Harry Waldron - IT Security

Security Developments, Software Updates and Best Practices

Best Practices - Log Retention for legal purposes

The ISC suggests that companies formulate policies on log file retention to meet various legal requirements like Sarbanes-Oxley, HIPAA, and other needs. This could require storing seven years of detailed log file history (but hopefully using a compressed format and DLT tape backups in an organized manner).

http://isc.sans.org/diary.php?date=2005-03-22

It's a good idea to develop a log retention policy for your site. This should include what type of information is stored; for how long; online vs offline; and whether the data is confidential. A good starting point would be to store compressed copies of your audit logs (syslog or event logs), firewall logs (network or host), and IDS logs (alert logs at a minimum; full packet trace retention would depend on the needs and requirements of your site) for at least 60 days.

A few of the legal requirements highlighted:

The Health Insurance Portability and Accountability Act (HIPAA) - Affects healthcare industry. Logs should be retained up to 6 years.

National Industrial Security Program Operating Manual (NISPOM) - Specifies log retention of at least one year.

The Sarbanes-Oxley Act (SOX) - Affects US Corporations. Specifies retaining audit logs for up to seven years.

VISA Cardholder Information Security Program (CISP) - Specifies retaining audit logs for at least six months.