Log Retention Guidelines

This document exists to guide Davidson College Technology & Innovation (“T&I”) staff and others who administer information technology (“IT”) systems for Davidson regarding the minimum and maximum retention standards for system log files.

A log file or “log” is the generic term for any information-technology-based event or activity record, including, but not limited to, access, network, and/or security information involving status, successes, failures, and activity.

Logs: Categories and Purposes

For the purposes of these guidelines, logs are categorized into four types with the recognition that categorizing a set of records into a single type of log may be difficult as some logs have more than one purpose.

  • Access Logs: Records regarding authentication or authorization to an information technology resource, along with physical access control logs. These include records of successful and unsuccessful attempts to access college technology systems and services and metadata about these attempts.

  • System Logs: Records pertaining to the operation, use and health of a system, application or other IT element. Examples of system logs include application (web, ERP, cloud service), database, or system (syslog, event) logs, as well as remote access logs or other records of user activity after authentication to a system.

  • Network Logs: Records pertaining to network communications, including the establishment, association, or resolution of a connection between two communicating technology devices. Examples of network logs include DHCP lease logs, NPS logs, DNS query logs, network flow data, address translation (NAT/PAT) logs, router/switch logs, telephony/telecommunications records (including call detail records), wireless controller logs, and SMTP logs.

  • Security Logs: Records that pertain to possible or actual policy violations, computer intrusions, malicious activity, misuse of resources, illegal or unsanctioned activity, privacy violations, and all other security records. Examples of security logs include anti-virus/endpoint protection service logs, intrusion detection/prevention system records, incident records, and packet captures.

Logging systems are designed to capture metadata around the use of services. Davidson logging systems should not, to the maximum extent possible, capture the content of encrypted application communications (such as the content of emails, files, voicemail messages or other documents), and all such requests for those data should be made in accordance with the College Access to Electronic Communications Policy.

However, metadata captured in logs may include the IP or other network address a student, employee or visitor is using when accessing external websites, including: geolocation; the URL or resource name of websites accessed; email recipients, subject lines and other communications metadata; location information and other identifying material. Individuals using Davidson systems should be aware that their use of such IT services and systems is monitored in accordance with Davidson policy.

Recommended Log Retention Periods

“Minimum Period of Readily Accessible Logging” is defined as the time period for which records are available for immediate review in Davidson’s logging systems to support IT system administration, security investigations, authorized external requests and other accesses. Readily accessible means that the record should be available for on-demand, real-time search and retrieval by T&I staff.

“Maximum Period of Archival Logging (Overall Retention Period)” defines the maximum time that log files should be maintained. Log files, including backup copies, should not be retained after these time periods. Note: while Davidson works to maintain the maximum retention period, the possibility exists that, due to previously undiscovered logs or records, or to developing or future forensic technologies, log records that have been archived or purged may be recoverable.

Both periods below are measured from the time the record was generated.

  • Access Logs
      Minimum Period of Readily Accessible Logging: 180 days
      Maximum Period of Archival Logging (Overall Retention Period): 365 days

  • System Logs
      Minimum Period of Readily Accessible Logging: 60 days
      Maximum Period of Archival Logging (Overall Retention Period): 365 days

  • Network Logs
      Minimum Period of Readily Accessible Logging: 60 days
      Maximum Period of Archival Logging (Overall Retention Period): 365 days

  • Security Logs – automated alerting of possible security events by security systems
      Minimum Period of Readily Accessible Logging: 90 days
      Maximum Period of Archival Logging (Overall Retention Period): 365 days

  • Security Logs – staff-created records of security events and incidents
      Minimum Period of Readily Accessible Logging: 365 days
      Maximum Period of Archival Logging (Overall Retention Period): 1 year (events not leading to incidents); 5 years or indefinite (incidents, law enforcement or legal requests, etc.)


Recommended Log Retention Periods for Vendor-Hosted Systems

In circumstances where Davidson contracts the operation of IT services to third parties (such as in the use of software as a service or SaaS solutions), T&I staff should inquire as to the logging practices of vendors during the initial contracting phase to understand any variance between Davidson guidelines and vendor practices.

For services where Davidson can configure log retention within a system, authorized Davidson T&I staff should work to mirror these guidelines to the extent possible.

Access to Log Files

Authorized Davidson staff may routinely access and use log files in accordance with their professional responsibilities, in line with the uses anticipated by the College Access to Electronic Communications Policy.

All requests from Davidson students, faculty and staff for log file access or information should follow the process documented in the College Access to Electronic Communications policy.

All requests from third parties, including requests from law enforcement agencies or legal subpoenas, must be reviewed by the Vice President and General Counsel to obtain authorization to proceed.


Last revised April 7, 2022