Audit Log Retention
Audit logs and the retention policy behind them.
Hot 90 days
Audit log retention is one of those compliance topics where the right answer depends on what you do with the logs and how often. Most teams either over-invest by keeping everything in expensive hot storage indefinitely or under-invest by retaining logs only as long as it takes for the next compliance audit cycle. The right approach is a tiered retention model that matches storage cost to access pattern.
What the hot tier is for:
- Queryable from the dashboard: Recent logs sit in fast, indexed storage and can be queried from the observability dashboard with sub-second response times. Active investigations work against this tier; the speed is what justifies its cost.
- For active investigation: Incident response, security event investigation, and customer support escalations all need fast access to recent logs. The investigation cycle is hours or days, and the logs must be queryable within that window without operational friction.
- 90 days is typical: Most teams keep 60 to 90 days hot. That window covers routine investigation needs without paying the hot-storage premium for logs nobody is actively querying; investigations that need older logs accept slower access.
- Per-source retention: Different log sources can have different hot windows, for example application audit logs hot for 90 days, cloud audit logs hot for 30 days, access logs hot for 14 days. The window for each source matches how long after the event that source typically gets investigated.
- Indexed for query: The hot tier is fully indexed on the fields investigators filter by: user, time, action, and resource. Indexing is part of the hot-storage premium; the query speed is the reason to pay it.
The hot tier is the operational tier. It is expensive per byte but the cost is bounded by the retention window.
Warm 1 year
The middle tier is warm storage: queryable but slower, retained longer, less expensive per byte. The tier covers compliance needs and longer-tail investigations without the hot tier's cost.
- Queryable via API: Warm-tier logs can still be queried, but with longer response times (minutes rather than seconds). The query interface may differ from the live dashboard, and some manual ETL may be needed. For the warm tier's access pattern that trade-off is acceptable.
- For periodic compliance: Quarterly access reviews, SOC 2 audits, and customer security questionnaires all need log access, but not in the middle of an incident; the warm tier serves them.
- 1 year is typical: The warm tier covers the rolling 12-month window most compliance frameworks expect. The team can produce logs from 11 months ago without rehydrating from cold storage.
- Cheaper than hot: Warm storage typically costs one third to one tenth of hot. Over a year of log volume the saving is significant, and for the warm tier's use cases the slower access is acceptable.
- Less indexing: Warm tiers usually carry less indexing. Field-level filters that work on the hot tier may require full-text search on the warm tier, so the query approach differs and the team learns which tier to use for which question.
The warm tier is the compliance tier. It absorbs most of the audit and review workload at a much lower cost than the hot tier.
Cold 7 years
The cold tier is for long-term retention. Object storage at the lowest cost per byte. Access is slow and possibly batched; the tier is for cases where the logs need to exist but rarely need to be accessed.
- Object storage at minimum cost: S3 Glacier Deep Archive, GCS Archive, Azure Archive. Each is the lowest-cost storage class its provider offers. Per-byte cost is dramatically lower than hot or warm, so retention can be very long.
- Framework floors differ: Compliance frameworks set retention floors, not a single number. SOC 2 does not mandate a retention period; the auditor needs evidence covering the review period, typically 12 months, so a year of queryable logs is the practical minimum. HIPAA requires 6 years for Security Rule documentation, and audit records showing who accessed protected health information are commonly retained for that period. PCI DSS requires at least 12 months of audit log history, with the most recent 3 months immediately available for analysis. The cold tier covers the long tail of these durations; the hot and warm tiers have to cover the "immediately available" part.
- Longer for regulated industries: Some industries require more. Financial services often retains for 7 to 10 years; healthcare for 6 years from creation or from the date a document was last in effect, whichever is later; some regulatory frameworks require 25 years or more. The cold tier scales to these durations.
- Slow access by design: Retrieval from the cold tier can take hours. The consumers are legal investigations, regulatory audits, and post-breach forensics, all of which tolerate that latency.
- Tamper-evident retention: The cold tier uses object lock (WORM) or an equivalent so that nothing can be modified or deleted after write until the retention period ends. Use a compliance-style lock that no principal, including the account owner, can shorten; a lock an administrator can lift protects against mistakes, not against an attacker who already holds administrative access. The lock also has to cover the path into the archive: logs that can be altered in the hot or warm tier before they are copied to cold arrive already tampered, so forward them to the archive as early as possible and record checksums at ingest so integrity can be verified on retrieval.
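The three tiers above are one policy per log source, and the place it usually gets wrong is the handoff between them: a hot window that cannot be expressed as a cloud lifecycle transition, a cold expiry that falls short of a framework floor, or an object lock that runs out before the lifecycle rule is allowed to delete. The following is an added example, not code from the page or from any product it names. It treats each source's windows as ages in days measured from the time the log object is written, checks them against the framework floors discussed above and against S3's minimum age for a STANDARD_IA transition, and emits the S3 lifecycle rules plus a bucket Object Lock configuration that implement the policy. The source names, key prefixes, window values, framework scope per source, and the STANDARD_IA/DEEP_ARCHIVE storage-class choice are all assumptions.

```python
"""Tiered audit-log retention as a checkable policy (illustrative example)."""
import json
import math
from dataclasses import dataclass

DAYS_PER_YEAR = 365

# Framework floors as (days immediately available, days retained in total).
# PCI DSS: at least 12 months of history, most recent 3 months immediately
# available. HIPAA: 6 years. "Immediately available" is taken to mean the hot
# tier: no rehydration and no separate ETL step.
FRAMEWORK_FLOORS = {
    "pci_dss": (90, 365),
    "hipaa": (0, 6 * DAYS_PER_YEAR),
}

# S3 rejects a lifecycle transition to STANDARD_IA earlier than 30 days after
# object creation, so a shorter hot window cannot be implemented this way.
MIN_DAYS_BEFORE_IA = 30


@dataclass(frozen=True)
class Retention:
    hot_until: int      # age at which the object leaves fast indexed storage
    warm_until: int     # age at which it leaves queryable warm storage
    expire_after: int   # age at which it is deleted from the cold archive


def check(source: str, p: Retention, frameworks) -> list:
    """Return the problems for one source; an empty list means the windows are
    strictly increasing, expressible as an S3 lifecycle, and meet every floor."""
    problems = []
    if not 0 < p.hot_until < p.warm_until < p.expire_after:
        problems.append(f"{source}: tier ages must be strictly increasing")
        return problems
    if p.hot_until < MIN_DAYS_BEFORE_IA:
        problems.append(f"{source}: hot window {p.hot_until}d is below the "
                        f"{MIN_DAYS_BEFORE_IA}d minimum for a STANDARD_IA transition")
    for name in frameworks:
        available, total = FRAMEWORK_FLOORS[name]
        if p.hot_until < available:
            problems.append(f"{source}: {name} wants {available}d immediately "
                            f"available, hot tier is {p.hot_until}d")
        if p.expire_after < total:
            problems.append(f"{source}: {name} wants {total}d total retention, "
                            f"policy deletes at {p.expire_after}d")
    return problems


def lifecycle_rule(source: str, p: Retention) -> dict:
    """One S3 lifecycle rule: hot -> STANDARD_IA (warm) -> DEEP_ARCHIVE (cold) -> delete."""
    return {
        "ID": f"{source}-tiered-retention",
        "Filter": {"Prefix": f"audit/{source}/"},   # assumed key layout
        "Status": "Enabled",
        "Transitions": [
            {"Days": p.hot_until, "StorageClass": "STANDARD_IA"},
            {"Days": p.warm_until, "StorageClass": "DEEP_ARCHIVE"},
        ],
        "Expiration": {"Days": p.expire_after},
    }


def object_lock_config(policies) -> dict:
    """Bucket default retention in COMPLIANCE mode, sized to the longest expiry
    so the lock cannot run out before the lifecycle rule is allowed to delete,
    and no principal (root included) can shorten it or delete a locked version."""
    longest = max(p.expire_after for p in policies.values())
    years = math.ceil(longest / DAYS_PER_YEAR)
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": years}}}


def plan(policies, scope):
    """Validate every source against its in-scope frameworks; on success return
    the lifecycle configuration and the Object Lock configuration."""
    problems = [msg for src, p in policies.items()
                for msg in check(src, p, scope.get(src, []))]
    if problems:
        return {"ok": False, "problems": problems}
    return {"ok": True,
            "lifecycle": {"Rules": [lifecycle_rule(s, p) for s, p in policies.items()]},
            "object_lock": object_lock_config(policies)}


# Constructed policy table mirroring the windows discussed on the page:
# 90/30/14 days hot, one year warm, seven years cold. Framework scope per
# source is an assumption.
POLICIES = {
    "app_audit":   Retention(90, 365, 7 * DAYS_PER_YEAR),
    "cloud_audit": Retention(30, 365, 7 * DAYS_PER_YEAR),
    "access":      Retention(14, 365, 7 * DAYS_PER_YEAR),
}
SCOPE = {"app_audit": ["pci_dss", "hipaa"], "cloud_audit": ["hipaa"], "access": []}

if __name__ == "__main__":
    print(json.dumps(plan(POLICIES, SCOPE), indent=2))
```

Run as written, the plan is rejected: the 14-day hot window for access logs is shorter than the 30 days S3 requires before a STANDARD_IA transition, so that source either keeps 30 days hot or moves to warm by a different mechanism (a scheduled export rather than a lifecycle rule). Widening it to 30 days yields the lifecycle rules and a 7-year COMPLIANCE-mode default retention. Object Lock requires bucket versioning and has to be enabled on the bucket before the rules are applied; a GOVERNANCE-mode lock would let any principal holding the bypass permission delete the archive, which is the administrator-error protection the page's cold tier is not meant to rely on.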
The tiered retention model produces compliance-ready audit logs at the right cost. Nova AI Ops integrates with the cloud storage tiers, surfaces the retention status across log sources, and produces the audit reports compliance frameworks expect.