What Do You Do with Audit and Event Logs?

By Roger Poole posted 05-19-2010 10:10


**Views expressed in this blog are my personal views and not those of my employer. Any reference to any living person or organisation, past or present, is entirely co-incidental**

As any blogger is allowed to do, let me play devil’s advocate for a moment.

We may think we speak the same language, and profess to share common objectives with our technology counterparts, but occasionally the chasm opens up between us to reveal just how far apart it is possible to be.

Let me lay before you an example – audit/event logs.

I have engaged in a number of conversations over recent weeks regarding the treatment of system audit logs from a Records Management perspective, in particular regarding retention.  I thought it may help to share some of these here in the hope that it may widen the debate.

I started with the difficulty encountered when seeking to define the “what” question: “Exactly what are you referring to? Help me narrow it down a bit.”

“Well”, came the responses, and we began:

  • Logging security related events, used to identify and track external or internal attacks - Information Security
  • Real time intrusion detection logs – Information Security
  • Recording changes made to a system in a log – Change management
  • The creation of an audit trail down to key stroke level – Investigations / Forensics
  • Identifying policy violations – Information Security
  • Optimising system and network performance – Information Technology
  • Identifying operational trends and long term problems - Information Technology

The picture doesn’t get any clearer when, as you trawl through the Internet looking for that compelling piece of guidance, law or regulation, you constantly return to the same well-meaning commentary, which I broadly paraphrase:

  • developing specific recommendations is very difficult because there is no consensus
  • retain activity logs for 3 to 7 years
  • logs are required to be retained for SOX purposes
  • retain as required by local law or regulation……

… you don’t say…

But one thing is clear, amongst the myriad of descriptions and purposes attributed to computer generated logs, there is consensus on a few things across the technology industry:

  • Logs are important – you only need to consider what they could prove or disprove
  • They are big and getting bigger – the logs have a huge propensity to consume storage
  • Some uses are well defined – Information Security for instance
  • Others are less so – for instance the real potential to evidence management control

So what is the answer? These logs started out for administrative purposes but are gradually (well, as gradually as the poles are melting) morphing into something else; something far more challenging and interesting to the Records Manager. Or do we simply fall back on retaining logs indefinitely because they underpin a transaction, and ride out all the inevitable arguments regarding storage capacity... or none of the above?


#change #Security #ElectronicRecordsManagement #retention #SOX #auditlogs #eventlogs #regulations #audittrail
1 comment


07-07-2017 10:40

This is an old community entry. But I'd like to revive it because it becomes relevant for us.
So I'd like to repeat the question so well formulated by my AIIM colleague: what to do with archive system logs.

My 5 cts would be: the logs are owned by the 'data controller', so the IT archive owner. They are not related/linked to individual legal records in the archive. Rather they belong to the archive system. So my thoughts are: keep the logs indefinitely, on the cheapest storage you can find. And keep 1 year's worth in our Hadoop-based cold archive, where it can be retrieved via report viewing.

Let me know your thoughts?