Re: Retention of NAT translations and Connections

[Dave Koontz <dkoontz () MBC EDU>]

To me, "acceptable" is the lowest common denominator, not ideal.

I think you should first define a policy on the purpose of keeping such
log information, and publish it in your AUP.  Is it for monitoring
users, or is it for troubleshooting problems or issues?  I suspect most
of us fall into the latter, and for that purpose 30 days should be more
than adequate.  You also should consider a policy of what, if anything,
you do with that log information you collect and hold for whatever time
you determine.

My personal thought is that the more user information you log and store,
the more responsibility IT has should an issue arise.  After all, "it
was in your logs, why didn't you catch it and do something about it"

Just my two cents...  And I concur if you have any questions, work with
your legal team.

---
Dave Koontz
Mary Baldwin College


On 1/5/2012 6:08 PM, Nathaniel Hall wrote:
> IMHO, I would say it would be acceptable to keep the current semester
> logs plus the previous semesters.  Since most packages will use a
> rotation specified in weeks, I would probably say about 30 weeks of
> active logs.  You should also keep in mind that you can keep X number
> of weeks active and the remaining weeks archived on tape.  That will
> help you maintain disk space while keeping the logs available for
> needed situations.
>
> It is also important to consult with the schools legal council.  They
> may request a minimum or maximum of 30, 60, 90 days or more.
> --
> I am many things, but I am not a lawyer, accountant, or agent of the federal, state, or local government.
>
> Nathaniel Hall
>
> On 1/5/2012 4:12 PM, HOGGATT, ANDY F. wrote:
> > Greetings all,
> >
> >  
> >
> > We have been reviewing our current process for logging Internet use
> > of students/faculty/staff.  One aspect we've been debating is how
> > long to store the firewall logs for Internet use of our users.  This
> > includes building and teardown of connections, as well as NAT
> > translation records.  Our perimeter firewall generates a copious
> > amount of logs per day and we are trying to determine how long "long
> > enough" is.
> >
> >  
> >
> > Would anyone be willing to share their input as to how long they
> > store this type of information.  Any and all input is greatly
> > appreciated.
> >
> >  
> >
> > Thank You,
> >
> >  
> >
> > Andy Hoggatt
> >
> > Ozarks Technical Community College
> >
> > Network Security Systems Administrator
> >
> > hoggatta () otc edu <mailto:hoggatta () otc edu>
> >
> > 417.447.7535
> >
> >