Audit log retention policy

Proper audit log retention policies are a crucial component of any effective cybersecurity strategy. They provide a comprehensive record of all activities that occur within a system, including user actions, system events, and changes to critical data. By retaining audit logs for a set period of time, Sitecore can meet regulatory requirements, support incident investigations, and maintain an audit trail for compliance and accountability purposes. Properly balancing the retention policies of these events is important to ensure the availability of information while avoiding information overload and data privacy concerns.

Warning

To maintain infrastructure stability, we might remove high-volume event audits from the application at our discretion. In such cases, we retain these logs and make them available to the customer until the applicable retention period ends.

Retention policies

The following retention policies apply to how Sitecore handles Sitecore Content Hub data:

  • Online retention: data is available through Content Hub search, reporting, or API.

  • Offline retention: data is not available through Content Hub search, reporting, or API, but can be made available for download through a service request.

  • Expired data: once the retention period ends, the data may be permanently deleted. To keep the data beyond this period, you must request and store it securely before it is deleted.

Retention policy for production environments

The following retention policy applies to production environments:

| Audit log category | Online retention time | Offline retention time |
| --- | --- | --- |
| User or security events | 2 years | 7 years |
| Audit events | 2 years | 7 years |
| Operational logs | 3 months | N/A |

Retention policy for non-production environments

The following retention policy applies to non-production environments (which are customer QA or test environments):

| Audit log category | Online retention time | Offline retention time |
| --- | --- | --- |
| User or security events | 3 months | 2 years |
| Audit events | 3 months | N/A |
| Operational logs | 1 month | N/A |

Event logging categories

All logging events are separated into three categories: user or security events, audit events, and operational logs.

User or security events

These events include login attempts, password changes, and other activities related to user authentication and authorization. They are critical for cybersecurity compliance.

User or security events: user.account.created, user.account.emailblacklisted, user.account.emailconfirmation, user.account.modified, user.account.notcreated, user.activated, user.changepassword.completed, user.created, user.deleted, user.impersonated, user.lockedout, user.login.failed, user.login.notassociated, user.login.success, user.logout, user.modified, user.passwordreset, user.passwordreset.completed, user.restricted, usergroup.created, usergroup.deleted, usergroup.modified, privileges.added, privileges.removed, user.notfound.

Audit events

These events include any changes made by users to the data in the system. They can be used for entity change tracking as well as user and asset activity reporting.

Audit events: asset.approved, asset.conversion.completed, asset.download.completed, asset.rejected, asset.rework, asset.stream.started, block.created, block.started, block.finished, fragment.approved, fragment.rejected, fragment.rework, lifecycle.approved, lifecycle.archived, lifecycle.assetdeleted, lifecycle.created, lifecycle.directpublished, lifecycle.rejected, lifecycle.restored, lifecycle.submitted, task.accepted, task.assigned, task.completed, order.download.completed, order.package.created, lifecycle.softassetdeleted, lifecycle.restoredfromdelete, block.reset, asset.created, fragment.created, Original Updated (Raw), EntityUpdated (Raw - excluding internal entities), EntityCreated (Raw - excluding internal entities), EntityDefinitionCreated (Raw), EntityDefinitionUpdated (Raw), EntityDefinitionDeleted (Raw), EntityDeleted (Raw), PolicyDeleted (Raw), EntityForciblyUpdated (Raw), PolicySaved (Raw).

Operational logs

These logs include all activities that do not relate to an entity or asset change. They can be used for troubleshooting or activity follow-up, but this data quickly loses its value. Any entity updates on internal entities (such as M.Job, M.Agent, M.JobDescription, M.Target, M.AgentActivity) are also considered operational logs.

Operational logs: chili.highres.pdfprintrequested, chili.lowres.pdfprintrequested, gatewaydownload.completed, notification.confirmaccount, notification.discussioncreated, notification.discussionmodified, notification.forgotpassword, notification.ordercompleted, notification.orderfailed, notification.orderpartiallyfailed, notification.propertyupdated, notification.renditioncompleted, notification.reportinglogordercompleted, notification.reportinglogorderfailed, notification.searchchanged, notification.taskcreated, notification.taskdeclined, notification.taskdone, notification.userauditlogordercompleted, notification.userauditlogorderfailed, user.account.scripting.exception, publiclink.selected, connector.synced, Script Executed (Raw), Script Telemetry (Raw), Trigger Executed (Raw), Action Executed (Raw), Original downloadoriginalcompleted (Raw), original gatewaydownloadcompleted (Raw), original downloadpreviewcompleted (Raw), downloadordercompleted (Raw), DirectDownloadCompleted (Raw), {qualityresolutionName}.{generatetype}PrintRequested (Raw), GatewayDownloadCompleted (Raw), {rendition}completed (Raw).

Last updated: February 8, 2024
