MON-005 recommended general

Log retention policy

Log retention is configured with a minimum of 2 weeks, the retention policy is documented, and the retention period is consistent across systems.

Question to ask

"How far back can you investigate an incident?"

Related items

  • Section 37
  • Section 38

Verification guide

Severity: Recommended

Check automatically:

  1. CloudWatch log retention:

    # List log groups with retention; retentionInDays is absent when a group never expires.
    # Log groups are regional, so repeat with --region for every region that holds logs.
    aws logs describe-log-groups --query 'logGroups[].{name:logGroupName,retentionDays:retentionInDays}'
    
    # Flag any with retention < 14 days
    aws logs describe-log-groups --query 'logGroups[?retentionInDays < `14`].{name:logGroupName,retention:retentionInDays}'
    
    # Flag groups with no retention at all (kept forever). The comparison above evaluates
    # to null for these, so the < 14 filter does NOT catch them.
    aws logs describe-log-groups --query 'logGroups[?retentionInDays == `null`].logGroupName'
    
  2. GCP log retention:

    # Check log bucket retention. The _Default bucket defaults to 30 days; _Required is fixed
    # at 400 days. Sinks can route logs to buckets in other projects, so run this in every
    # project that receives logs.
    gcloud logging buckets list --format='json' | jq '.[] | {name: .name, retentionDays: .retentionDays}'
    
  3. Elasticsearch ILM / OpenSearch ISM:

    # Elasticsearch: delete-phase min_age of each ILM policy. When the policy also has a
    # rollover action, min_age counts from rollover, so this is the floor on how long any
    # document is kept. A policy with no delete phase keeps indices forever.
    # Add -u / --cacert as your cluster requires.
    curl -s localhost:9200/_ilm/policy | jq 'to_entries[] | {policy: .key, delete_after: .value.policy.phases.delete.min_age}'
    
    # OpenSearch has ISM rather than ILM: look for the transition into a delete state
    curl -s localhost:9200/_plugins/_ism/policies | jq '.policies[] | {policy: ._id, transitions: [.policy.states[].transitions[]? | {to: .state_name, after: .conditions.min_index_age}]}'
    
  4. Application log rotation:

    # Check logrotate config. "rotate N" keeps N rotated files, one per interval, so retention
    # in days is N multiplied by the interval (daily/weekly/monthly); "maxage D" caps it at D days.
    grep -E "rotate|maxage|daily|weekly|monthly" /etc/logrotate.conf /etc/logrotate.d/* 2>/dev/null
    
    # On systemd hosts the journal is size-bounded by default (MaxRetentionSec=0 means no
    # time limit), so a 2-week guarantee needs an explicit value here
    grep -E "^(MaxRetentionSec|SystemMaxUse|SystemMaxFileSize)" /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf 2>/dev/null
    
    # Check for log retention in app config
    grep -riE "retention|rotate|max.?age|keep.?days" . --include="*.yml" --include="*.yaml" --include="*.json" 2>/dev/null | grep -i log
    
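The commands above only list numbers; the pass criteria still have to be applied to them: not infinite, at least 14 days, and the same across systems. The script below is an added example, not part of this checklist, that reads constructed samples shaped like the output of those commands (the JSON from `aws logs describe-log-groups`, `gcloud logging buckets list --format=json` and `GET _ilm/policy`, plus a logrotate stanza) and produces a PASS/FAIL with findings. Every log group, bucket, policy and path name in it is invented; the logrotate parser only handles `path { ... }` stanzas with `daily`/`weekly`/`monthly`/`yearly`, `rotate` and `maxage`.

```python
# Added example (not part of the checklist): apply MON-005's pass/fail criteria to the
# output of the check commands above. All sample inputs below are constructed.
import json
import re

MIN_DAYS = 14  # retention floor from the pass criteria

def cloudwatch_retention(describe_json):
    # `aws logs describe-log-groups` output. A group without retentionInDays never expires;
    # a `[?retentionInDays < `14`]` filter skips it, so it is reported as None here.
    groups = json.loads(describe_json)["logGroups"]
    return {g["logGroupName"]: g.get("retentionInDays") for g in groups}

def gcp_retention(buckets_json):
    # `gcloud logging buckets list --format=json` output; retentionDays is always present.
    return {b["name"]: b.get("retentionDays") for b in json.loads(buckets_json)}

_ES_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def es_time_to_days(value):
    # Elasticsearch time value such as "30d" or "336h" -> days
    m = re.fullmatch(r"(\d+)(d|h|m|s)", value)
    if not m:
        raise ValueError(f"unsupported time value: {value}")
    return int(m.group(1)) * _ES_SECONDS[m.group(2)] / 86400

def ilm_retention(policies_json):
    # `GET _ilm/policy` output. With a rollover action, delete.min_age counts from rollover,
    # so it is the floor on how long any document survives; no delete phase means forever.
    out = {}
    for name, body in json.loads(policies_json).items():
        delete_phase = body["policy"]["phases"].get("delete")
        out[name] = None if delete_phase is None else int(
            es_time_to_days(delete_phase.get("min_age", "0d")))
    return out

_LOGROTATE_INTERVAL = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

def logrotate_retention(config_text):
    # Minimal parser for `path { ... }` stanzas: `rotate N` keeps N files, one per interval,
    # so days = N * interval; `maxage D` caps that; `rotate 0` removes logs at rotation.
    out = {}
    for path, body in re.findall(r"(\S+)\s*\{([^}]*)\}", config_text):
        interval, rotate, maxage = 1, 0, None
        for line in body.splitlines():
            tok = line.split("#", 1)[0].split()
            if not tok:
                continue
            if tok[0] in _LOGROTATE_INTERVAL:
                interval = _LOGROTATE_INTERVAL[tok[0]]
            elif tok[0] == "rotate":
                rotate = int(tok[1])
            elif tok[0] == "maxage":
                maxage = int(tok[1])
        days = rotate * interval
        out[path] = min(days, maxage) if maxage is not None else days
    return out

def evaluate(systems, min_days=MIN_DAYS):
    # Return (passed, findings); fail on never-expiring, too-short or inconsistent retention.
    findings, seen = [], set()
    for system, stores in systems.items():
        for store, days in stores.items():
            if days is None:
                findings.append(f"{system}:{store} has no retention configured (kept forever)")
                continue
            seen.add(days)
            if days < min_days:
                findings.append(f"{system}:{store} retains {days} days (< {min_days})")
    if len(seen) > 1:
        findings.append(f"inconsistent retention across systems: {sorted(seen)} days")
    return (not findings), findings

# Constructed samples shaped like the real commands' output; every name is invented.
CLOUDWATCH = json.dumps({"logGroups": [
    {"logGroupName": "/aws/lambda/api", "retentionInDays": 30},
    {"logGroupName": "/ecs/web", "retentionInDays": 7},
    {"logGroupName": "/aws/rds/postgres"},  # no retentionInDays: kept forever
]})
GCP = json.dumps([
    {"name": "projects/demo/locations/global/buckets/_Default", "retentionDays": 30},
    {"name": "projects/demo/locations/global/buckets/_Required", "retentionDays": 400},
])
ILM = json.dumps({
    "logs": {"policy": {"phases": {"hot": {"actions": {"rollover": {"max_age": "7d"}}},
                                    "delete": {"min_age": "30d", "actions": {"delete": {}}}}}},
    "audit": {"policy": {"phases": {"hot": {"actions": {}}}}},  # no delete phase
})
LOGROTATE = "/var/log/app/*.log {\n    daily\n    rotate 7\n    compress\n}\n"

def run_sample():
    systems = {"cloudwatch": cloudwatch_retention(CLOUDWATCH), "gcp": gcp_retention(GCP),
               "ilm": ilm_retention(ILM), "logrotate": logrotate_retention(LOGROTATE)}
    return evaluate(systems)

if __name__ == "__main__":
    passed, findings = run_sample()
    print("PASS" if passed else "FAIL", *findings, sep="\n - ")
```

On the samples the result is FAIL with five findings: the 7-day ECS group and 7-day logrotate stanza fall below the floor, the RDS group and the `audit` ILM policy never expire, and the surviving values (7, 30, 400) are inconsistent. The 400-day `_Required` bucket is reported as inconsistent on purpose: it cannot be lowered, so the documented policy has to say so rather than the number being silently ignored.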

Ask user if retention not found: "Could not automatically determine log retention settings.

Please provide:

  1. Where are logs stored? (CloudWatch, GCP Logging, Elasticsearch, files, etc.)
  2. What is the retention period?
  3. Is retention at least 2 weeks?

Note: Minimum 2 weeks retention required for adequate debugging capability."

Cross-reference with:

  • Section 37 (GDPR & Privacy) - retention may have legal requirements
  • Section 38 (Cost Monitoring) - excessive retention increases storage costs

Pass criteria:

  • Log retention is configured (not infinite/undefined)
  • Retention is at least 2 weeks (14 days)
  • Retention policy is documented

Fail criteria:

  • Log retention is not explicitly configured (defaults apply, so logs are either kept forever or dropped sooner than expected)
  • Retention less than 2 weeks
  • Different systems have inconsistent retention
  • No documentation of retention policy

Evidence to capture:

  • Log storage system(s)
  • Retention period per system
  • Retention policy documentation location
  • Any compliance requirements affecting retention

Section: 12. Monitoring / Observability