AU-11 Audit Retention

Control: Retain audit logs for [Assignment: organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Illustrative Controls and TIBCO LogLogic Solution

Audit trails maintain a record of system activity, both by system and application processes and by user activity on systems and applications. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications. The auditor can obtain valuable information about activity on a computer system from the audit trail. Audit trails improve the auditability of the computer system.

Retaining audit trail history for a period of at least one year, with a minimum of 3 months available online, provides auditors and administrators with a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events (actions that happened on a computer system), intrusion detection, and problem analysis.

To satisfy this requirement, the LogLogic LMI solution simplifies, automates, and reduces the cost of log data retention. ST appliances archive up to ten years of log data while eliminating the need for servers, tape libraries, and archive administrators. When used with TIBCO LogLogic’s LX appliances, the ST appliance also guarantees complete and accurate transmission of network equipment logs from anywhere on the enterprise WAN.

The ST appliances’ raw log data archives can also be extended indefinitely by connecting the ST 2000 to a Network Attached Storage infrastructure. There is therefore no maximum retention period: log data can be stored for as long as required. To maximize storage, TIBCO LogLogic’s ST solution stores all raw log data in compressed text format with a compression ratio of 12:1. Logs can be extracted through the ST’s easy-to-use UI without any impact on the collection and processing of raw log data.

Reports and Alerts

Use the following reference to see the AU-11 reports and alerts: AU-11.