What is an event log?
An event log, also known as an audit trail or log, is a record that documents actions taken by computer systems, applications and users.
These logs are essential for IT security, troubleshooting, regulatory compliance and business monitoring.

Here are some key points to understand about event logs:
Contents of an Event Log
A typical event log may include information such as:
- Date and time of event.
- Type of event, indicating whether it is an error, a warning, an informational message, or a security event, among others.
- Event source, which can be the name of the software, operating system or hardware component that generated the event.
- Event ID, a unique code assigned to each type of event for easy identification.
- User or account associated with the event, if applicable.
- Detailed description of the event, which can include specific information on the action taken, the results and any associated error messages.
Event log producers
Event logs are generated by a variety of sources within an IT environment, including:
- Operating systems: Windows, Linux, macOS and other operating systems generate logs to track system activities and user interactions.
- Applications and software: Business applications, databases, web servers and other software produce logs to document internal operations and user transactions.
- Security components: Firewalls, intrusion prevention systems, antivirus software and other security tools generate security event logs to track access attempts, detected threats and security actions taken.
- Network devices: Routers, switches and other network devices record network traffic and performance events.
Why do they exist?
Event logs are used for:
- Security monitoring: Detect suspicious or unauthorized activity and respond to security incidents.
- Investigating incidents: After an incident, logs can be used to identify who carried out what actions and how. This information is essential for containing the damage and preventing a recurrence.
- Regulatory compliance: Demonstrate compliance with security standards and regulations by maintaining a history of activities.
- Troubleshooting: Identify and solve system or application problems by analyzing events recorded before or at the time of the incident.
- Performance analysis: Evaluate system and application performance by examining recorded activities.
So how long do you keep event logs?
How long event logs are kept depends on several crucial factors:
- Types of information: Sensitive, security-critical data or data linked to financial transactions may require extended retention.
- Applicable standards and laws: Legal or regulatory requirements vary depending on the business sector (e.g. PCI DSS for card transactions, HIPAA for healthcare data).
- Business objectives: Performance analysis, troubleshooting and incident prevention can also influence log retention times.
- Internal policies: Each organization must develop guidelines based on its specific needs, risk assessments and contractual obligations.
ISO 27001
ISO 27001 does not specify an exact retention period, but requires that each organization:
- Assess risks to define needs.
- Define log management policies.
- Implement controls for their collection, storage and destruction.
- Personally, I suggest 6 months to 1 year.
PCI DSS
These requirements apply specifically in the context of credit card transaction management, where event traceability is crucial to detecting and responding to potential security breaches. Logs must be kept for:
- **At least one year** in archive
- Easily accessible for the **last three months**.
HIPAA
HIPAA requires that logs related to protected health information be kept for:
- At least six years.
CAN/CIOSC 104:2021 (CyberSecure Canada)
The standard does not specifically state how long logs must be kept, but the Government of Canada does provide recommendations:
- A retention period of 2 years after last administrative use for information of operational value in IT or security processes.
- For cloud service providers: at least 90 days.
Bill 25 (Protection of personal information, Quebec)
Organizations are required to keep records of confidentiality incidents for five years following the date or period during which the company became aware of the incident (Article 3.8).
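To make the retention figures above operational, here is an added example (not part of the original article) that parses records in the field order listed under "Contents of an Event Log" and sorts each one into an online, archive or expired tier against a policy built from the PCI DSS and HIPAA figures given above. The pipe-delimited format, the sample records and the policy values as code constants are all constructed for this example.

```python
"""Classify event-log records against a retention policy (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records, one per line, in the field order the article lists:
# timestamp | type | source | event ID | user | description
SAMPLE_LOG = """\
2024-05-01T08:15:00Z|SECURITY|sshd|4625|alice|Failed logon from 203.0.113.5
2024-01-15T12:00:00Z|ERROR|postgres|1001|svc_db|Connection pool exhausted
2023-02-01T00:00:00Z|INFO|payment-api|2200|bob|Card transaction authorized
2017-03-01T09:00:00Z|SECURITY|ehr-app|7300|nurse1|PHI record viewed
"""

@dataclass(frozen=True)
class RetentionPolicy:
    name: str
    online_days: int    # records must stay immediately accessible this long
    archive_days: int   # total retention before destruction is permitted

# Constants derived from the article's figures: PCI DSS = 3 months online,
# 1 year archived; HIPAA = 6 years. Day counts are this example's assumption.
PCI_DSS = RetentionPolicy("PCI DSS", online_days=90, archive_days=365)
HIPAA = RetentionPolicy("HIPAA", online_days=0, archive_days=6 * 365)

def parse_event(line: str) -> dict:
    """Split one pipe-delimited record into the article's six fields."""
    ts, kind, source, event_id, user, desc = line.rstrip("\n").split("|", 5)
    return {"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "type": kind, "source": source, "event_id": int(event_id),
            "user": user, "description": desc}

def retention_tier(event_time: datetime, now: datetime, policy: RetentionPolicy) -> str:
    """Return 'online', 'archive' or 'expired' for a record of the given age."""
    age = now - event_time
    if age <= timedelta(days=policy.online_days):
        return "online"
    if age <= timedelta(days=policy.archive_days):
        return "archive"
    return "expired"  # retention satisfied; destruction may now be permitted

def triage(log_text: str, now: datetime, policy: RetentionPolicy) -> dict:
    """Group event IDs from the log text by the tier the policy assigns them."""
    tiers = {"online": [], "archive": [], "expired": []}
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            tiers[retention_tier(ev["time"], now, policy)].append(ev["event_id"])
    return tiers

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, datetime(2024, 6, 1, tzinfo=timezone.utc), PCI_DSS))
```

Run the same stream against each policy that applies to it; a record is only eligible for destruction once every applicable policy reports it as expired.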