Which records schedule covers IT system and user access logs, and how long are they kept?
In the U.S. federal government, IT system and user access logs are generally covered by the General Records Schedules (GRS) issued by the National Archives and Records Administration (NARA). These schedules give agencies government-wide authority to dispose of common administrative records, including many categories of information technology operations and security records, without writing their own custom schedule.
Which schedule applies
Logs that capture system activity, user access, authentication events, and similar audit data typically fall under the GRS coverage for information systems security records and information technology operations and maintenance records. NARA periodically updates and renumbers these schedules, so the exact GRS item that applies to a given log depends on its current version and on what the log actually documents.
Because the precise schedule item and citation can change between GRS revisions, the reliable approach is to confirm the current item directly through NARA’s GRS pages rather than relying on a remembered number.
How long logs are kept
Retention for routine access and audit logs is generally short — these are treated as temporary records and are commonly destroyed after a defined period (often measured in months to a few years) once their administrative and security value has passed. The specific period depends on:
- The type of log (e.g., routine system monitoring vs. records tied to a security incident).
- Litigation, investigation, or FOIA holds, which suspend destruction until released.
- Agency-specific requirements layered on top of the GRS baseline.
Logs connected to a security incident, breach investigation, or legal matter are usually retained longer than ordinary operational logs.
Practical guidance
To pin down the controlling schedule and retention period:
- Identify exactly what the log documents and the system that produces it.
- Check the current GRS for the matching information technology or security item.
- Confirm whether any agency schedule or active legal hold modifies the baseline.
- Document your disposition decision so destruction is defensible and auditable.
When in doubt, an agency records officer should verify the citation against the latest NARA schedules before any logs are destroyed.
For more background, see the federal records topic hub.
Sources & further reading
Authoritative government and non-profit references.
- General Records Schedules — National Archives (NARA)
- Records management policy and guidance — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). Which records schedule covers IT system and user access logs, and how long are they kept?. Records Management University. https://www.recordsmgmt.org/questions/which-schedule-covers-it-system-and-access-logs-and-how-long-to-keep/
MLA
RM University Editorial. "Which records schedule covers IT system and user access logs, and how long are they kept?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/which-schedule-covers-it-system-and-access-logs-and-how-long-to-keep/.
Related questions
- Are records created by federal contractors considered federal records?
- Big-bucket vs item-level retention schedules: how do I decide which approach to use?
- Can a federal employee be personally fined or jailed for deleting government records?
- Can federal employees conduct official business on personal devices or apps?
- Can I delete old federal records to free up storage space when our shared drive gets full?