Friday 26 June 2026 12:21:34 GMT+02:00

Netcrook


WIKICROOK

Log Retention

The practice of keeping security and system logs long enough to support investigation and recovery.

Log retention is the practice of keeping security and system logs for a defined period so investigators can reconstruct events after an incident. Logs may include authentication records, DNS queries, web server access, EDR alerts, cloud audit trails, and firewall events. Retention matters because many attacks are only visible in hindsight: an attacker may delete tools, rotate accounts, or leave a system days before detection, but the logs can still show how access was gained, what was touched, and whether data moved out of the environment.

In real defenses, good retention supports triage, containment, legal review, and recovery. It also helps distinguish a true compromise from a false claim or routine failure. If logs are overwritten too quickly, defenders lose evidence of initial access, lateral movement, privilege escalation, and exfiltration. Effective programs set retention periods based on risk, store logs centrally, protect them from tampering, and ensure time synchronization so records can be correlated across systems.
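The last sentence lists the properties a retention program needs: risk-based retention periods, central storage, tamper protection, and synchronized time. The following Python sketch is an added example (not part of the original entry and not any vendor's product) that puts those four properties into one small in-memory store: per-category retention periods, one hash chain per category so that an edited or deleted record is detectable, timestamp normalization to UTC so events from different sources land on one timeline, and a purge routine that removes only the oldest contiguous records so the chain stays verifiable. The retention periods, source names and sample events are constructed for illustration, not taken from any standard.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Assumed retention periods in days per log category. Illustrative values only;
# a real program derives them from its own risk assessment and legal duties.
RETENTION_DAYS = {"auth": 365, "cloud_audit": 365, "edr": 180,
                  "dns": 90, "web": 90, "firewall": 30}

GENESIS = "0" * 64  # chain anchor used before any record exists


@dataclass(frozen=True)
class Record:
    ts_utc: datetime   # always UTC, so records from different systems correlate
    category: str
    source: str
    message: str
    prev_hash: str
    digest: str


def normalize_ts(raw: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries a UTC offset and convert it to UTC.
    Naive timestamps are rejected: without an offset the record cannot be placed
    on a common timeline with events from other hosts."""
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {raw}")
    return dt.astimezone(timezone.utc)


def _digest(prev_hash: str, ts_utc: datetime, category: str, source: str, message: str) -> str:
    """SHA-256 over the previous digest and the record fields (canonical JSON)."""
    payload = json.dumps([prev_hash, ts_utc.isoformat(), category, source, message],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class LogStore:
    """Central store with one hash chain per category, purged from the oldest end."""

    def __init__(self) -> None:
        self.chains: dict[str, list[Record]] = {c: [] for c in RETENTION_DAYS}
        self.anchors: dict[str, str] = {c: GENESIS for c in RETENTION_DAYS}

    def ingest(self, raw_ts: str, category: str, source: str, message: str) -> Record:
        if category not in RETENTION_DAYS:
            raise ValueError(f"no retention policy for category {category!r}")
        ts = normalize_ts(raw_ts)
        chain = self.chains[category]
        prev = chain[-1].digest if chain else self.anchors[category]
        rec = Record(ts, category, source, message, prev,
                     _digest(prev, ts, category, source, message))
        chain.append(rec)
        return rec

    def verify(self, category: str) -> bool:
        """Recompute every digest; an edited, dropped or reordered record breaks the chain."""
        prev = self.anchors[category]
        for r in self.chains[category]:
            if r.prev_hash != prev or _digest(prev, r.ts_utc, r.category, r.source, r.message) != r.digest:
                return False
            prev = r.digest
        return True

    def enforce_retention(self, now: datetime) -> int:
        """Drop records older than their category's retention period. Only the
        contiguous oldest prefix is removed so the chain stays verifiable: the last
        purged digest becomes the new anchor. Records that arrive out of time order
        behind a newer record therefore wait until that record expires too."""
        purged = 0
        for category, chain in self.chains.items():
            limit = timedelta(days=RETENTION_DAYS[category])
            while chain and now - chain[0].ts_utc > limit:
                self.anchors[category] = chain.pop(0).digest
                purged += 1
        return purged

    def correlate(self, center: datetime, window: timedelta) -> list[Record]:
        """Every record from every source within +/- window of `center`, in UTC order."""
        hits = [r for chain in self.chains.values() for r in chain
                if abs(r.ts_utc - center) <= window]
        return sorted(hits, key=lambda r: r.ts_utc)


def demo() -> dict:
    """Constructed sample events; sources report in three different time zones."""
    store = LogStore()
    store.ingest("2023-01-15T00:00:00Z", "auth", "idp", "login ok user=bob")            # beyond 365 days
    store.ingest("2024-01-02T10:00:00+02:00", "firewall", "fw1", "allow 203.0.113.7 -> vpn:443")  # beyond 30 days
    store.ingest("2024-03-01T09:00:05+02:00", "firewall", "fw1", "allow 203.0.113.7 -> vpn:443")
    store.ingest("2024-03-01T07:00:10Z", "auth", "idp", "login ok user=alice mfa=yes")
    store.ingest("2024-03-01T02:00:20-05:00", "edr", "host-42", "new process: powershell.exe")
    verified_before = all(store.verify(c) for c in RETENTION_DAYS)
    purged = store.enforce_retention(datetime(2024, 3, 20, tzinfo=timezone.utc))
    verified_after = all(store.verify(c) for c in RETENTION_DAYS)
    # The three remaining events were logged at 07:00:05Z, 07:00:10Z and 07:00:20Z.
    hits = store.correlate(datetime(2024, 3, 1, 7, 0, 0, tzinfo=timezone.utc), timedelta(seconds=30))
    # Simulate tampering: rewrite the message of the surviving auth record.
    store.chains["auth"][0] = replace(store.chains["auth"][0], message="login ok user=mallory")
    return {"purged": purged, "verified_before": verified_before,
            "verified_after": verified_after,
            "correlated": [r.source for r in hits],
            "tamper_detected": not store.verify("auth")}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the per-category chain with a moving anchor: a single global chain cannot be purged at different rates per category without breaking verification, and a chain with no anchor cannot prove that the oldest surviving record was not silently replaced. In a production deployment the anchors would be written somewhere the log host cannot rewrite (write-once storage or a separate signing service), which is what "protect them from tampering" means in practice.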
