers increasingly target backup credentials and configurations to prevent recovery. Retain backup job logs, restore test results, and backup system authentication logs for at least 12 months. See the System Type Navigator above for the full breakdown by log type.
Physical Security Logs
Badge readers and physical access logs support security investigations and may be required by compliance (PCI-DSS for data centers, HIPAA for facilities housing ePHI). Correlate physical access events with logical access logs for insider threat detection. See the System Type Navigator above for retention recommendations by log type.
Certificate and PKI Logs
Certificate infrastructure logs support security and troubleshooting. CA audit logs carry the longest recommended retention in this section (7 years, matching certificate validity periods plus a buffer). Key ceremony logs for HSM access and key generation should be retained permanently as compliance evidence. See the System Type Navigator above for the full breakdown.
Cloud Platform Default Retention Gaps
Most cloud platforms and SaaS services have default log retention periods that do not meet compliance requirements. IT teams must explicitly configure extended retention or export logs to long-term storage.
Verification Note: Cloud platform defaults change as vendors update their services. The values below reflect documented defaults as of January 2025. Always verify current retention settings against official vendor documentation before making compliance decisions. Links to authoritative documentation are provided in the Resources section.
Cloud Gap Analyzer
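The two ideas this guide turns on, the most-restrictive-requirement principle from "The Critical Compliance Principle" and the cloud default gap analysis this section describes, reduce to the same computation, so here is one added Python example (not part of the original guide) that does both: it resolves the governing requirement for a set of applicable frameworks, including the largest immediately-accessible window, and then scores a configured retention against it, treating a legal hold as a reason to flag any scheduled deletion. The retention figures come from the framework summaries on this page; the framework labels, the dataclass, and the inventory entries other than the CloudTrail and Message Trace figures are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Requirement:
    framework: str
    citation: str
    min_days: int        # minimum retention, in days
    hot_days: int = 0    # portion that must be immediately accessible


# Retention figures quoted in the framework summaries on this page
# (years converted at 365 days; the keys are this example's own labels).
REQUIREMENTS: Dict[str, Requirement] = {
    "PCI-DSS":  Requirement("PCI-DSS 4.0", "Requirement 10.5.1", 365, hot_days=90),
    "HIPAA":    Requirement("HIPAA Security Rule", "45 CFR 164.316(b)(2)(i)", 6 * 365),
    "SOX":      Requirement("Sarbanes-Oxley", "SEC Rule 2-06", 7 * 365),
    "CIS":      Requirement("CIS Controls v8", "Control 8.10", 90),
    "NIST-171": Requirement("NIST SP 800-171", "DFARS 252.204-7012", 90),
}


def governing_requirement(applicable: Iterable[str]) -> Optional[Requirement]:
    """Most-restrictive rule: the longest minimum wins, and the largest
    hot-access window among the applicable frameworks is carried along."""
    reqs = [REQUIREMENTS[name] for name in applicable]
    if not reqs:
        return None
    longest = max(reqs, key=lambda r: r.min_days)
    return replace(longest, hot_days=max(r.hot_days for r in reqs))


def gap(applicable: Iterable[str], configured_days: Optional[int],
        hot_days: Optional[int] = None, legal_hold: bool = False) -> dict:
    """Compare a configured retention with the governing requirement.

    configured_days=None means no expiration is configured; hot_days=None means
    everything retained is immediately searchable (a single-tier store).
    A legal hold makes any scheduled deletion a violation regardless of period.
    """
    req = governing_requirement(applicable)
    if req is None:
        raise ValueError("at least one applicable framework is required")
    retained = float("inf") if configured_days is None else configured_days
    hot = retained if hot_days is None else hot_days
    shortfall = max(0, req.min_days - retained)
    hot_shortfall = max(0, req.hot_days - hot)
    hold_violation = legal_hold and configured_days is not None
    return {
        "framework": req.framework,
        "citation": req.citation,
        "required_days": req.min_days,
        "required_hot_days": req.hot_days,
        "configured_days": configured_days,
        "shortfall_days": int(shortfall),
        "hot_shortfall_days": int(hot_shortfall),
        "legal_hold_violation": hold_violation,
        "compliant": shortfall == 0 and hot_shortfall == 0 and not hold_violation,
    }


def analyze_inventory(inventory: Dict[str, Optional[int]],
                      applicable: Iterable[str]) -> List[dict]:
    """Gap report for every log source, worst shortfall first."""
    frameworks = list(applicable)
    rows = []
    for source, days in inventory.items():
        row = gap(frameworks, days)
        row["source"] = source
        rows.append(row)
    return sorted(rows, key=lambda r: r["shortfall_days"], reverse=True)


# Constructed inventory. The CloudTrail Event History (90 days) and Message
# Trace (10 days detailed) figures are the ones quoted on this page; the
# SIEM and archive entries are made up for illustration.
INVENTORY: Dict[str, Optional[int]] = {
    "AWS CloudTrail Event History": 90,
    "Microsoft 365 Message Trace (detailed)": 10,
    "example-siem hot index": 30,
    "example-archive bucket": None,
}

if __name__ == "__main__":
    for row in analyze_inventory(INVENTORY, ["PCI-DSS", "HIPAA"]):
        status = "OK " if row["compliant"] else "GAP"
        print(f"{status} {row['source']}: {row['configured_days']} vs "
              f"{row['required_days']} required ({row['framework']}), "
              f"short {row['shortfall_days']}d")
```

For the opening scenario (PCI-DSS plus HIPAA, CloudTrail Event History at 90 days) the report shows a 2,100-day shortfall against the 6-year HIPAA period even though the 90-day PCI-DSS hot-access window is satisfied, which is exactly the pattern the "most restrictive wins" principle is meant to catch.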
Amazon Web Services (AWS)
AWS Best Practice: Use S3 with Intelligent-Tiering or Glacier transitions for cost-effective long-term retention. Enable S3 Object Lock for WORM compliance where required (SEC 17a-4, FINRA).
Microsoft Azure
Azure Best Practice: Use Log Analytics workspace with tiered retention (interactive to archive to Storage Account with cool/archive tiers). Configure Diagnostic Settings for every security-relevant service.
Microsoft 365
M365 Best Practice: E5 licensing with Purview Audit (Premium) retention policies is required for multi-year compliance. Configure Microsoft Graph API export for independent archival of critical logs.
Google Cloud Platform (GCP)
GCP Best Practice: Create organization-level log sinks to Cloud Storage with Object Lifecycle Management. Use BigQuery for queryable long-term retention of security-critical logs.
Storage Tier Implementation
Effective log retention balances access speed, storage cost, and compliance requirements.
| Tier | Typical Retention | Storage Type | Use Case | Relative Cost |
|---|---|---|---|---|
| Hot | 1-7 days | SSD/NVMe, Fully Indexed | Real-time alerting, active investigations | $$$$$ (Highest) |
| Warm | 30-90 days | HDD/Hybrid, Partially Indexed | Historical analysis, threat hunting | $$$ (Moderate) |
| Cold | Months to 1 year | Object Storage (S3 Standard-IA, Azure Cool) | Compliance retention, infrequent forensics | $$ (Low) |
| Frozen/Archive | Years (1-7+) | Glacier, Archive Tier, Tape | Long-term compliance, legal hold | $ (Lowest) |
Cost optimization strategies:
- Compression: Most log data compresses 80-90%
- Selective retention: Full fidelity for security logs; sampled/aggregated for operational logs
- Log level adjustment: Reduce DEBUG/TRACE in production unless actively troubleshooting
- Deduplication: Eliminate redundant log collection paths
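The tier table and the AWS note earlier on this page (S3 with Standard-IA and Glacier transitions) translate into an S3 lifecycle configuration, and the mistake to guard against is an expiration that runs shorter than the compliance period while the tiering looks fine. The following Python is an added example (not part of the original guide and not AWS code) that builds such rules with the expiration pinned to the required retention, enforces the 30-day minimum age S3 imposes before objects can move into the infrequent-access classes, and checks an existing rule against a requirement. The transition ages, prefixes and rule IDs are constructed; the JSON shape is the one `aws s3api put-bucket-lifecycle-configuration` accepts.

```python
import json
from typing import List, Sequence, Tuple

# Age in days after object creation at which objects move to the next tier,
# following the warm -> cold -> archive progression in the table above.
# Constructed defaults; the storage class names are real S3 values.
DEFAULT_TRANSITIONS: Sequence[Tuple[int, str]] = (
    (30, "STANDARD_IA"),   # cold tier
    (90, "GLACIER"),       # archive tier
)

# S3 rejects lifecycle rules that move objects into STANDARD_IA or ONEZONE_IA
# before they are 30 days old.
MIN_DAYS_BEFORE_IA = 30


def lifecycle_rule(rule_id: str, prefix: str, retention_days: int,
                   transitions: Sequence[Tuple[int, str]] = DEFAULT_TRANSITIONS) -> dict:
    """One rule in the shape accepted by put-bucket-lifecycle-configuration.

    Expiration is pinned to the compliance retention period so that tiering
    can never delete data early; transitions that would fire at or after
    expiration are dropped because the objects would already be gone.
    """
    if retention_days < 1:
        raise ValueError("retention_days must be positive")
    ordered = sorted(transitions)
    days = [d for d, _ in ordered]
    if len(set(days)) != len(days):
        raise ValueError("transition days must be distinct")
    for d, storage_class in ordered:
        if storage_class in ("STANDARD_IA", "ONEZONE_IA") and d < MIN_DAYS_BEFORE_IA:
            raise ValueError(f"{storage_class} transition at day {d} is below the 30-day minimum")
    return {
        "ID": rule_id,
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": d, "StorageClass": c}
                        for d, c in ordered if d < retention_days],
        "Expiration": {"Days": retention_days},
    }


def rule_meets(rule: dict, required_days: int) -> bool:
    """Check a rule (for example one fetched from the bucket) against a period.

    A disabled rule, or one with no Expiration, deletes nothing and therefore
    always satisfies the retention period.
    """
    if rule.get("Status") != "Enabled":
        return True
    expiration = rule.get("Expiration", {}).get("Days")
    return expiration is None or expiration >= required_days


def lifecycle_configuration(rules: List[dict]) -> str:
    """JSON document to pass via --lifecycle-configuration file://rules.json."""
    return json.dumps({"Rules": rules}, indent=2)


# Constructed example: one prefix per compliance regime on the same bucket,
# using the 12-month PCI-DSS and 6-year HIPAA periods quoted on this page.
EXAMPLE_RULES = [
    lifecycle_rule("pci-audit-logs", "audit/pci/", 365),
    lifecycle_rule("hipaa-audit-logs", "audit/hipaa/", 6 * 365),
]

if __name__ == "__main__":
    print(lifecycle_configuration(EXAMPLE_RULES))
```

Object Lock, which the AWS note recommends for WORM obligations, is a separate bucket-level setting; lifecycle rules only govern tiering and expiration, so both need to be reviewed when a retention period is verified.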
Secure Destruction Requirements
When retention periods expire, logs must be securely destroyed following NIST SP 800-88 Guidelines for Media Sanitization:
Clear: Logical techniques (overwriting) protecting against simple recovery. Acceptable for non-sensitive data on media being reused within the organization.
Purge: Physical or logical techniques (degaussing, cryptographic erase) rendering recovery infeasible with state-of-the-art laboratory techniques. Required for sensitive data on media leaving organizational control.
Destroy: Physical destruction (shredding, incineration, disintegration) rendering recovery infeasible and the media unusable.
Documentation requirement: Maintain destruction certificates including date, method, personnel performing destruction, and verification method. Retain destruction certificates for minimum 7 years.
Implementation Checklist
For each cloud service and SaaS platform in your environment:
Authoritative Sources and Resources
Primary Regulatory Sources
Payment Card Industry
- PCI Security Standards Council: https://www.pcisecuritystandards.org/
- Document Library (PCI-DSS 4.0): https://www.pcisecuritystandards.org/document_library/
- Effective Daily Log Monitoring Guidance: https://www.pcisecuritystandards.org/documents/Effective-Daily-Log-Monitoring-Guidance.pdf
Healthcare (HIPAA)
- HHS HIPAA Security Rule: https://www.hhs.gov/hipaa/for-professionals/security/index.html
- 45 CFR Part 164: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
- Technical Safeguards Guidance: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Financial (SOX, SEC, FINRA, GLBA)
- SEC Sarbanes-Oxley Act: https://www.sec.gov/about/laws/soa2002.pdf
- SEC Rule 17a-4: https://www.sec.gov/rules/final/34-38245.txt
- FINRA Rule 4511: https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511
- FTC GLBA Safeguards Rule: https://www.ftc.gov/legal-library/browse/rules/safeguards-rule
Federal Guidance (NIST)
- NIST SP 800-92 (Log Management): https://csrc.nist.gov/pubs/sp/800/92/final
- NIST SP 800-171 Rev 2: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
- NIST SP 800-88 Rev 2 (Media Sanitization): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r2.pdf
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
International Standards
- ISO 27001:2022: https://www.iso.org/standard/27001
- ISO 27002:2022: https://www.iso.org/standard/75652.html
Industry Best Practices
- CIS Controls v8: https://www.cisecurity.org/controls
- CIS Control 8 (Audit Log Management): https://www.cisecurity.org/controls/audit-log-management
Privacy Regulations
- GDPR Official Text: https://gdpr.eu/
- CCPA/CPRA (California AG): https://oag.ca.gov/privacy/ccpa
Employment and Safety
- OSHA Recordkeeping: https://www.osha.gov/recordkeeping
- 29 CFR 1910.1020: https://www.osha.gov/laws-regs/regulations/standardnumber/1910/1910.1020
- DOL FLSA Recordkeeping: https://www.dol.gov/agencies/whd/flsa
- EEOC Recordkeeping: https://www.eeoc.gov/employers/recordkeeping-requirements
- IRS Record Retention: https://www.irs.gov/businesses/small-businesses-self-employed/how-long-should-i-keep-records
Cloud Platform Documentation
Amazon Web Services
- CloudTrail: https://docs.aws.amazon.com/cloudtrail/
- CloudWatch Logs: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/
- S3 Lifecycle: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
- Security Hub: https://docs.aws.amazon.com/securityhub/
Microsoft Azure
- Activity Log: https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log
- Log Analytics: https://docs.microsoft.com/azure/azure-monitor/logs/log-analytics-overview
- Microsoft Sentinel: https://docs.microsoft.com/azure/sentinel/
Microsoft 365
- Unified Audit Log Retention: https://docs.microsoft.com/microsoft-365/compliance/audit-log-retention-policies
- Microsoft Purview: https://docs.microsoft.com/microsoft-365/compliance/
Google Cloud Platform
- Cloud Logging: https://cloud.google.com/logging/docs
- Cloud Audit Logs: https://cloud.google.com/logging/docs/audit
Glossary
| Term | Definition |
|---|---|
| Audit Trail | Chronological record providing documentary evidence of the sequence of activities affecting a specific operation, procedure, or event |
| Business Associate | Under HIPAA, a person or entity performing functions involving use or disclosure of PHI on behalf of a covered entity |
| Chain of Custody | Documentation showing seizure, custody, control, transfer, analysis, and disposition of evidence |
| Covered Entity | Under HIPAA: health plans, healthcare clearinghouses, and healthcare providers transmitting health information electronically |
| CUI | Controlled Unclassified Information requiring safeguarding per law, regulation, or government-wide policy |
| ePHI | Electronic Protected Health Information created, stored, transmitted, or received electronically |
| Hot Storage | High-performance, immediately accessible storage (SSD/NVMe) for real-time analysis |
| Litigation Hold | Legal requirement to preserve all relevant documents when litigation is reasonably anticipated |
| SIEM | Security Information and Event Management technology aggregating, correlating, and analyzing security events |
| WORM | Write Once Read Many storage preventing modification or deletion after initial write |
This document provides general guidance based on publicly available regulatory requirements as of January Feb 2026. Organizations should consult qualified legal counsel and compliance professionals to determine specific obligations. Retention requirements are subject to change through regulatory amendment. Always verify against primary authoritative sources.