Log Retention

Log retention is the policy and practice of keeping security-relevant logs for a defined period so they remain available for monitoring, investigation, and evidence needs.

In plain language, it answers how long the organization keeps the records it may later need to understand what happened.

Why It Matters

Log retention matters because investigations often happen after the original event. If identity, endpoint, application, or cloud logs disappear too soon, responders may lose the evidence needed to reconstruct an incident accurately.

It also matters because longer retention has costs and tradeoffs. Storage, privacy, legal obligations, and operational usefulness all influence how long different logs should be kept.

Where It Appears in Real Systems or Security Workflow

Log retention appears in Security Information and Event Management, Audit Log governance, cloud logging, incident preparation, and compliance review. Teams connect it to Forensics, Incident Response Plan, Cloud Forensics, Compliance Framework, and Risk Assessment.

Security teams use log-retention decisions to balance operational visibility with the cost and governance implications of storing large amounts of security data.

Practical Example

An organization keeps authentication and privileged-activity logs for a year because those records are important for investigations and audit evidence, while some lower-value operational logs are retained for a shorter period because they are less useful after the initial troubleshooting window passes.
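The tiered schedule described above, expressed as a small retention evaluator (an added example, not code from the original page): each log class gets its own retention period, records past their period are marked for purge, and sources under an active investigation are placed on hold so the schedule cannot delete evidence before the case is worked. The class names, day counts, host names and sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule in days per log class. The one-year tier
# for authentication and privileged-activity logs follows the example above;
# the shorter operational tier is an assumed value.
RETENTION_DAYS = {"auth": 365, "privileged": 365, "app-debug": 30}

@dataclass(frozen=True)
class LogRecord:
    log_class: str
    written_at: datetime  # timezone-aware UTC timestamp
    source: str           # system that produced the record

def retention_decision(record, now, holds=frozenset()):
    """Decide 'keep', 'hold' or 'purge' for one record. Sources listed in
    `holds` are under active investigation and are never purged."""
    if record.source in holds:
        return "hold"
    days = RETENTION_DAYS.get(record.log_class)
    if days is None:
        # Fail closed: a class with no rule is kept, not silently deleted.
        return "keep"
    return "purge" if now >= record.written_at + timedelta(days=days) else "keep"

def apply_policy(records, now, holds=frozenset()):
    """Group records by decision; the 'purge' list is what a cleanup job may delete."""
    grouped = {"keep": [], "hold": [], "purge": []}
    for rec in records:
        grouped[retention_decision(rec, now, holds)].append(rec)
    return grouped

# Constructed sample data for a policy run on 2024-06-01.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
HOLDS = frozenset({"jump-host-01"})  # host currently under investigation
SAMPLE_RECORDS = [
    LogRecord("auth", datetime(2023, 3, 1, tzinfo=timezone.utc), "idp"),
    LogRecord("auth", datetime(2024, 1, 15, tzinfo=timezone.utc), "idp"),
    LogRecord("app-debug", datetime(2024, 4, 1, tzinfo=timezone.utc), "web-01"),
    LogRecord("app-debug", datetime(2024, 5, 20, tzinfo=timezone.utc), "web-01"),
    LogRecord("privileged", datetime(2023, 1, 10, tzinfo=timezone.utc), "jump-host-01"),
    LogRecord("netflow", datetime(2022, 7, 1, tzinfo=timezone.utc), "fw-01"),
]

if __name__ == "__main__":
    for decision, recs in apply_policy(SAMPLE_RECORDS, NOW, HOLDS).items():
        print(decision, [(r.log_class, r.source) for r in recs])
```

Running it shows the privileged-activity record from the held host is retained even though it is past its one-year period, while the expired auth and debug records are the only ones eligible for deletion.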

Common Misunderstandings and Close Contrasts

Log retention is not the same as log collection. A team may collect a log today but still lose its value if retention rules remove it before an investigation begins.

It is also different from active monitoring. Monitoring focuses on using log data now. Retention focuses on preserving that data long enough to support later review, evidence, or compliance needs.