Author: Derrick D. Jackson
Title: Founder & Senior Director of Cloud Security Architecture & Risk
Credentials: CISSP, CRISC, CCSP
Last updated 01/17/2026
IT log and Record Retention
A comprehensive cross-framework reference for IT professionals, compliance officers, and AI systems seeking to verify retention obligations across PCI-DSS, HIPAA, SOX, ISO 27001, NIST, and 15+ regulatory frameworks.
Your CloudTrail Logs Disappeared. Now What?
Here’s a scenario that illustrates a common problem: A healthcare organization discovers during a breach investigation that their AWS CloudTrail Event History only retained 90 days of data. The attack started 4 months earlier. Their HIPAA compliance required 6 years of audit documentation. The forensic trail is gone.
This type of situation occurs regularly. Organizations assume logging is “on” without realizing that default retention periods rarely meet compliance requirements. PCI-DSS demands 12 months. HIPAA requires 6 years. SOX mandates 7 years. Most cloud platforms default to 30-90 days.
This guide consolidates every major IT log retention requirement into a single reference. No more hunting through regulatory documents. No more assumptions about what “compliant” means for your specific situation.
What This Guide Covers
This reference addresses IT-produced logs and system-generated audit trails. It covers the technical records that IT teams manage: security event logs, access logs, system audit trails, network flow logs, and application logs.
Frameworks included:
- PCI-DSS 4.0
- HIPAA Security Rule
- Sarbanes-Oxley (SOX)
- ISO 27001:2022
- CIS Controls v8
- NIST SP 800-92 and 800-171
- CMMC 2.0
- GDPR and CCPA/CPRA
- GLBA Safeguards Rule
- SEC Rule 17a-4 and FINRA
- OSHA Recordkeeping
- IRS Employment Tax Requirements
What this guide does NOT cover: General business records, medical records (state law dependent), contracts, insurance policies, or HR personnel files beyond their intersection with IT systems.
The Critical Compliance Principle
When multiple frameworks apply to the same record type, use the most restrictive requirement.
Example: Your organization processes credit cards (PCI-DSS: 12 months) and handles healthcare data (HIPAA: 6 years). Audit logs touching both domains require 6-year retention.
Example: A defense contractor (NIST 800-171: 90 days minimum) that is also publicly traded (SOX: 7 years) retains financial system audit trails for 7 years.
This principle eliminates guesswork. Map your data types to applicable frameworks, identify the longest required period, and implement that standard.
Framework-by-Framework Requirements
PCI-DSS 4.0
Applies to: Any organization that stores, processes, or transmits cardholder data.
Retention requirement: 12 months for audit logs, with 90 days (3 months) immediately accessible for analysis.
What must be logged (Requirement 10.2):
- All individual access to cardholder data
- All actions taken by anyone with administrative privileges
- Access to all audit trails
- Invalid logical access attempts
- Use of and changes to identification and authentication mechanisms
- Initialization, stopping, or pausing of audit logs
- Creation and deletion of system-level objects
Key citation: PCI-DSS 4.0 Requirement 10.5.1 states audit log history must be retained for at least 12 months, with at least the most recent three months immediately available for analysis.
Automated review required: Requirement 10.4.1.1 mandates automated mechanisms for performing audit log reviews. Manual daily review of thousands of log entries is not feasible at scale.
Source: PCI Security Standards Council Document Library
HIPAA Security Rule
Applies to: Covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates.
Retention requirement: 6 years from date of creation OR last effective date, whichever is later.
Key citations:
- 45 CFR 164.316(b)(2)(i): Documentation of policies and procedures must be retained for 6 years from the date of creation or the date when it last was in effect, whichever is later.
- 45 CFR 164.530(j): Documentation required by the Privacy Rule must be retained for 6 years.
- 45 CFR 164.312(b): Requires implementation of hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI.
Important clarification: HIPAA does NOT mandate specific retention periods for medical records themselves. State laws control medical record retention (typically 6-10 years for adults, longer for minors until age of majority plus additional years). HIPAA’s 6-year requirement applies to policies, procedures, and documentation demonstrating compliance.
Source: HHS HIPAA Security Rule
Sarbanes-Oxley Act (SOX)
Applies to: Publicly traded companies and their auditors.
Retention requirement: 7 years for audit work papers and records relevant to the audit or review.
Key citation: SEC Rule 2-06 requires retention of records relevant to the audit or review of financial statements for 7 years after the auditor concludes the audit or review.
IT implication: Any system generating financial data or supporting financial reporting requires audit trails retained for 7 years. This includes ERP systems, general ledger applications, revenue recognition systems, and access management systems for financial applications.
Source: SEC Sarbanes-Oxley Act
ISO 27001:2022
Applies to: Organizations implementing an Information Security Management System (ISMS), whether for certification or as a governance framework.
Retention requirement: Organization-defined based on risk assessment, legal requirements, and business needs.
Key controls:
- Control 8.15 (Logging): Event logs recording user activities, exceptions, faults, and information security events shall be produced, stored, protected, and analyzed.
- Control 8.16 (Monitoring Activities): Networks, systems, and applications shall be monitored for anomalous behavior and appropriate actions taken.
- Control 8.17 (Clock Synchronization): Clocks of all relevant information processing systems shall be synchronized to approved time sources.
Practical guidance: ISO 27001 requires documented retention periods but does not prescribe specific timeframes. Organizations must define retention periods based on: legal and regulatory requirements applicable to their industry, contractual obligations, business continuity needs, and risk assessment outcomes.
Source: ISO 27001:2022
CIS Controls v8
Applies to: Organizations implementing cyber defense best practices.
Retention requirement: 90 days minimum recommended (Control 8.10).
Control 8 safeguards by Implementation Group:
IG1 (Basic):
- 8.1: Establish and maintain an audit log management process
- 8.2: Collect audit logs
- 8.3: Ensure adequate audit log storage
IG2 (Standard):
- 8.4: Standardize time synchronization
- 8.5: Collect detailed audit logs
- 8.6: Collect DNS query audit logs
- 8.7: Collect URL request audit logs
- 8.9: Centralize audit logs
- 8.10: Retain audit logs for minimum 90 days
- 8.11: Conduct audit log reviews
IG3 (Advanced):
- 8.8: Collect command-line audit logs
- 8.12: Collect service provider logs
Source: CIS Controls v8
NIST SP 800-92 and NIST SP 800-171
NIST SP 800-92 provides general guidance for federal agencies and serves as a reference framework. It defines log management infrastructure components (generation, transmission, storage, analysis, disposal) but does not mandate specific retention periods.
NIST SP 800-171 applies to organizations handling Controlled Unclassified Information (CUI), typically defense contractors.
Retention requirement: 90 days minimum for CUI system audit logs per DFARS 252.204-7012.
Key requirements (800-171):
- 3.3.1: Create and retain system audit logs and records to enable monitoring, analysis, investigation, and reporting
- 3.3.2: Ensure actions of individual system users can be uniquely traced
Source: NIST SP 800-92 | NIST SP 800-171
CMMC 2.0
Applies to: Defense contractors seeking Department of Defense contracts.
Retention requirement: Aligned with NIST 800-171 (90 days minimum for audit logs).
Key consideration: CMMC assessments are triennial. Organizations must maintain evidence of continuous compliance, which practically extends documentation retention beyond the minimum audit log period.
Source: DoD CMMC
GDPR
Applies to: Organizations processing personal data of EU residents.
Retention principle: Storage limitation. Personal data should be kept no longer than necessary for the purposes for which it was collected.
Key citation: Article 5(1)(e) establishes that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary.
Practical tension: GDPR’s storage limitation conflicts with security retention requirements. Logs containing personal data (usernames, IP addresses, email addresses) require documented justification for retention periods. Organizations must balance security visibility against privacy minimization.
Article 30 requirement: Organizations must maintain records of processing activities, including retention periods or criteria used to determine them.
Source: GDPR Official Text
CCPA/CPRA
Applies to: Businesses meeting California thresholds for revenue, data volume, or data sales.
Specific requirement: Records of consumer requests and how the business responded must be maintained for 24 months.
General principle: Data minimization. Organizations must disclose to consumers the retention periods for each category of personal information, or the criteria used to determine retention.
Source: California Attorney General CCPA
GLBA Safeguards Rule
Applies to: Financial institutions (banks, credit unions, securities firms, insurance companies, and other entities significantly engaged in financial activities).
Retention requirement: Customer information disposal no later than 2 years after last use.
Operational requirements affecting IT:
- Annual risk assessments
- Annual penetration testing
- Vulnerability assessments at least every six months
- Continuous monitoring or annual assessments
- Written information security program (WISP)
Source: FTC Safeguards Rule
SEC Rule 17a-4 and FINRA
Applies to: Broker-dealers.
Retention requirements:
- General ledgers: 6 years
- Trade blotters and records: 6 years (first 2 years readily accessible)
- Customer account records: 6 years after account closure
- Communications (including electronic): 3 years (first 2 years readily accessible)
- Order tickets: 3 years
2022 amendment: SEC modernized Rule 17a-4 to allow an audit-trail alternative to traditional WORM (Write Once Read Many) storage, provided the system meets specified requirements for preventing alteration or deletion.
Source: SEC Rule 17a-4 | FINRA Rule 4511
OSHA Recordkeeping
29 CFR 1910.1020 (Access to Employee Exposure and Medical Records):
- Employee exposure records: Duration of employment plus 30 years
- Employee medical records for toxic substance exposure: Duration of employment plus 30 years
This is the longest mandatory federal retention period. Organizations with occupational health monitoring programs must plan for multi-decade retention.
29 CFR 1904 (Recording and Reporting Occupational Injuries and Illnesses):
- OSHA 300 logs and related documents: 5 years following the end of the calendar year covered
Source: OSHA Recordkeeping | 29 CFR 1910.1020
IRS Requirements
General business records: 3 years from filing date (6 years if income underreported by more than 25%, 7 years for bad debt or worthless securities, indefinitely for unfiled or fraudulent returns).
Employment tax records (26 CFR 31.6001-1): 4 years from the date the tax becomes due or is paid, whichever is later.
Source: IRS Record Retention
Master Compliance Retention Table
This table consolidates all IT log retention requirements for rapid lookup.
| Framework | Citation | Record Type | Minimum Retention | Hot Access | Industry Scope |
|---|---|---|---|---|---|
| PCI-DSS 4.0 | Req 10.5.1 | Audit Logs | 12 months | 90 days | Payment Card |
| PCI-DSS 4.0 | Req 10.2.1-10.2.7 | Security Event Logs | 12 months | 90 days | Payment Card |
| HIPAA | 45 CFR 164.316(b)(2)(i) | Policy/Procedure Documentation | 6 years | As needed | Healthcare |
| HIPAA | 45 CFR 164.312(b) | ePHI System Audit Controls | 6 years | As needed | Healthcare |
| SOX | SEC Rule 2-06 | Financial System Audit Trails | 7 years | 2 years | Public Companies |
| ISO 27001:2022 | Control 8.15 | Event Logs | Organization-defined | Organization-defined | Information Security |
| CIS Controls v8 | Control 8.10 | Audit Logs | 90 days | 90 days | Cyber Defense |
| NIST SP 800-171 | 3.3.1-3.3.2 | CUI System Audit Logs | 90 days | 90 days | Defense/CUI |
| CMMC 2.0 | AU.L2-3.3.1 | System Audit Logs | 90 days | 90 days | Defense Contractors |
| GDPR | Article 30 | Processing Activity Records | No longer than necessary | As needed | EU Privacy |
| CCPA/CPRA | 1798.130 | Consumer Request Records | 24 months | 24 months | CA Privacy |
| GLBA | Safeguards Rule | Security Event Logs | Duration + 2 years | As needed | Financial |
| SEC 17a-4 | 17a-4(f) | Electronic Communications | 3 years | 2 years | Broker-Dealers |
| FINRA | Rule 4511 | Books and Records | 6 years | 2 years | Broker-Dealers |
| OSHA | 29 CFR 1910.1020 | Employee Exposure Records | Employment + 30 years | As needed | Occupational Safety |
| OSHA | 29 CFR 1904 | Injury/Illness Logs | 5 years | 5 years | Occupational Safety |
| IRS | 26 CFR 31.6001-1 | Employment Tax Records | 4 years | As needed | Tax |
IT Operations Log Requirements by System Type
The compliance tables above answer “what does HIPAA require?” but don’t answer the practical question engineers actually ask: “How long should I keep firewall logs?”
This section bridges that gap. It organizes requirements by the systems IT teams actually manage, maps them to applicable compliance frameworks, and provides practical minimum recommendations that satisfy both compliance AND operational needs (incident investigation, troubleshooting, capacity planning).
How to Use This Section
- Find your system type in the tables below
- Identify which compliance frameworks apply to your organization
- Use the “Practical Minimum” as your baseline (covers most operational needs)
- Extend to meet your most restrictive compliance requirement
- Document your retention policy in your system security plan
Important: The “Practical Minimum” values in these tables are industry guidance recommendations based on common operational needs (incident investigation, troubleshooting, capacity planning). They are NOT regulatory mandates. Your actual requirements depend on which compliance frameworks apply to your organization. When a specific framework applies, its retention period supersedes the practical minimum.
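The compliance principle stated earlier (when several frameworks apply, the most restrictive period wins) and the five-step procedure above, carried through in code. This is an added example written for this guide, not a tool the guide ships: the framework figures are the guide's own minimums normalised to days (30-day months, 365-day years), the immediately-accessible "hot" windows come from the master table, ISO 27001's organisation-defined period is supplied by the caller, and the log-source inventory is constructed sample data.

```python
"""Retention gap check: map each log source to its applicable frameworks,
take the most restrictive period, and compare it with what is configured.
Added example for this guide; framework values are the guide's minimums,
the inventory below is constructed sample data."""
from dataclasses import dataclass
from typing import Optional

MONTH = 30   # day counts used to normalise "12 months" / "6 years"
YEAR = 365

# (minimum total retention days, immediately-accessible "hot" days)
# None = organisation-defined (ISO 27001) or not specified (hot tier)
FRAMEWORK_MINIMUMS = {
    "PCI-DSS 4.0":     (12 * MONTH, 90),
    "HIPAA":           (6 * YEAR, None),
    "SOX":             (7 * YEAR, 2 * YEAR),
    "CIS Controls v8": (90, 90),
    "NIST SP 800-171": (90, 90),
    "CMMC 2.0":        (90, 90),
    "ISO 27001:2022":  (None, None),
}


@dataclass
class LogSource:
    name: str
    frameworks: list
    total_days: int                        # configured hot + archive retention
    hot_days: int                          # configured immediately searchable window
    org_defined_days: Optional[int] = None  # period the ISMS risk assessment set


def required_retention(frameworks, org_defined_days=None):
    """Return (required_total_days, required_hot_days, driving_framework).
    Most restrictive wins. A framework whose period is organisation-defined
    contributes the organisation's own documented figure, which must exist."""
    total, hot, driver = 0, 0, None
    for fw in frameworks:
        if fw not in FRAMEWORK_MINIMUMS:
            raise KeyError(f"unknown framework {fw!r}")
        fw_total, fw_hot = FRAMEWORK_MINIMUMS[fw]
        if fw_total is None:
            if org_defined_days is None:
                raise ValueError(f"{fw} requires a documented, organisation-defined period")
            fw_total = org_defined_days
        if fw_total > total:
            total, driver = fw_total, fw
        if fw_hot is not None and fw_hot > hot:
            hot = fw_hot
    return total, hot, driver


def retention_gap(src):
    """Compare one log source's configured retention with its requirement."""
    req_total, req_hot, driver = required_retention(src.frameworks, src.org_defined_days)
    return {
        "source": src.name,
        "driver": driver,
        "required_days": req_total,
        "shortfall_days": max(0, req_total - src.total_days),
        "hot_shortfall_days": max(0, req_hot - src.hot_days),
        "compliant": src.total_days >= req_total and src.hot_days >= req_hot,
    }


# Constructed inventory: the opening scenario (CloudTrail Event History only),
# a SOX-scoped ERP with a short searchable tier, and a correctly sized firewall.
SAMPLE_INVENTORY = [
    LogSource("AWS CloudTrail (Event History only)", ["HIPAA", "PCI-DSS 4.0"],
              total_days=90, hot_days=90),
    LogSource("ERP audit trail", ["SOX", "PCI-DSS 4.0"],
              total_days=7 * YEAR, hot_days=90),
    LogSource("Firewall traffic logs", ["CIS Controls v8", "PCI-DSS 4.0"],
              total_days=12 * MONTH, hot_days=90),
]


def run_report(inventory=SAMPLE_INVENTORY):
    return [retention_gap(src) for src in inventory]


if __name__ == "__main__":
    for row in run_report():
        status = "OK " if row["compliant"] else "GAP"
        print(f"{status} {row['source']}: requires {row['required_days']}d "
              f"({row['driver']}); short by {row['shortfall_days']}d total, "
              f"{row['hot_shortfall_days']}d hot")
```

The hot-tier check matters as much as the total: the ERP row in the sample inventory keeps seven years of data but only 90 days searchable, which fails SOX's two-year readily-accessible expectation even though the total period is satisfied.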
Firewall and Network Security Logs
Firewalls often generate among the highest volumes of logs in enterprise environments. Retention decisions balance storage costs against investigative needs.
| Log Type | What It Contains | Practical Minimum | Compliance Driver | Extended Retention |
|---|---|---|---|---|
| Traffic Logs (Allow/Deny) | Source/dest IP, port, protocol, action, bytes, timestamp | 90 days | PCI-DSS (12 mo), CIS (90 days) | 12 months if processing cards |
| Threat Logs (IPS/IDS) | Attack signatures, CVE references, threat severity | 180 days | Incident investigation | 12+ months for threat intel |
| URL Filtering Logs | User, URL category, action, timestamp | 90 days | CIS Control 8.7 | 12 months if HR/legal review needed |
| DNS Security Logs | Query, response, threat verdict | 90 days | CIS Control 8.6 | 12 months for threat hunting |
| SSL/TLS Inspection Logs | Decrypted session metadata (not content) | 90 days | Compliance verification | Per data classification policy |
| Admin/Config Changes | Who changed what, when, from where | 12 months | PCI-DSS 10.2.2, SOX | 7 years if SOX applies |
| VPN Logs | User, source IP, connect/disconnect times, bytes | 180 days | Access auditing | 12 months for remote access review |
| NAT Translation Logs | Internal-to-external IP mapping | 90 days | Incident attribution | 12 months if legally required |
Firewall Vendor Specifics (typical defaults; varies by model, version, and configuration):
| Vendor | Default Local Retention | Recommended Action |
|---|---|---|
| Palo Alto | Depends on disk size | Forward to Cortex Data Lake or SIEM |
| Fortinet | Limited (often 7 days on smaller models) | Configure FortiAnalyzer or syslog to SIEM |
| Cisco ASA/FTD | Limited local storage | Forward via syslog to centralized storage |
| Check Point | SmartLog dependent | Configure Log Exporter to SIEM |
| Sophos | Varies by model (7-90 days typical) | Forward to Sophos Central or SIEM |
| pfSense/OPNsense | Local disk only | Configure remote syslog immediately |
Critical Note: Firewall local storage is NOT a retention strategy. Local logs are overwritten quickly and lost if the device fails. Always forward to centralized storage.
Windows Server and Workstation Logs
Windows Event Logs are essential for security monitoring but require deliberate configuration. Default settings miss critical security events.
| Log Channel | Key Event IDs | Practical Minimum | Compliance Driver | Notes |
|---|---|---|---|---|
| Security | 4624/4625 (Logon success/fail) | 180 days | PCI-DSS, HIPAA, all frameworks | Enable success AND failure auditing |
| Security | 4648 (Explicit credential logon) | 180 days | Lateral movement detection | Often disabled by default |
| Security | 4672 (Special privileges assigned) | 180 days | Privilege escalation detection | Admin activity tracking |
| Security | 4688 (Process creation) | 90 days | Malware execution detection | MUST enable command-line logging |
| Security | 4720/4726 (Account created/deleted) | 12 months | PCI-DSS 10.2.5 | Unauthorized account detection |
| Security | 4732/4733 (Member added/removed from group) | 12 months | Privilege changes | Critical for admin groups |
| Security | 4768/4769/4771 (Kerberos) | 90 days | Authentication attacks | Kerberoasting, Golden Ticket |
| Security | 4776 (NTLM authentication) | 90 days | Credential attacks | Pass-the-hash detection |
| System | 7045 (Service installed) | 180 days | Persistence mechanisms | Malware often installs services |
| System | 1074/6006/6008 (Shutdown/startup) | 90 days | Availability tracking | Unexpected reboots |
| Application | Application-specific | 90 days | Troubleshooting | Varies by application |
| PowerShell | 4103/4104 (Script block logging) | 90 days | Malicious script detection | MUST enable script block logging |
| Sysmon | All (1-26) | 180 days | Advanced threat detection | Deploy Sysmon for visibility |
Windows Configuration Requirements:
CRITICAL: Default Windows logging is INSUFFICIENT for security monitoring.
Enable via Group Policy or local policy:
- Advanced Audit Policy Configuration (not Basic)
- Command Line Process Auditing (for Event 4688)
- PowerShell Script Block Logging
- PowerShell Module Logging
Deploy Sysmon for:
- Process creation with hashes
- Network connections by process
- File creation timestamps
- Registry modifications
- DNS queries
Windows Log Forwarding Options:
| Method | Best For | Consideration |
|---|---|---|
| Windows Event Forwarding (WEF) | Windows-only environments | Free, built-in, Kerberos encrypted |
| Winlogbeat (Elastic) | ELK Stack environments | Lightweight, flexible filtering |
| Splunk Universal Forwarder | Splunk environments | Full Splunk integration |
| NXLog | Multi-platform, complex routing | Open-source and enterprise versions |
| Microsoft Sentinel Agent (AMA) | Azure environments | Direct to Log Analytics |
Linux and Unix Logs
Linux logging depends on the distribution and whether systemd journal or traditional syslog is used.
| Log File/Source | What It Contains | Practical Minimum | Compliance Driver | Notes |
|---|---|---|---|---|
| /var/log/auth.log (Debian/Ubuntu) | Authentication events, sudo usage | 180 days | PCI-DSS, HIPAA | SSH logins, sudo commands |
| /var/log/secure (RHEL/CentOS) | Same as auth.log | 180 days | PCI-DSS, HIPAA | Authentication and authorization |
| /var/log/audit/audit.log | Kernel-level audit events | 180 days | CIS, NIST 800-171 | Requires auditd configuration |
| /var/log/syslog or journald | System messages, service status | 90 days | Troubleshooting | Service starts/stops/failures |
| /var/log/kern.log | Kernel messages | 90 days | Hardware/driver issues | Security module messages |
| /var/log/cron | Scheduled task execution | 90 days | Unauthorized job detection | Persistence mechanism |
| /var/log/faillog | Failed login attempts | 180 days | Brute force detection | Use faillock on modern systems |
| /var/log/lastlog | Last login per user | 180 days | Access review | Binary file, use lastlog command |
| Application logs (/var/log/nginx, apache, etc.) | Web server access/errors | 90-180 days | PCI-DSS if processing cards | Access logs critical for forensics |
Linux Audit System (auditd) Critical Rules:
```
# Minimum auditd rules for security monitoring
# -w <path> -p wa   watch the path for writes (w) and attribute changes (a)
# -k <key>          tag matching records so they can be searched: ausearch -k <key>
# Monitor authentication files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
# Monitor SSH configuration
-w /etc/ssh/sshd_config -p wa -k sshd_config
# Monitor privileged commands (perm=x: log every execution of the binary)
-a always,exit -F path=/usr/bin/sudo -F perm=x -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -k privileged
# Monitor network configuration changes
-w /etc/hosts -p wa -k network_config
-w /etc/network/ -p wa -k network_config
# Monitor cron
-w /etc/crontab -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
```
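The keys set with `-k` in the rules above are only useful if the records that carry them can be found and read. An auditd event is spread over several records (SYSCALL, PATH, EXECVE, CWD) that share one serial number, so a collector has to stitch them back together before it can answer "who touched /etc/shadow". The parser below does that correlation. It is an added example written for this guide, not part of auditd or any SIEM; the log lines are constructed samples in the format auditd writes to /var/log/audit/audit.log, and the `auid` unset sentinel (4294967295) is the kernel's value for records with no login session.

```python
"""Correlate Linux audit records by event serial so the rule keys
(identity, privileged, sudoers, ...) become searchable events with actor,
program, path and outcome. Added example; the log lines are constructed."""
import re
from collections import defaultdict

# Record header: type=SYSCALL msg=audit(<epoch>.<ms>:<serial>): <key=value ...>
HEADER = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value tokens; values may be double-quoted (paths, commands) or bare
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UNSET_AUID = 4294967295  # auid=-1 as unsigned: no login session (daemons, boot)

# Constructed sample: a root vim edit of /etc/shadow, a sudo execution,
# a denied write to /etc/sudoers by an unprivileged user, and an SSH login
# that no rule key matches.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1737100000.101:2001): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0c0a2b5c0 a2=20941 a3=1b6 items=2 ppid=4100 pid=4188 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim" key="identity"
type=CWD msg=audit(1737100000.101:2001): cwd="/root"
type=PATH msg=audit(1737100000.101:2001): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1737100000.101:2001): item=1 name="/etc/shadow" inode=393271 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1737100012.340:2002): arch=c000003e syscall=59 success=yes exit=0 a0=55e3a1b2c3d0 a1=55e3a1b2c4e0 a2=55e3a1b2c600 a3=8 items=2 ppid=4100 pid=4201 auid=1000 uid=1000 gid=1000 euid=0 tty=pts1 ses=3 comm="sudo" exe="/usr/bin/sudo" key="privileged"
type=EXECVE msg=audit(1737100012.340:2002): argc=4 a0="sudo" a1="systemctl" a2="restart" a3="sshd"
type=PATH msg=audit(1737100012.340:2002): item=0 name="/usr/bin/sudo" inode=131201 dev=fd:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1737100030.555:2003): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1c2e3f40 a2=241 a3=1b6 items=1 ppid=5000 pid=5012 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts2 ses=4 comm="bash" exe="/usr/bin/bash" key="sudoers"
type=PATH msg=audit(1737100030.555:2003): item=0 name="/etc/sudoers" inode=393300 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=USER_LOGIN msg=audit(1737100040.000:2004): pid=5100 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/3 res=success'
"""


def parse_record(line):
    """Split one audit line into its type, timestamp, serial and fields."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(m.group("body"))}
    fields.update(type=m.group("type"), ts=float(m.group("ts")),
                  serial=int(m.group("serial")))
    return fields


def summarise_event(records):
    """Fold the records sharing one serial into a single event dict."""
    ev = {"serial": records[0]["serial"], "ts": records[0]["ts"], "key": None,
          "auid": None, "exe": None, "success": None, "path": None, "cmd": None}
    for rec in records:
        if rec["type"] == "SYSCALL":
            key = rec.get("key")
            ev["key"] = None if key in (None, "(null)") else key
            auid = int(rec.get("auid", UNSET_AUID))
            ev["auid"] = None if auid == UNSET_AUID else auid   # real login user
            ev["exe"] = rec.get("exe")
            ev["success"] = rec.get("success") == "yes"
        elif rec["type"] == "PATH" and rec.get("nametype") != "PARENT":
            ev["path"] = rec.get("name")                       # object the watch fired on
        elif rec["type"] == "EXECVE":
            argc = int(rec.get("argc", 0))
            ev["cmd"] = " ".join(rec.get(f"a{i}", "") for i in range(argc))
    return ev


def events_by_key(log_text):
    """Group records by serial, summarise each event, index by rule key."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            grouped[rec["serial"]].append(rec)
    by_key = defaultdict(list)
    for serial in sorted(grouped):
        ev = summarise_event(grouped[serial])
        by_key[ev["key"]].append(ev)
    return dict(by_key)


if __name__ == "__main__":
    for key, evs in events_by_key(SAMPLE_AUDIT_LOG).items():
        for ev in evs:
            print(f"{key or '-':<11} auid={ev['auid']} exe={ev['exe']} "
                  f"path={ev['path']} cmd={ev['cmd']} ok={ev['success']}")
```

Two details are worth keeping when adapting this: report `auid` rather than `uid`, because after `sudo` the `uid` is 0 but `auid` still names the person who logged in; and keep events with no key (the SSH login above) rather than discarding them, since they are what an investigation correlates the keyed events against.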
Linux Log Forwarding:
| Method | Best For | Configuration |
|---|---|---|
| rsyslog | Traditional syslog forwarding | Built-in, configure /etc/rsyslog.conf |
| Fluent Bit | Kubernetes, containerized | Lightweight, cloud-native |
| Filebeat | ELK Stack | Elastic ecosystem integration |
| Vector | High-volume, complex routing | Datadog acquisition, performant |
| journald remote | systemd environments | Native journal forwarding |
Network Infrastructure Logs
Routers, switches, and wireless controllers provide network visibility essential for incident investigation.
| Device Type | Log Types | Practical Minimum | Compliance Driver | Notes |
|---|---|---|---|---|
| Core/Distribution Switches | Port up/down, MAC table, spanning tree | 90 days | Network troubleshooting | Critical for lateral movement |
| Access Switches | Port security violations, 802.1X auth | 180 days | NAC compliance | Rogue device detection |
| Routers | Routing changes, ACL hits, BGP events | 90 days | Network integrity | Configuration change tracking |
| Wireless Controllers | Client associations, rogue AP, auth | 180 days | Wireless security | Location tracking capability |
| Load Balancers | Connection logs, health checks, SSL | 90 days | Application delivery | Performance and security |
| Network TAPs/Packet Brokers | Metadata only (not full capture) | 30 days | Traffic analysis | High volume, short retention |
Network Device Syslog Severity Guidance:
| Severity | Level | Retention Recommendation |
|---|---|---|
| 0-2 (Emergency, Alert, Critical) | Always retain | 12+ months |
| 3-4 (Error, Warning) | Important | 180 days |
| 5-6 (Notice, Informational) | Operational | 90 days |
| 7 (Debug) | Troubleshooting only | 7 days or disable |
Critical: Never run production network devices at debug level continuously. Enable debug only for active troubleshooting.
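Applying the severity tiers above at the collector requires decoding the PRI value that network devices prepend to every syslog message (PRI = facility × 8 + severity). The script below does that decoding, assigns each line to a retention tier from the table, and reports how much of a device's output is at debug level, which is the signal that someone left debugging on. This is an added example for this guide, not vendor or collector code; the log lines are constructed Cisco-style samples, and the tier values (365, 180, 90, 7 days) are the table's recommendations expressed as day counts.

```python
"""Decode syslog PRI headers from network devices and assign each message
to a retention tier from the severity table. Added example for this guide;
the sample lines are constructed."""
import re
from collections import Counter

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# Retention tier per severity, in days, following the guide's table:
# 0-2 always retain (12+ months), 3-4 180 days, 5-6 90 days, 7 debug 7 days
RETENTION_DAYS = {0: 365, 1: 365, 2: 365, 3: 180, 4: 180, 5: 90, 6: 90, 7: 7}

# RFC 3164/5424 style header: <PRI> followed by the message
PRI_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<msg>.*)$')

# Constructed samples; local7 (facility 23) is the usual default on switches
# and routers, so PRI 184..191 covers severities 0..7 for that facility.
SAMPLE_LINES = [
    "<186>Jan 17 10:00:01 core-sw1 %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
    "<187>Jan 17 10:00:02 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down",
    "<188>Jan 17 10:00:03 edge-rtr1 %SEC-4-ACL_LOG: list INBOUND denied tcp 203.0.113.10(51514) -> 10.0.0.7(22)",
    "<189>Jan 17 10:00:04 core-sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up",
    "<190>Jan 17 10:00:05 wlc1 %DOT1X-6-SUCCESS: user alice authenticated on port 12",
    "<191>Jan 17 10:00:06 edge-rtr1 %BGP-7-DEBUG: neighbor 10.0.0.2 keepalive sent",
    "Jan 17 10:00:07 core-sw1 message arrived without a PRI header",
]


def decode_pri(pri):
    """Return (facility, severity) for a PRI value; valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def classify(line):
    """Parse one line; returns None for lines that carry no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    facility, severity = decode_pri(pri)
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "retention_days": RETENTION_DAYS[severity],
        "message": m.group("msg"),
    }


def plan_retention(lines):
    """Count lines per retention tier. Lines with no usable PRI are counted
    separately so they are routed to a quarantine index, not silently lost."""
    tiers = Counter()
    malformed = 0
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            malformed += 1
        else:
            tiers[parsed["retention_days"]] += 1
    return {"tiers": dict(tiers), "malformed": malformed}


def debug_noise_ratio(lines):
    """Fraction of parseable lines at severity 7; a sustained non-zero value
    means a device is running at debug level in production."""
    parsed = [p for p in (classify(l) for l in lines) if p is not None]
    if not parsed:
        return 0.0
    return sum(1 for p in parsed if p["severity"] == 7) / len(parsed)


if __name__ == "__main__":
    print(plan_retention(SAMPLE_LINES))
    print(f"debug share: {debug_noise_ratio(SAMPLE_LINES):.1%}")
```

Routing by severity at ingestion, rather than keeping everything for the longest tier, is what makes the 12-month retention of emergency and critical messages affordable on high-volume devices.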
DNS, DHCP, and IPAM Logs
These infrastructure services are critical for incident investigation and attribution.
| Service | What to Log | Practical Minimum | Compliance Driver | Investigation Value |
|---|---|---|---|---|
| DNS Queries | Client IP, query, response, timestamp | 90 days | CIS Control 8.6 | Malware C2 detection |
| DNS Zone Changes | Record modifications, who, when | 12 months | Change management | DNS hijacking detection |
| DHCP Leases | MAC, IP, hostname, lease time | 180 days | IP attribution | “Who had this IP at this time?” |
| DHCP Scope Changes | Configuration modifications | 12 months | Change management | Unauthorized changes |
| IPAM Transactions | IP assignments, reservations | 12 months | Asset management | Historical IP ownership |
DNS Logging Specifics:
| DNS Platform | Configuration Location | Notes |
|---|---|---|
| Windows DNS | DNS Manager → Server Properties → Debug Logging | Also enable via Audit Policy |
| BIND | named.conf querylog option | High volume; consider sampling |
| Infoblox | Grid → DNS → Logging | Centralized logging built-in |
| Pi-hole | Built-in query log | Limited retention; forward to SIEM |
| Cloudflare Gateway | Dashboard or API | Cloud-native, varies by plan |
Email and Messaging Logs
Email logs support security investigations, HR inquiries, and legal discovery.
| Log Type | What It Contains | Practical Minimum | Compliance Driver | Notes |
|---|---|---|---|---|
| SMTP Transaction Logs | Sender, recipient, subject, size, status | 180 days | Email delivery troubleshooting | NOT message content |
| Message Tracking | Full routing path per message | 90 days | Delivery investigation | Exchange/M365 built-in |
| Spam/Phishing Verdicts | Filtered messages, threat type | 180 days | Security analysis | Phishing campaign tracking |
| DLP Alerts | Policy violations, data matches | 12 months | Compliance evidence | May contain sensitive data |
| Admin Audit Logs | Mailbox access, permission changes | 12 months | PCI-DSS, HIPAA | Privileged action tracking |
| Mailbox Audit Logs | Owner/delegate/admin actions | 180 days | Insider threat detection | M365: verify enabled per mailbox |
Email Gateway Vendor Notes (verify with vendor; varies by contract and configuration):
| Platform | Default Retention | Action Required |
|---|---|---|
| Microsoft 365 Message Trace | 10 days detailed, 90 days summary | Use Purview for longer retention |
| Proofpoint | Per contract/configuration | Configure Proofpoint Archive |
| Mimecast | Per contract | Verify archive settings |
| Barracuda | Local appliance dependent | Configure cloud archive |
| Cisco Email Security | Limited local | Forward to SIEM |
Database Audit Logs
Database logs are critical for data breach investigations and compliance evidence.
| Database | Audit Capability | Practical Minimum | Compliance Driver | Performance Impact |
|---|---|---|---|---|
| SQL Server | SQL Server Audit, Extended Events | 180 days | PCI-DSS, HIPAA, SOX | Moderate (tune carefully) |
| Oracle | Unified Auditing, Fine-Grained Audit | 180 days | PCI-DSS, HIPAA, SOX | Varies by policy |
| MySQL/MariaDB | General Query Log, Audit Plugin | 90 days | Depends on data | High (general query log) |
| PostgreSQL | pgAudit extension | 180 days | Depends on data | Low-moderate |
| MongoDB | Native Auditing (Enterprise) | 90 days | Depends on data | Moderate |
| Cloud Databases | RDS/Azure SQL/Cloud SQL audit | Per cloud guidance | All frameworks | Managed by provider |
What Database Actions to Audit:
| Action Category | Priority | Compliance Requirement |
|---|---|---|
| Login success/failure | Critical | All frameworks |
| Schema changes (DDL) | Critical | SOX, PCI-DSS |
| Privilege changes (GRANT/REVOKE) | Critical | PCI-DSS, HIPAA |
| Data access (SELECT on sensitive tables) | High | PCI-DSS (CHD), HIPAA (ePHI) |
| Data modification (INSERT/UPDATE/DELETE) | High | SOX, compliance evidence |
| Stored procedure execution | Medium | Depends on content |
| Backup/restore operations | Critical | Disaster recovery evidence |
Critical: Do NOT enable full query logging in production without understanding the performance impact. Audit specific sensitive tables and privileged operations.
Endpoint Security Logs
Antivirus, EDR, and endpoint protection logs are primary sources for threat detection.
| Source | What It Contains | Practical Minimum | Compliance Driver | Notes |
|---|---|---|---|---|
| Antivirus/EPP Detections | Malware name, path, action taken | 180 days | Malware incident tracking | Include quarantine events |
| EDR Telemetry | Process trees, file writes, network | 90 days | Threat hunting | Highest value for investigation |
| EDR Alerts/Detections | Correlated threat detections | 12 months | Incident history | Lower volume, longer retention |
| Device Control | USB/removable media events | 180 days | Data exfiltration detection | PCI-DSS environments |
| Application Control | Blocked/allowed executables | 90 days | Whitelist enforcement | High volume if in audit mode |
| Host Firewall | Local connection allow/deny | 90 days | Lateral movement | Often overlooked |
EDR Platform Retention Notes (verify current limits with vendor; subject to license tier and configuration):
| Platform | Console Retention | Long-term Option |
|---|---|---|
| CrowdStrike Falcon | ~90 days (Investigate) | Falcon Data Replicator to S3 |
| Microsoft Defender for Endpoint | ~180 days (Timeline), ~30 days (Advanced Hunting) | Stream to Sentinel |
| SentinelOne | 14-365 days (varies by license tier) | Deep Visibility data export |
| Carbon Black | Varies by deployment type | Forward to SIEM |
| Cortex XDR | License and configuration dependent | Cortex Data Lake retention |
Virtualization and Container Logs
Virtual infrastructure and container platforms require dedicated logging strategies.
| Platform | Log Types | Practical Minimum | Notes |
|---|---|---|---|
| VMware vCenter | Login, permission changes, VM operations | 180 days | Admin activity critical |
| VMware ESXi | hostd, vpxa, vmkernel | 90 days | Host-level events |
| Hyper-V | Hyper-V-VMMS, Hyper-V-Worker events | 90 days | Windows Event Logs |
| Kubernetes API Server | API audit logs | 90 days | Cluster-level operations |
| Kubernetes Nodes | kubelet, container runtime | 30 days | Node troubleshooting |
| Container stdout/stderr | Application output | 90 days | Application debugging |
| Docker Daemon | dockerd logs | 30 days | Container runtime events |
Kubernetes Audit Log Configuration:
```yaml
# Minimum audit policy for security monitoring
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Secrets and ConfigMaps: record who touched them, never their contents
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Requests attributed to the anonymous user (unauthenticated callers)
  - level: Metadata
    users: ["system:anonymous"]
  # Full request and response bodies for changes to workload resources
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods", "services"]
      - group: "apps"            # deployments live in the apps API group, not core
        resources: ["deployments"]
  # Catch-all: a request that matches no rule above is not logged at all
  - level: Metadata
```
Critical for Containers: Container logs are ephemeral by default. Without explicit logging configuration, logs are lost when containers restart. Deploy a log aggregation sidecar (Fluent Bit) or DaemonSet from day one.
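Audit policy rules are evaluated top to bottom and the first match decides the level, so rule order and the presence of a catch-all determine what the API server actually records. The evaluator below reproduces that first-match behaviour for the policy above (encoded as plain dictionaries so no YAML library is needed) and runs a handful of constructed requests through it, with and without the catch-all. This is an added example written for this guide, not Kubernetes code; it implements only the `users`, `verbs` and `resources` selectors, so namespaces, user groups and non-resource URLs are outside its scope.

```python
"""First-match evaluation of a Kubernetes audit policy, showing why a
catch-all rule matters: a request that matches no rule is not logged.
Added example for this guide; requests below are constructed."""
from dataclasses import dataclass

# The policy above, as dicts: level plus optional users/verbs/resources selectors
POLICY_RULES = [
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "Metadata", "users": ["system:anonymous"]},
    {"level": "RequestResponse",
     "verbs": ["create", "update", "patch", "delete"],
     "resources": [{"group": "", "resources": ["pods", "services"]},
                   {"group": "apps", "resources": ["deployments"]}]},
]
CATCH_ALL = {"level": "Metadata"}


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    group: str      # API group; "" is the core group
    resource: str


def resource_matches(rule, req):
    """A rule without 'resources' matches any resource; otherwise the group
    must match and the resource must be listed (empty list = whole group)."""
    if "resources" not in rule:
        return True
    for gr in rule["resources"]:
        if gr.get("group", "") != req.group:
            continue
        names = gr.get("resources", [])
        if not names or req.resource in names:
            return True
    return False


def rule_matches(rule, req):
    """Every selector present on the rule must match the request."""
    if "users" in rule and req.user not in rule["users"]:
        return False
    if "verbs" in rule and req.verb not in rule["verbs"]:
        return False
    return resource_matches(rule, req)


def audit_level(policy, req):
    """First matching rule wins; no match means the event is dropped ("None")."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


# Constructed requests covering each rule plus one that no rule matches
SAMPLE_REQUESTS = {
    "alice reads a secret": Request("alice", "get", "", "secrets"),
    "alice creates a secret": Request("alice", "create", "", "secrets"),
    "alice deletes a deployment": Request("alice", "delete", "apps", "deployments"),
    "alice lists pods": Request("alice", "list", "", "pods"),
    "anonymous lists pods": Request("system:anonymous", "list", "", "pods"),
}


def unlogged_requests(policy):
    """Names of the sample requests that the policy would not record."""
    return [name for name, req in SAMPLE_REQUESTS.items()
            if audit_level(policy, req) == "None"]


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:<28} -> {audit_level(POLICY_RULES, req)}")
    print("dropped without catch-all:", unlogged_requests(POLICY_RULES))
    print("dropped with catch-all:   ", unlogged_requests(POLICY_RULES + [CATCH_ALL]))
```

Note the effect of ordering on "alice creates a secret": the Secrets rule sits first, so the write is recorded at Metadata and the secret's body never enters the audit log, even though the later RequestResponse rule would otherwise have matched a create.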
Backup and Recovery Logs
Backup logs prove recovery capability and detect ransomware targeting backup systems.
| Log Type | What It Contains | Practical Minimum | Compliance Driver | Notes |
|---|---|---|---|---|
| Backup Job Logs | Start/end time, success/failure, size | 12 months | Disaster recovery evidence | Prove backups occurred |
| Restore Test Logs | Restore attempts, verification results | 12 months | Compliance evidence | Prove recoverability |
| Backup System Auth | Admin logins, configuration changes | 12 months | Ransomware protection | Attackers target backup credentials |
| Media Management | Tape rotations, offsite transfers | 12 months | Chain of custody | Physical media tracking |
| Replication Logs | DR replication status, lag | 90 days | RPO monitoring | Real-time protection verification |
Physical Security Logs
Badge readers and physical access logs support security investigations and may be required by compliance.
| System | Log Content | Practical Minimum | Compliance Driver | Notes |
|---|---|---|---|---|
| Badge Reader Access | Card ID, door, timestamp, grant/deny | 12 months | PCI-DSS (data centers), HIPAA | Correlate with logical access |
| Visitor Management | Visitor identity, sponsor, areas | 12 months | Facility security | Integration with badge system |
| Video Surveillance | Recorded footage | 30-90 days | Incident investigation | Storage-intensive |
| Alarm Systems | Arm/disarm, alerts, bypasses | 12 months | After-hours access | Integration with access control |
Certificate and PKI Logs
Certificate infrastructure logs support security and troubleshooting.
| Log Type | What It Contains | Practical Minimum | Compliance Driver | Notes |
| CA Audit Logs | Certificate issuance, revocation | 7 years | Certificate lifecycle | Match cert validity + buffer |
| Certificate Requests | CSR submissions, approvals/denials | 12 months | Request tracking | Who requested what |
| CRL/OCSP Logs | Revocation check requests | 90 days | Troubleshooting | High volume |
| Key Ceremony Logs | HSM access, key generation | Permanent | Compliance evidence | Critical security events |
IT Operations Log Retention Summary Table
This table provides a single reference for IT engineers to determine retention by system type.
| System Category | Log Type | Minimum Ops | PCI-DSS | HIPAA | SOX | CIS Baseline |
| Firewall | Traffic (allow/deny) | 90 days | 12 mo | 6 yr | 7 yr | 90 days |
| Firewall | Threat/IPS | 180 days | 12 mo | 6 yr | 7 yr | 90 days |
| Firewall | Admin changes | 12 months | 12 mo | 6 yr | 7 yr | 90 days |
| Windows | Security Event Log | 180 days | 12 mo | 6 yr | 7 yr | 90 days |
| Windows | PowerShell/Sysmon | 90 days | 12 mo | 6 yr | 7 yr | 90 days |
| Linux | auth.log/secure | 180 days | 12 mo | 6 yr | 7 yr | 90 days |
| Linux | auditd | 180 days | 12 mo | 6 yr | 7 yr | 90 days |
| Network Devices | Syslog (sev 0-4) | 90 days | 12 mo | 6 yr | 7 yr | 90 days |
| DNS | Query logs | 90 days | 12 mo | 6 yr | 7 yr | 90 days |
| DHCP | Lease logs | 180 days | 12 mo | 6 yr | 7 yr | 90 days |
| Email | SMTP/tracking | 180 days | 12 mo | 6 yr | 7 yr | 90 days |
| Database | Audit logs | 180 days | 12 mo | 6 yr | 7 yr | 90 days |
| EDR/AV | Detections | 180 days | 12 mo | 6 yr | 7 yr | 90 days |
| EDR | Telemetry | 90 days | 12 mo | 6 yr | 7 yr | 90 days |
| Virtualization | Admin/operations | 180 days | 12 mo | 6 yr | 7 yr | 90 days |
| Containers | API audit | 90 days | 12 mo | 6 yr | 7 yr | 90 days |
| Backup | Job logs | 12 months | 12 mo | 6 yr | 7 yr | 90 days |
| Physical Access | Badge events | 12 months | 12 mo | 6 yr | 7 yr | N/A |
| PKI/Certificates | CA audit | 7 years | 12 mo | 6 yr | 7 yr | 90 days |
How to read this table:
- “Minimum Ops” = recommended baseline for operational/investigation needs regardless of compliance (guidance, not mandate)
- Framework columns show regulatory requirements where applicable
- Find your applicable frameworks and use the longest period
- Example: Healthcare org with firewalls → HIPAA applies → 6 years for firewall logs
- Always verify current framework requirements against authoritative sources listed in Resources
Cloud Platform Default Retention Gaps
Most cloud platforms and SaaS services have default log retention periods that do not meet compliance requirements. IT teams must explicitly configure extended retention or export logs to long-term storage.
Verification Note: Cloud platform defaults change as vendors update their services. The values below reflect documented defaults as of January 2025. Always verify current retention settings against official vendor documentation before making compliance decisions. Links to authoritative documentation are provided in the Resources section.
Amazon Web Services (AWS)
| Service | Default Retention | Compliance Gap | Required Action |
| CloudTrail Event History | 90 days | Does not meet PCI-DSS 12-month requirement | Create trail with S3 destination; configure S3 lifecycle policies |
| CloudWatch Logs | Never expires (costly) | Cost-prohibitive for long-term | Set retention policy per log group; export to S3 for cold storage |
| VPC Flow Logs | Not enabled by default; retention is set by the destination | Nothing is captured until a flow log is created | Enable per VPC; send to S3 with a lifecycle policy, or to CloudWatch Logs with a retention policy on the log group |
| GuardDuty Findings | 90 days | Insufficient for incident forensics | Export to S3 via EventBridge or enable Detective |
| RDS/Aurora Logs | Days, engine-dependent (RDS for PostgreSQL rds.log_retention_period defaults to 3 days) | Far below any compliance standard | Publish engine logs to CloudWatch Logs; set a retention policy on the log group |
| Security Hub Findings | 90 days | Insufficient for compliance | Export to S3 via EventBridge automation |
| WAF Logs | No native retention | Must configure destination | Send to S3, CloudWatch, or Kinesis Firehose |
| ELB Access Logs | Not enabled by default; once enabled, objects in S3 are never deleted | Nothing captured until enabled; unmanaged growth afterward | Enable per load balancer; configure an S3 lifecycle policy on the bucket |
AWS Best Practice: Use S3 with Intelligent-Tiering or Glacier transitions for cost-effective long-term retention. Enable S3 Object Lock for WORM compliance where required (SEC 17a-4, FINRA).
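CloudWatch log groups are where the "never expires (costly)" and "7 days" defaults above most often go unnoticed. The following is an added example, not from the guide or from AWS: it audits a saved `aws logs describe-log-groups --output json` response (the sample below is constructed) against the controlling retention period and builds the exact `put-retention-policy` command for each gap. The list of accepted retention values is the one the CloudWatch API enforces; `nearest_valid_retention` rounds the requirement up to the next accepted value, and a group with no retention set is reported separately because it never expires but its cost is unbounded.

```python
"""Added example: audit CloudWatch log group retention against a requirement."""
import json

# Constructed sample shaped like `aws logs describe-log-groups --output json`;
# the group names and sizes are made up for this example.
SAMPLE_DESCRIBE_LOG_GROUPS = json.dumps({"logGroups": [
    {"logGroupName": "/aws/cloudtrail/org", "retentionInDays": 2192, "storedBytes": 9100000000},
    {"logGroupName": "/aws/rds/instance/prod-db/error", "retentionInDays": 7, "storedBytes": 3200000},
    {"logGroupName": "/aws/vpc/flowlogs", "storedBytes": 48000000000},
    {"logGroupName": "/aws/lambda/reporting", "retentionInDays": 30, "storedBytes": 52000000},
]})

# The only values put-retention-policy accepts; anything else is rejected by the API.
VALID_RETENTION_DAYS = (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                        731, 1096, 1827, 2192, 2557, 2922, 3288, 3653)


def nearest_valid_retention(required_days):
    """Smallest accepted CloudWatch value that is not below the requirement."""
    for days in VALID_RETENTION_DAYS:
        if days >= required_days:
            return days
    raise ValueError(f"{required_days} days exceeds the longest CloudWatch retention; export to S3")


def audit_log_groups(describe_output_json, required_days):
    """Return one finding per log group that does not meet required_days.

    A group with no retentionInDays never expires. That satisfies the minimum
    on paper but leaves cost unbounded, so it gets its own action text.
    """
    findings = []
    for group in json.loads(describe_output_json)["logGroups"]:
        name, current = group["logGroupName"], group.get("retentionInDays")
        if current is not None and current >= required_days:
            continue
        fix = (f"aws logs put-retention-policy --log-group-name {name} "
               f"--retention-in-days {nearest_valid_retention(required_days)}")
        if current is None:
            action = "never expires: export to S3 for the archive, then set explicit retention"
        else:
            action = f"below requirement by {required_days - current} days"
        findings.append({"logGroup": name, "current": current,
                         "required": required_days, "action": action, "fix": fix})
    return findings


if __name__ == "__main__":
    # HIPAA-driven requirement of 6 years (2190 days); rounds up to 2192.
    for finding in audit_log_groups(SAMPLE_DESCRIBE_LOG_GROUPS, 6 * 365):
        print(f"{finding['logGroup']}: {finding['action']}\n  {finding['fix']}")
```

Against a live account, save `aws logs describe-log-groups --output json` to a file and pass its contents in; the HIPAA figure of 2190 days rounds up to 2192, the nearest value CloudWatch accepts. Setting retention on a group only caps future growth, so export the existing backlog to S3 first.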
Microsoft Azure
| Service | Default Retention | Compliance Gap | Required Action |
| Activity Log | 90 days | Does not meet PCI-DSS | Export to Log Analytics workspace or Storage Account |
| Entra ID Sign-in Logs | 7 days (Free), 30 days (P1/P2) | Severely insufficient | Configure Diagnostic Settings to Log Analytics or Storage |
| Entra ID Audit Logs | 7 days (Free), 30 days (P1/P2) | Severely insufficient | Configure Diagnostic Settings to Log Analytics or Storage |
| NSG Flow Logs | Storage account dependent | No default policy | Configure Storage Account lifecycle management |
| Microsoft Sentinel | 90 days interactive (free tier) | Cost increases with retention | Configure archive tiers; use Basic Logs for cost optimization |
| Defender for Cloud Alerts | 90 days | Limited forensic window | Export via continuous export to Log Analytics or Event Hub |
| Azure Firewall Logs | Log Analytics dependent | Pay-per-retention | Set workspace retention; archive to Storage Account |
| Key Vault Logs | Not enabled by default | No visibility without action | Enable Diagnostic Settings |
Azure Best Practice: Use Log Analytics workspace with tiered retention (interactive to archive to Storage Account with cool/archive tiers). Configure Diagnostic Settings for every security-relevant service.
Microsoft 365
| Service | Default Retention | Compliance Gap | Required Action |
| Unified Audit Log (E3) | 180 days | Does not meet HIPAA 6-year or SOX 7-year | Upgrade to E5, or pull events into a SIEM through the Office 365 Management Activity API before the 180-day window closes |
| Unified Audit Log (E5) | 1 year default, up to 10 years | Requires explicit policy configuration | Create Audit Log Retention Policies in Microsoft Purview |
| Exchange Message Trace | 10 days (detailed), 90 days (summary) | Insufficient for security investigation | Use Purview eDiscovery or third-party archival |
| Defender for Endpoint Timeline | 180 days | Generally sufficient; verify against policy | Enable raw data export for longer retention |
| Defender Advanced Hunting | 30 days | Very limited for threat hunting | Stream to Sentinel or external SIEM |
M365 Best Practice: E5 licensing with Purview Audit (Premium) retention policies is required for multi-year compliance. Configure Microsoft Graph API export for independent archival of critical logs.
Google Cloud Platform (GCP)
| Service | Default Retention | Compliance Gap | Required Action |
| Cloud Audit Logs (Admin Activity) | 400 days | Meets PCI-DSS; insufficient for HIPAA/SOX | Configure log sink to Cloud Storage with retention policy |
| Cloud Audit Logs (Data Access) | 30 days | Does not meet any major framework | Enable and route to Cloud Storage immediately |
| Cloud Audit Logs (System Event) | 400 days | Same as Admin Activity | Configure sink for longer retention |
| Cloud Logging (Application) | 30 days | Insufficient | Create log sink; configure Cloud Storage lifecycle |
| VPC Flow Logs | 30 days | Insufficient | Export via log sink to Cloud Storage |
| Cloud Load Balancing Logs | 30 days in Logging | Insufficient | Configure export to BigQuery or Cloud Storage |
GCP Best Practice: Create organization-level log sinks to Cloud Storage with Object Lifecycle Management. Use BigQuery for queryable long-term retention of security-critical logs.
Security and Identity Platforms
| Platform | Service | Default Retention | Required Action |
| CrowdStrike | Falcon Console | Limited query window | Enable Falcon Data Replicator (FDR) to S3 |
| Okta | System Log | 90 days | Configure Log Streaming to SIEM or cloud storage |
| Duo | Admin Logs | 180 days | Use Admin API for export to long-term storage |
| SentinelOne | Deep Visibility | 14 days default | Upgrade retention tier or export to SIEM |
| Zscaler | Log Retention | 6 months typical | Configure Nanolog Streaming Service (NSS) for archival |
| Palo Alto | Cortex Data Lake | License-dependent | Verify contract terms; configure Log Forwarding App |
SaaS and Collaboration Platforms
| Platform | Default Retention | Compliance Gap | Required Action |
| Slack (Business+) | 1 year messages; audit logs vary | May require Enterprise Grid | Configure Enterprise Grid with Discovery API export |
| Slack (Enterprise Grid) | Configurable | Requires explicit policy | Set org-wide retention; use Audit Logs API |
| GitHub Enterprise | 180 days audit log | Insufficient for most compliance | Use Audit Log Streaming to SIEM or cloud storage |
| Salesforce | Setup Audit Trail 180 days | Insufficient | Enable Salesforce Shield Event Monitoring; export |
| Atlassian Cloud | Audit logs 180 days | Insufficient | Use Atlassian Access (Premium) with SIEM forwarding |
| Box | Enterprise Events 7 years (Enterprise plan) | Generally compliant | Verify plan level; enable Events Stream for SIEM |
| Zoom | 1 year for most logs | Verify against requirements | Use Zoom Reports API for archival export |
| ServiceNow | Table rotation policies vary | Check specific tables | Configure archive tables; export to data lake |
Infrastructure and Database
| Platform | Default Retention | Compliance Gap | Required Action |
| Kubernetes Audit Logs | Written to --audit-log-path on the control-plane node (or to a webhook); lost with the node | Critical gap | Ship them with a Fluent Bit/Fluentd DaemonSet or an audit webhook to persistent storage |
| Docker Container Logs | json-file on the host with no rotation; deleted with the container | Complete gap once containers are removed | Set a logging driver (or max-size/max-file) and forward to persistent storage |
| MongoDB Atlas | 30 days audit logs | Insufficient | Configure third-party log integration |
| Snowflake | Query History 365 days | Generally meets PCI-DSS | Use Account Usage views for longer analysis |
| Elastic Cloud | Index lifecycle dependent | Must configure ILM | Set Index Lifecycle Management policies |
Storage Tier Implementation
Effective log retention balances access speed, storage cost, and compliance requirements.
| Tier | Typical Retention | Storage Type | Use Case | Relative Cost |
| Hot | 1-7 days | SSD/NVMe, Fully Indexed | Real-time alerting, active investigations | $$$$$ (Highest) |
| Warm | 30-90 days | HDD/Hybrid, Partially Indexed | Historical analysis, threat hunting | $$$ (Moderate) |
| Cold | Months to 1 year | Object Storage (S3 Standard-IA, Azure Cool) | Compliance retention, infrequent forensics | $$ (Low) |
| Frozen/Archive | Years (1-7+) | Glacier, Archive Tier, Tape | Long-term compliance, legal hold | $ (Lowest) |
Cost optimization strategies:
- Compression: Most log data compresses 80-90%
- Selective retention: Full fidelity for security logs; sampled/aggregated for operational logs
- Log level adjustment: Reduce DEBUG/TRACE in production unless actively troubleshooting
- Deduplication: Eliminate redundant log collection paths
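The "use the longest period" rule from the summary table and the hot-to-archive transitions above can be encoded rather than applied by hand. The following is an added example, not tooling from the guide: it resolves the controlling retention period from the applicable frameworks (using the day counts this guide's summary table uses, with 365-day years), checks the transition ages against the minimum-age rules S3 enforces, and emits an S3 lifecycle rule plus the Object Lock default-retention body for WORM buckets. The prefix, the rule ID format, and the 30/90-day transition points are assumptions chosen for the example.

```python
"""Added example: turn framework requirements into an S3 lifecycle rule."""
import json

# Retention floors in days, as used by the summary table above (365-day years).
FRAMEWORK_RETENTION_DAYS = {
    "PCI-DSS": 365,
    "HIPAA": 6 * 365,
    "SOX": 7 * 365,
    "CIS": 90,
}

# Documented S3 lifecycle constraints: an object stays in Standard at least 30
# days before Standard-IA, and in Standard-IA at least 30 days before moving on.
MIN_DAYS_BEFORE_IA = 30
MIN_DAYS_IN_IA = 30


def required_retention_days(frameworks, ops_minimum_days=0):
    """Controlling period: the longest applicable framework, never below the
    operational baseline the summary table calls 'Minimum Ops'."""
    unknown = sorted(set(frameworks) - set(FRAMEWORK_RETENTION_DAYS))
    if unknown:
        raise ValueError(f"no retention figure on file for: {unknown}")
    return max([FRAMEWORK_RETENTION_DAYS[f] for f in frameworks] + [ops_minimum_days])


def lifecycle_rule(prefix, retention_days, ia_after=30, glacier_after=90):
    """One rule in put-bucket-lifecycle-configuration format.

    Transitions that would land on or after the expiration day are dropped,
    because S3 rejects an expiration that is not later than every transition.
    """
    if ia_after < MIN_DAYS_BEFORE_IA:
        raise ValueError(f"Standard-IA transition must be >= {MIN_DAYS_BEFORE_IA} days")
    if glacier_after < ia_after + MIN_DAYS_IN_IA:
        raise ValueError(f"Glacier transition must be >= {MIN_DAYS_IN_IA} days after Standard-IA")
    transitions = []
    if ia_after < retention_days:
        transitions.append({"Days": ia_after, "StorageClass": "STANDARD_IA"})
        if glacier_after < retention_days:
            transitions.append({"Days": glacier_after, "StorageClass": "GLACIER"})
    rule = {
        "ID": f"retain-{prefix.strip('/').replace('/', '-')}-{retention_days}d",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Expiration": {"Days": retention_days},
        # Abandoned multipart uploads are billed but never become objects.
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }
    if transitions:
        rule["Transitions"] = transitions
    return rule


def lifecycle_configuration(prefix, frameworks, ops_minimum_days=0):
    """Full request body for put-bucket-lifecycle-configuration."""
    days = required_retention_days(frameworks, ops_minimum_days)
    return {"Rules": [lifecycle_rule(prefix, days)]}


def object_lock_configuration(retention_days, mode="COMPLIANCE"):
    """put-object-lock-configuration body for WORM buckets (SEC 17a-4 / FINRA).

    Lifecycle expiration cannot delete a locked object before its retain-until
    date, so the lock period must equal the controlling retention period.
    """
    if mode not in ("COMPLIANCE", "GOVERNANCE"):
        raise ValueError("mode must be COMPLIANCE or GOVERNANCE")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": retention_days}}}


if __name__ == "__main__":
    # Healthcare merchant: PCI-DSS and HIPAA both apply, ops baseline 180 days.
    cfg = lifecycle_configuration("AWSLogs/cloudtrail/", ["PCI-DSS", "HIPAA"], 180)
    print(json.dumps(cfg, indent=2))
    days = cfg["Rules"][0]["Expiration"]["Days"]
    print(json.dumps(object_lock_configuration(days), indent=2))
```

Apply the output with `aws s3api put-bucket-lifecycle-configuration --bucket <bucket> --lifecycle-configuration file://rules.json`. Note the CIS-only case: a 90-day requirement keeps the Standard-IA transition but drops the Glacier one, because an expiration on day 90 cannot coexist with a transition on day 90. Object Lock has to be enabled when the bucket is created, and COMPLIANCE mode cannot be shortened by any principal, including the root user, which is the property the WORM requirement needs.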
Secure Destruction Requirements
When retention periods expire, logs must be securely destroyed following the NIST SP 800-88 Guidelines for Media Sanitization, which define three levels:
Clear: Logical techniques (overwriting) protecting against simple, non-invasive recovery. Acceptable for non-sensitive data on media being reused within the organization.
Purge: Physical or logical techniques (degaussing, cryptographic erase) rendering recovery infeasible even with state-of-the-art laboratory techniques. Required for sensitive data on media leaving organizational control.
Destroy: Physical destruction (shredding, incineration, disintegration) rendering recovery infeasible and the media unusable.
Cloud caveat: with object storage you never touch the media, so a lifecycle expiration is only a logical delete. The practical equivalent of Purge is cryptographic erase: encrypt each retention class of archives with its own customer-managed key and schedule that key for deletion once every object it protects has expired and no legal hold applies.
Documentation requirement: Maintain destruction certificates including date, method, personnel performing destruction, and verification method. Retain destruction certificates for a minimum of 7 years, a conservative practice that matches the longest (SOX) period in this guide.
Implementation Checklist
For each cloud service and SaaS platform in your environment:
- [ ] Document default retention period for each log-generating service
- [ ] Identify the controlling compliance requirement (the longest period among the frameworks that apply)
- [ ] Calculate retention gap (required period minus default)
- [ ] Configure export/streaming to long-term storage
- [ ] Set lifecycle policies for tiered storage transitions (hot → warm → cold → archive)
- [ ] Verify log integrity controls (immutability, checksums, WORM where required)
- [ ] Test retrieval from cold/archive storage before audit
- [ ] Document configuration in system security plan
- [ ] Establish automated alerts for retention policy failures
- [ ] Schedule annual review of retention requirements against framework updates
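The integrity and retrieval-test items in the checklist are easier to prove with a tamper-evident manifest over the archive. The following is an added example, not the guide's own tooling: each archived batch gets a SHA-256, and each manifest entry carries an HMAC over its name, its digest and the previous entry's MAC, so editing, deleting or reordering a batch breaks verification. The batch contents and key are constructed for the example; the key is assumed to live in a KMS or HSM-backed secret away from the archive, and the final `head` MAC is assumed to be recorded somewhere the archive writer cannot alter (a ticket, a WORM bucket), which is what makes truncation of the tail detectable.

```python
"""Added example: hash-chained, keyed manifest for archived log batches."""
import hashlib
import hmac

GENESIS = "0" * 64  # previous-MAC value for the first entry

# Constructed sample: three daily firewall batches as they would sit in cold storage.
SAMPLE_BATCHES = {
    "firewall-2026-01-14.log": b"2026-01-14T00:00:01Z deny tcp 10.0.0.5 -> 203.0.113.9:445\n",
    "firewall-2026-01-15.log": b"2026-01-15T00:00:03Z allow tcp 10.0.0.7 -> 198.51.100.2:443\n",
    "firewall-2026-01-16.log": b"2026-01-16T00:00:09Z deny udp 10.0.0.5 -> 203.0.113.9:53\n",
}
# Assumption: in production this key comes from a KMS/HSM-backed secret, not from
# the archive itself; anyone holding bucket write access must not hold the key.
SAMPLE_KEY = b"example-manifest-key-replace-with-kms-secret"


def _entry_mac(key, name, sha256_hex, prev_mac):
    """HMAC binding an entry to its content digest and to its predecessor."""
    msg = f"{name}\n{sha256_hex}\n{prev_mac}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(batches, key):
    """Return (entries, head). Entries are chained in name order; head is the
    last MAC and should be recorded out of band when the manifest is written."""
    entries, prev = [], GENESIS
    for name in sorted(batches):
        digest = hashlib.sha256(batches[name]).hexdigest()
        mac = _entry_mac(key, name, digest, prev)
        entries.append({"name": name, "sha256": digest, "prev": prev, "mac": mac})
        prev = mac
    return entries, prev


def verify_manifest(entries, batches, key, expected_head=None):
    """Recompute every link and digest; return (ok, problems).

    Detects edited batches, edited manifest fields, deleted or reordered
    entries, batches that no entry covers and, when expected_head is supplied,
    a manifest whose tail was cut off.
    """
    problems, prev = [], GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev:
            problems.append(f"{e['name']}: chain break at entry {i}")
        expected_mac = _entry_mac(key, e["name"], e["sha256"], e["prev"])
        if not hmac.compare_digest(expected_mac, e["mac"]):
            problems.append(f"{e['name']}: bad MAC (manifest entry altered or wrong key)")
        data = batches.get(e["name"])
        if data is None:
            problems.append(f"{e['name']}: batch missing from storage")
        elif hashlib.sha256(data).hexdigest() != e["sha256"]:
            problems.append(f"{e['name']}: content changed")
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        problems.append("head mismatch: manifest truncated or replaced")
    for name in sorted(set(batches) - {e["name"] for e in entries}):
        problems.append(f"{name}: batch not covered by manifest")
    return (not problems), problems


if __name__ == "__main__":
    entries, head = build_manifest(SAMPLE_BATCHES, SAMPLE_KEY)
    print("clean archive:", verify_manifest(entries, SAMPLE_BATCHES, SAMPLE_KEY, head))
    edited = dict(SAMPLE_BATCHES)
    edited["firewall-2026-01-15.log"] = edited["firewall-2026-01-15.log"].replace(b"allow", b"deny")
    print("edited batch:", verify_manifest(entries, edited, SAMPLE_KEY, head))
```

Run the verification as part of the pre-audit retrieval test: restoring a sample from the archive tier and checking it against the manifest proves both recoverability and integrity in one step. A keyed chain like this detects tampering by whoever can write to the bucket but does not hold the key; it does not prevent it, which is what Object Lock is for.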
Authoritative Sources and Resources
Primary Regulatory Sources
Payment Card Industry
- PCI Security Standards Council: https://www.pcisecuritystandards.org/
- Document Library (PCI-DSS 4.0): https://www.pcisecuritystandards.org/document_library/
- Effective Daily Log Monitoring Guidance: https://www.pcisecuritystandards.org/documents/Effective-Daily-Log-Monitoring-Guidance.pdf
Healthcare (HIPAA)
- HHS HIPAA Security Rule: https://www.hhs.gov/hipaa/for-professionals/security/index.html
- 45 CFR Part 164: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
- Technical Safeguards Guidance: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Financial (SOX, SEC, FINRA, GLBA)
- SEC Sarbanes-Oxley Act: https://www.sec.gov/about/laws/soa2002.pdf
- SEC Rule 17a-4: https://www.sec.gov/rules/final/34-38245.txt
- FINRA Rule 4511: https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511
- FTC GLBA Safeguards Rule: https://www.ftc.gov/legal-library/browse/rules/safeguards-rule
Federal Guidance (NIST)
- NIST SP 800-92 (Log Management): https://csrc.nist.gov/pubs/sp/800/92/final
- NIST SP 800-171 Rev 2: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final (Rev 3, the current revision: https://csrc.nist.gov/pubs/sp/800/171/r3/final)
- NIST SP 800-88 Rev 1 (Media Sanitization): https://csrc.nist.gov/pubs/sp/800/88/r1/final
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
International Standards
- ISO 27001:2022: https://www.iso.org/standard/27001
- ISO 27002:2022: https://www.iso.org/standard/75652.html
Industry Best Practices
- CIS Controls v8: https://www.cisecurity.org/controls
- CIS Control 8 (Audit Log Management): https://www.cisecurity.org/controls/audit-log-management
Privacy Regulations
- GDPR Official Text (EUR-Lex): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- CCPA/CPRA (California AG): https://oag.ca.gov/privacy/ccpa
Employment and Safety
- OSHA Recordkeeping: https://www.osha.gov/recordkeeping
- 29 CFR 1910.1020: https://www.osha.gov/laws-regs/regulations/standardnumber/1910/1910.1020
- DOL FLSA Recordkeeping: https://www.dol.gov/agencies/whd/flsa
- EEOC Recordkeeping: https://www.eeoc.gov/employers/recordkeeping-requirements
- IRS Record Retention: https://www.irs.gov/businesses/small-businesses-self-employed/how-long-should-i-keep-records
Cloud Platform Documentation
Amazon Web Services
- CloudTrail: https://docs.aws.amazon.com/cloudtrail/
- CloudWatch Logs: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/
- S3 Lifecycle: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
- Security Hub: https://docs.aws.amazon.com/securityhub/
Microsoft Azure
- Activity Log: https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log
- Log Analytics: https://docs.microsoft.com/azure/azure-monitor/logs/log-analytics-overview
- Microsoft Sentinel: https://docs.microsoft.com/azure/sentinel/
Microsoft 365
- Unified Audit Log Retention: https://docs.microsoft.com/microsoft-365/compliance/audit-log-retention-policies
- Microsoft Purview: https://docs.microsoft.com/microsoft-365/compliance/
Google Cloud Platform
- Cloud Logging: https://cloud.google.com/logging/docs
- Cloud Audit Logs: https://cloud.google.com/logging/docs/audit
Glossary
| Term | Definition |
| Audit Trail | Chronological record providing documentary evidence of the sequence of activities affecting a specific operation, procedure, or event |
| Business Associate | Under HIPAA, a person or entity performing functions involving use or disclosure of PHI on behalf of a covered entity |
| Chain of Custody | Documentation showing seizure, custody, control, transfer, analysis, and disposition of evidence |
| Covered Entity | Under HIPAA: health plans, healthcare clearinghouses, and healthcare providers transmitting health information electronically |
| CUI | Controlled Unclassified Information requiring safeguarding per law, regulation, or government-wide policy |
| ePHI | Electronic Protected Health Information created, stored, transmitted, or received electronically |
| Hot Storage | High-performance, immediately accessible storage (SSD/NVMe) for real-time analysis |
| Litigation Hold | Legal requirement to preserve all relevant documents when litigation is reasonably anticipated |
| SIEM | Security Information and Event Management technology aggregating, correlating, and analyzing security events |
| WORM | Write Once Read Many storage preventing modification or deletion after initial write |
This document provides general guidance based on publicly available regulatory requirements as of January 2026. Organizations should consult qualified legal counsel and compliance professionals to determine specific obligations. Retention requirements are subject to change through regulatory amendment. Always verify against primary authoritative sources.