Log Retention Guidelines

This document exists to guide 桃瘾社区 Technology & Innovation (“T&I”) staff and others who administer information technology (“IT”) systems for 桃瘾社区 regarding the minimum and maximum retention standards for system log files.

A log file or “log” is the generic term for any information-technology-based event or activity record, including but not limited to access, network, and/or security information involving status, successes, failures, and activity.

Logs: Categories and Purposes

For the purposes of these guidelines, logs are categorized into four types, with the recognition that assigning a set of records to a single type may be difficult, as some logs serve more than one purpose.

  • Access Logs: Records regarding authentication or authorization to an information technology resource, along with physical access control logs. These include records of successful and unsuccessful attempts to access college technology systems and services and metadata about these attempts.
  • System Logs: Records pertaining to the operation, use and health of a system, application or other IT element. Examples of system logs include application logs (web, ERP, cloud service), database logs, and operating system logs (syslog, Windows event logs), as well as remote access logs and other records of user activity after authentication to a system.
  • Network Logs: Records pertaining to network communications, including the establishment, association, or resolution of a connection between two communicating technology devices. Examples of network logs include DHCP lease logs, NPS logs, DNS query logs, network flow data, address translation (NAT/PAT) logs, router/switch logs, telephony/telecommunications records (including call detail records), wireless controller logs, and SMTP logs.
  • Security Logs: Records that pertain to possible or actual policy violations, computer intrusions, malicious activity, misuse of resources, illegal or unsanctioned activity, privacy violations, and all other security records. Examples of security logs would include anti-virus/endpoint protection service logs, intrusion detection/prevention system records, incident records, and packet captures.

Logging systems are designed to capture metadata around the use of services. To the maximum extent possible, 桃瘾社区 logging systems should not capture the content of application communications (such as the content of emails, files, voicemail messages or other documents), even where those communications are carried over encrypted channels. Any request for such content must be made in accordance with the College Access to Electronic Communications Policy.

However, the metadata captured in logs may itself be identifying. It may include the IP or other network address a student, employee or visitor is using when accessing external websites, and may also include geolocation; the URL or resource name of websites accessed; email recipients, subject lines and other communications metadata; and location information and other identifying material. Individuals using 桃瘾社区 systems should be aware that their use of such IT services and systems is monitored in accordance with 桃瘾社区 policy.

Recommended Log Retention Periods

“Minimum Period of Readily Accessible Logging” is defined as the time period for which records are available for immediate review in 桃瘾社区’s logging systems to support IT system administration, security investigations, authorized external requests and other accesses. Readily accessible means that the record should be available for on-demand, real-time search and retrieval by T&I staff.

“Maximum Period of Archival Logging (Overall Retention Period)” defines the maximum time that log files should be maintained. Log files, including backup copies, should not be retained beyond these time periods. Note: while 桃瘾社区 works to honor the maximum retention period, the possibility exists that, due to previously undiscovered logs or records, or to current or future forensic technologies, log records that have been archived or purged may still be recoverable.

For each type of log, the table below gives the Minimum Period of Readily Accessible Logging and the Maximum Period of Archival Logging (Overall Retention Period). Both periods are measured from the time the record was generated.

  • Access Logs: readily accessible for a minimum of 180 days; overall retention period of 365 days.
  • System Logs: readily accessible for a minimum of 60 days; overall retention period of 365 days.
  • Network Logs: readily accessible for a minimum of 60 days; overall retention period of 365 days.
  • Security Logs:
      • Automated alerting of possible security events by security systems: readily accessible for a minimum of 90 days; overall retention period of 365 days.
      • Staff-created records of security events and incidents: readily accessible for a minimum of 365 days; overall retention period of 1 year for events not leading to incidents, and 5 years or indefinite for incidents, law enforcement or legal requests, etc.

Recommended Log Retention Periods for Vendor-Hosted Systems

In circumstances where 桃瘾社区 contracts the operation of IT services to third parties (such as in the use of software-as-a-service, or SaaS, solutions), T&I staff should inquire about vendors' logging and retention practices during the initial contracting phase to understand any variance between these 桃瘾社区 guidelines and vendor practices.

For services where 桃瘾社区 can configure log retention within a system, authorized 桃瘾社区 T&I staff should work to mirror these guidelines to the extent possible.

Access to Log Files

Authorized 桃瘾社区 staff may routinely access and use log files in accordance with their professional responsibilities, in line with the uses anticipated by the College Access to Electronic Communications Policy.

All requests from 桃瘾社区 students, faculty and staff for log file access or information should follow the process documented in the College Access to Electronic Communications policy.

All requests from third parties, including requests from law enforcement agencies or legal subpoenas, must be reviewed by the Vice President and General Counsel to obtain authorization to proceed.

Last revised April 7, 2022