Security Basics mailing list archives

Event log storage regulations/requirements from firewalls?


From: Ravi Malghan <rmalghan () yahoo com>
Date: Thu, 26 Oct 2006 10:55:39 -0700 (PDT)

Hello Security experts: I have configured a number of firewalls to send their logs to a central SEMS (security event 
management system). The data is stored in an Oracle database.

A requirement I have to meet is storing the raw events in a log file on a daily basis and making them available to 
management/legal if necessary. There are some firewalls which have been configured to send anything and everything. So a 
simple query to the database requesting all events for the previous day takes a long time (up to 50 minutes). I saw this 
query returning about 3079853 records. We do not have a requirement definition that explains what needs to be logged. 

So my questions are the following:
1. Are there any regulations that outline what specifically should be logged and what can be ignored from firewalls? I 
am assuming there are different specifications for federal and commercial environments.
2. If any security admins in this group have been able to define this, could you please share some high-level info, 
like what type of events should be stored, what can be ignored, how many days you have stored them for, etc.?

thanks
Ravi
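The daily raw-event export described in the post is the part that can be fixed independently of the policy question. Below is an added Oracle SQL example, not from the poster or the list, showing how to lay out the event table so that "yesterday's events" is a single-partition read rather than a scan of millions of rows, how to size the noise per firewall, and how to expire old days by dropping partitions. The table name, columns, the 2006-10-01 initial boundary and the 90-day retention figure are all assumptions.

```sql
-- Assumed table (not from the post). raw_msg keeps the unparsed line verbatim,
-- which is what a legal/management request for "the raw events" actually needs.
-- Interval partitioning (Oracle 11g and later) creates one partition per day automatically.
CREATE TABLE fw_events (
    event_time  TIMESTAMP      NOT NULL,
    fw_name     VARCHAR2(64)   NOT NULL,
    action      VARCHAR2(16)   NOT NULL,   -- e.g. ACCEPT / DROP / REJECT as sent by the firewall
    src_ip      VARCHAR2(45),
    dst_ip      VARCHAR2(45),
    dst_port    NUMBER(5),
    raw_msg     VARCHAR2(4000)
)
PARTITION BY RANGE (event_time)
INTERVAL (NUMTODSINTERVAL(1, 'DAY'))
(PARTITION p_initial VALUES LESS THAN (TIMESTAMP '2006-10-01 00:00:00'));  -- assumed start date

-- Local index so per-firewall lookups inside one day stay cheap.
CREATE INDEX fw_events_fw_idx ON fw_events (fw_name, event_time) LOCAL;

-- Daily export of yesterday's raw events. The half-open range on the bare column lets the
-- optimizer prune to one partition; writing TRUNC(event_time) = TRUNC(SYSDATE) - 1 instead
-- would wrap the partition key in a function and force a scan of every partition.
SELECT raw_msg
  FROM fw_events
 WHERE event_time >= TRUNC(SYSDATE) - 1
   AND event_time <  TRUNC(SYSDATE)
 ORDER BY event_time;

-- Check before relying on it: the plan should show PARTITION RANGE SINGLE, not PARTITION RANGE ALL.
EXPLAIN PLAN FOR
SELECT COUNT(*) FROM fw_events
 WHERE event_time >= TRUNC(SYSDATE) - 1 AND event_time < TRUNC(SYSDATE);
SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY);

-- Size the "anything and everything" problem: event volume per firewall and action for yesterday.
-- This is the evidence for deciding, per device, which event classes are worth keeping.
SELECT fw_name, action, COUNT(*) AS events
  FROM fw_events
 WHERE event_time >= TRUNC(SYSDATE) - 1 AND event_time < TRUNC(SYSDATE)
 GROUP BY fw_name, action
 ORDER BY events DESC;

-- Retention: after a day's partition has been written to the archive file, drop it instead of
-- DELETE-ing rows (no undo/redo for millions of rows, no index rebuild). 90 days is a placeholder;
-- the real figure is the policy question the post asks about.
ALTER TABLE fw_events
  DROP PARTITION FOR (TIMESTAMP '2006-07-28 00:00:00')   -- assumed date, i.e. today minus 90 days
  UPDATE INDEXES;
```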
