
To meet GDPR privacy rules, the IETF suggests sysadmins adopt a data minimisation approach to configuring server logs, one that:

  • Stores full IP addresses only for as long as needed to provide a service.
  • Includes only the first two octets of IPv4 addresses, or first three octets of IPv6 addresses.
  • Keeps inbound IP address logs for no longer than three days (covers weekends).
  • Does not log unnecessary identifiers – these include source port number, timestamps, transport protocol numbers, and destination port numbers.
  • Protects logs against unauthorised access.
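
The truncation, retention and field-stripping rules above can be applied in a single pass over log records. The sketch below is an added example, not code from the IETF or from this page. The record layout, the field names (`ts`, `src_ip`, `src_port`, `dst_port`, `proto`) and the sample data are constructed for illustration, and the timestamp is read only to enforce the three-day window and is not written back out.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=3)  # keep inbound IP logs no longer than three days
# Identifiers the list above calls unnecessary (field names are assumptions).
DROP_FIELDS = {"ts", "src_ip", "src_port", "dst_port", "proto"}

def truncate_ip(addr: str) -> str:
    """Keep the first two octets (IPv4) or first three octets (IPv6); zero the rest."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is an IPv4 client, so apply the IPv4 rule
    keep = 2 if ip.version == 4 else 3
    packed = ip.packed
    return str(ipaddress.ip_address(packed[:keep] + bytes(len(packed) - keep)))

def minimise(records, now):
    """Drop expired records, truncate the client address, strip unneeded fields."""
    out = []
    for rec in records:
        if now - datetime.fromisoformat(rec["ts"]) > RETENTION:
            continue  # past the retention window: do not carry forward
        try:
            net = truncate_ip(rec["src_ip"])
        except ValueError:
            net = "invalid"  # never copy an unparsed client value into the output
        kept = {k: v for k, v in rec.items() if k not in DROP_FIELDS}
        kept["src_net"] = net
        out.append(kept)
    return out

# Constructed sample records (documentation address ranges only).
NOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"ts": "2024-05-06T08:00:00+00:00", "src_ip": "203.0.113.7", "src_port": 51544,
     "dst_port": 443, "proto": 6, "request": "GET /login", "status": 200},
    {"ts": "2024-05-02T09:00:00+00:00", "src_ip": "198.51.100.20", "src_port": 40022,
     "dst_port": 443, "proto": 6, "request": "GET /", "status": 200},
    {"ts": "2024-05-05T23:10:00+00:00", "src_ip": "2001:db8:1234::1", "src_port": 60110,
     "dst_port": 443, "proto": 6, "request": "POST /api", "status": 201},
    {"ts": "2024-05-06T11:59:00+00:00", "src_ip": "not-an-ip", "src_port": 1,
     "dst_port": 80, "proto": 6, "request": "GET /x", "status": 400},
]

if __name__ == "__main__":
    for row in minimise(SAMPLE, NOW):
        print(row)
```
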