
Message from hoggatta@otc.edu

Greetings all,

We have been reviewing our current process for logging Internet use of students/faculty/staff.  One aspect we’ve been debating is how long to store the firewall logs for Internet use of our users.  This includes building and teardown of connections, as well as NAT translation records.  Our perimeter firewall generates a copious amount of logs per day and we are trying to determine how long “long enough” is.

Would anyone be willing to share their input as to how long they store this type of information?  Any and all input is greatly appreciated.

Thank You,

Andy Hoggatt
Ozarks Technical Community College
Network Security Systems Administrator
hoggatta@otc.edu
417.447.7535

Comments

Message from educause-lists@nathanielhall.com

IMHO, I would say it would be acceptable to keep the current semester's logs plus the previous semester's.  Since most packages will use a rotation specified in weeks, I would probably say about 30 weeks of active logs.  You should also keep in mind that you can keep X number of weeks active and the remaining weeks archived on tape.  That will help you maintain disk space while keeping the logs available for needed situations.

It is also important to consult with the school's legal counsel.  They may request a minimum or maximum of 30, 60, 90 days or more.

--
I am many things, but I am not a lawyer, accountant, or agent of the federal, state, or local government.
Nathaniel Hall
On 1/5/2012 4:12 PM, HOGGATT, ANDY F. wrote:

To me, "acceptable" is the lowest common denominator, not ideal.

I think you should first define a policy on the purpose of keeping such log information, and publish it in your AUP.  Is it for monitoring users, or is it for troubleshooting problems or issues?  I suspect most of us fall into the latter, and for that purpose 30 days should be more than adequate.  You also should consider a policy of what, if anything, you do with that log information you collect and hold for whatever time you determine.

My personal thought is that the more user information you log and store, the more responsibility IT has should an issue arise.  After all, "it was in your logs, why didn't you catch it and do something about it?"

Just my two cents...  And I concur if you have any questions, work with your legal team.

---
Dave Koontz
Mary Baldwin College


On 1/5/2012 6:08 PM, Nathaniel Hall wrote:

On 01/05/2012 05:08 PM, Dave Koontz wrote:
> My personal thought is that the more user information you log and store, the
> more responsibility IT has should an issue arise. After all, "it was in your
> logs, why didn't you catch it and do something about it"

The longer you keep logs, the more you open yourself up to discovery requests should a suit or other legal action arise.  The more data to go through, the more man hours it takes to do so.  I'm not saying to dump your logs as fast as possible, but you need to keep discovery in mind as well as why you need the logs in the first place (troubleshooting, monitoring, etc).

You should sit down with your campus lawyer(s) and discuss this with them as well as asking for advice here.  They may have some important input to the process that you will need to keep in mind as you work this out.

--
Mike Iglesias                          Email: iglesias@uci.edu
University of California, Irvine       phone: 949-824-6926
Office of Information Technology       FAX:   949-824-2270

Message from valdis.kletnieks@vt.edu

On Thu, 05 Jan 2012 19:37:44 PST, Mike Iglesias said:
> The longer you keep logs, the more you open yourself up to discovery requests
> should a suit or other legal action arise. The more data to go through, the
> more man hours it takes to do so. I'm not saying to dump your logs as fast as
> possible, but you need to keep discovery in mind as well as why you need the
> logs in the first place (troubleshooting, monitoring, etc).
>
> You should sit down with your campus lawyer(s) and discuss this with them as
> well as asking for advice here. They may have some important input to the
> process that you will need to keep in mind as you work this out.

What the heck, I just posted this URL a few seconds ago on a similar thread on NANOG...

https://www.eff.org/wp/osp - Best Practices for Online Service Providers.

And what Mike said - take the EFF recommendations and run them past a lawyer you paid to give you advice.  With luck, you'll find a policy that makes both the EFF and your lawyer happy. :)

Andy,

A group of security officers in Iowa developed a guideline a few years ago to assist with log retention decision making for three general categories of logs.  We suggest a minimum retention of 30 days for NAT logs, with a maximum retention of one year.  See http://itsecurity.uiowa.edu/bestprac/borlogguide.shtml for the full guideline.  I would echo that keeping logs no longer than their intended purpose requires is a best practice.

 

Jane Drews

University of Iowa
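The tiered scheme that comes up in this thread (Nathaniel's "X weeks active on disk, the rest archived on tape", plus the Iowa guideline's 30-day minimum and one-year maximum for NAT logs) is easy to get wrong at the boundaries, so here is a small retention planner as an added illustration. It is not code from any poster, from the Iowa guideline, or from any firewall vendor. It assumes a hypothetical file-name convention for daily firewall log files (fw-YYYY-MM-DD.log, optionally .gz), uses constructed sample names, and treats the windows as parameters so a site can substitute its own figures; the one thing it refuses to do is accept an active window shorter than the minimum retention floor.

```python
"""Tiered firewall-log retention planner.

Added illustration, not code from any poster or from the Iowa guideline.
It models the approach discussed in the thread: keep a number of weeks of
logs active on disk, archive older ones, and purge anything past a hard
maximum, while refusing policies that undercut a minimum retention floor.
"""
import re
from datetime import date

# Assumed (hypothetical) naming convention for daily firewall log files:
# fw-YYYY-MM-DD.log, optionally gzip-compressed as fw-YYYY-MM-DD.log.gz.
LOG_NAME_RE = re.compile(r"^fw-(\d{4})-(\d{2})-(\d{2})\.log(?:\.gz)?$")

# Windows taken from the thread: roughly 30 weeks active (Nathaniel Hall),
# at least 30 days and at most one year for NAT logs (Iowa guideline).
DEFAULT_ACTIVE_WEEKS = 30
MIN_RETENTION_DAYS = 30
MAX_RETENTION_DAYS = 365

# Reference "today" for the constructed sample: the date of the thread.
THREAD_DATE = date(2012, 1, 5)

# Constructed sample file names (not real logs), chosen to sit on the
# tier boundaries: 210 days is exactly 30 weeks, 365 days exactly one year.
SAMPLE_FILES = [
    "fw-2012-01-05.log",     # today: active
    "fw-2011-06-09.log.gz",  # 210 days old: still active (boundary)
    "fw-2011-06-08.log",     # 211 days old: archive
    "fw-2011-01-05.log",     # 365 days old: archive (boundary)
    "fw-2011-01-04.log",     # 366 days old: purge
    "other.txt",             # not a firewall log: ignored
]


def parse_log_date(filename):
    """Return the date encoded in a log file name, or None if it does not match."""
    m = LOG_NAME_RE.match(filename)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # a name such as fw-2011-13-40.log is not a valid date
        return None


def validate_policy(active_weeks, max_retention_days,
                    min_retention_days=MIN_RETENTION_DAYS):
    """Return the active window in days, rejecting inconsistent windows."""
    active_days = active_weeks * 7
    if active_days < min_retention_days:
        raise ValueError(
            f"active window of {active_days} days is below the "
            f"{min_retention_days}-day minimum retention")
    if max_retention_days < active_days:
        raise ValueError("maximum retention cannot be shorter than the active window")
    return active_days


def classify(filename, today, active_weeks=DEFAULT_ACTIVE_WEEKS,
             max_retention_days=MAX_RETENTION_DAYS):
    """Return 'active', 'archive' or 'purge' for a log file, or None if ignored."""
    log_date = parse_log_date(filename)
    if log_date is None:
        return None
    active_days = validate_policy(active_weeks, max_retention_days)
    age_days = (today - log_date).days
    if age_days > max_retention_days:
        return "purge"
    if age_days > active_days:
        return "archive"
    return "active"  # covers today's file and any oddly future-dated one


def plan_retention(filenames, today, active_weeks=DEFAULT_ACTIVE_WEEKS,
                   max_retention_days=MAX_RETENTION_DAYS):
    """Group file names by tier; the caller decides how to act on each tier."""
    plan = {"active": [], "archive": [], "purge": [], "ignored": []}
    for name in sorted(filenames):
        tier = classify(name, today, active_weeks, max_retention_days)
        plan[tier or "ignored"].append(name)
    return plan


def sample_plan():
    """Run the planner over the constructed sample as of the thread date."""
    return plan_retention(SAMPLE_FILES, THREAD_DATE)


if __name__ == "__main__":
    for tier, names in sample_plan().items():
        print(f"{tier:8s} {names}")
```

The planner only produces lists; what "archive" and "purge" mean operationally (copy to tape, delete, hand to a records system) is left to the caller, which keeps the policy decision separate from the destructive step and makes a dry run the default.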

 

 

We are in the process of migrating wireless networks from NAT to PAT, so it's hard to estimate how big the daily PAT log will be.

But keeping one semester's logs seems the minimum to me.  Indeed, we haven't received any request (so far) for tracking down a specific "incident" across semesters.

On Thu, 2012-01-05 at 17:08 -0600, Nathaniel Hall wrote:



--
Leo Song, Senior Analyst & Cluster Lead
Computing and Communication Services - Networking and Security
University of Guelph
(519) 824-4120 x 53181


Message from john.ladwig@so.mnscu.edu

I like how University of Iowa’s published their guidelines, and they match up well with about a decade and a half of incident-handling work by and around me.  Most incidents hit your radar within 30 days, and better than 95% will hit within 180 days.  At the moment, I can’t recall any time when I’ve seen a reasonable request for log data that stretched back more than one year.

 

That said, US-DoJ keeps asking for 2 years, and I believe a couple of the EU nations have 2-year retention mandates for ISPs, at least.

 

   -jml

 

Message from hoggatta@otc.edu

 

 

Thanks to everyone who put their two cents in on log retention.  Your input has been very helpful.

 

Regards,

 

Andy

 
