The CERT-In Log Retention Mandate: Is Your Firewall Compliant?

By Hitesh Dharmdasani, April 5, 2026

A detailed guide with background, requirements, implications, and practical steps

In an era where cyber threats are rapidly increasing in scale and sophistication, governments around the world are tightening regulations to improve incident response and forensic readiness. In India, one of the most impactful regulatory shifts has come from the Indian Computer Emergency Response Team (CERT-In), the national agency charged with cyber security preparedness and response under the Information Technology Act, 2000. (Source: Wikipedia)

Among the recent directives, the log retention mandate stands out as a foundational requirement that affects almost every organization running networked systems—including firewalls, servers, cloud platforms, and security infrastructure. Failing to comply isn’t just a security hygiene gap; it can lead to legal penalties and operational risks.


What Is the CERT-In Log Retention Mandate?

In April 2022, CERT-In issued mandatory directions under Section 70B of the Information Technology Act, 2000, which became effective after a prescribed period. These directions require covered entities to enable and retain system logs for a rolling period of at least 180 days (approximately six months) within Indian jurisdiction. (Source: Internet Society)

These logs must be maintained in a secure, tamper-resistant manner and must be made available to CERT-In when reporting cyber incidents, or upon order from CERT-In during investigations or audits. (Source: TTA)

Who Must Comply?

The mandate broadly applies to:

  • Service providers
  • Intermediaries
  • Data centers and cloud service providers
  • Virtual private server (VPS) and VPN service providers
  • Body corporates
  • Government organizations

…and, in effect, almost any organization that operates ICT (Information and Communication Technology) systems covered within India. (Source: Internet Society)


Why Log Retention Matters

Logs are the forensic building blocks of cybersecurity. They record what happened, where, when, and by whom. In incident investigations—like breaches, ransomware attacks, data leaks, or suspicious access attempts—logs help answer questions such as:

  • Which user accessed what system and when?
  • Did a threat actor attempt lateral movement?
  • What sequence of events preceded the security incident?

Without properly retained logs, incident analysis is slow, incomplete, or even impossible.

CERT-In’s log retention mandate pushes organizations to adopt disciplined logging practices so that when a cyber incident occurs, evidence is readily available for analysis and reporting to national authorities.

Moreover, logs help in internal audit, threat hunting, compliance reporting, and in some cases, legal proceedings.


What Kind of Logs Are Required?

The mandate does not list every possible log type, but guidance and industry interpretations identify the kinds of logs that should be retained, including:

Security & network logs

  • Firewall logs
  • Intrusion Detection/Prevention System (IDS/IPS) logs
  • VPN gateway logs
  • Proxy server logs

System & application logs

  • Authentication and authorization events
  • Operating system event logs
  • Database access logs
  • Web server logs

Cloud and network infrastructure logs

  • Cloud control plane logs
  • Network flow logs
  • API access logs

The frequency and granularity of these logs should be sufficient to support forensic analysis and incident reporting. (Source: AM Legals)


Log Retention Duration and Jurisdiction

The core requirement is simple:

Enable logs on all ICT systems and retain them securely for a minimum of 180 days. (Source: Internet Society)

This includes logs from firewalls and other critical security devices.

Indian Jurisdiction

While some CERT-In FAQs have suggested flexibility (e.g., logs may be stored outside India if they can be produced on demand), many legal interpretations emphasize that logs should be retained within India or made available promptly upon request, especially when incident response or investigations are underway. (Source: saikrishnaassociates.com)

This has important implications for global organizations serving Indian users: your logging infrastructure and retention policies must ensure logs are available in a timely manner within Indian jurisdiction.


Why Firewalls Matter in Log Retention

Firewalls are often the first line of defense—and one of the richest sources of security-relevant logs. They record:

  • Traffic allowed or denied
  • Source and destination IPs
  • Timestamps for every session
  • Protocols and ports used
  • Anomalies and blocked attack attempts

These logs are invaluable in investigating incidents and fulfilling CERT-In’s reporting obligations.

If your firewall isn’t logging the right events, or isn’t storing them for at least 180 days, you are likely non-compliant. Firewalls must be configured to generate and export logs to a secure log repository or centralized logging system with long-term retention.
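The check below is an added example, not code from the original post or from any firewall vendor. It assumes a constructed key=value syslog-style export (the field names ts, action, src, dst, sport, dport and proto are assumptions; real devices use their own schemas) and reports lines that lack the fields listed above or carry an unparseable timestamp, which is the kind of validation worth running on a sample of the export before relying on it for 180 days of forensic coverage.

```python
"""Validate that exported firewall log lines carry the fields an investigator
needs: timestamp, action, source/destination, ports and protocol.

Added example, not from the original post. The format is a constructed
key=value style; adapt REQUIRED_FIELDS and parse_line() to your device."""
import re
from datetime import datetime

# Fields the article lists as what a firewall should record (assumed names).
REQUIRED_FIELDS = ("ts", "action", "src", "dst", "sport", "dport", "proto")

# Constructed sample export: three complete lines, one missing dst/dport,
# and one whose timestamp cannot be parsed.
SAMPLE_LINES = [
    "ts=2026-03-01T10:15:02Z action=allow src=10.0.1.25 dst=203.0.113.10 sport=51234 dport=443 proto=tcp rule=web-out",
    "ts=2026-03-01T10:15:07Z action=deny src=198.51.100.7 dst=10.0.1.5 sport=4444 dport=22 proto=tcp rule=default-deny",
    "ts=2026-03-01T10:16:00Z action=allow src=10.0.1.40 dst=10.0.2.8 sport=60001 dport=53 proto=udp rule=dns",
    "ts=2026-03-01T10:16:11Z action=deny src=10.0.1.99 sport=40000 proto=tcp rule=default-deny",
    "ts=not-a-time action=allow src=10.0.1.25 dst=203.0.113.10 sport=51235 dport=443 proto=tcp rule=web-out",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # assumed UTC ISO-8601 export format


def parse_line(line):
    """Turn one key=value line into a dict; values are kept as strings."""
    return dict(KV_RE.findall(line))


def validate_entry(entry):
    """Return the list of problems for one parsed entry (empty = usable)."""
    problems = [f"missing {field}" for field in REQUIRED_FIELDS if field not in entry]
    if "ts" in entry:
        try:
            datetime.strptime(entry["ts"], TS_FORMAT)
        except ValueError:
            problems.append("unparseable ts")
    return problems


def audit(lines):
    """Summarise a batch: how many lines are usable and which are defective."""
    usable, defective = 0, []
    for number, line in enumerate(lines, start=1):
        problems = validate_entry(parse_line(line))
        if problems:
            defective.append((number, problems))
        else:
            usable += 1
    return {"usable": usable, "defective": defective}


if __name__ == "__main__":
    result = audit(SAMPLE_LINES)
    print(f"usable lines: {result['usable']}")
    for number, problems in result["defective"]:
        print(f"line {number}: {', '.join(problems)}")
```

Run it against a few thousand lines pulled from the collector rather than from the device itself: a gap that appears only after export (a forwarder dropping fields, or a parser rejecting the vendor's timestamp format) is what this check is meant to catch.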


Best Practices for CERT-In Compliance

Log Generation and Collection

Ensure all critical devices are capable of generating detailed logs. For firewalls, this usually means:

  • Session logs (allowed/blocked)
  • Threat prevention logs
  • Authentication and admin activity logs

Centralized Log Storage

Rather than storing logs only on devices (which are often rotated or overwritten), use a centralized log management infrastructure (e.g., SIEM or log lakes) that can:

  • Consolidate logs from firewalls and other sources
  • Store them securely for 180 days with integrity protections
  • Support quick retrieval when needed

Time Synchronization

Logs are useful only if timestamps are accurate. CERT-In directions also mandate synchronization with trusted clocks, such as NTP servers from:

  • National Informatics Centre (NIC)
  • National Physical Laboratory (NPL)

Accurate timestamps aid forensic analysis and help correlate logs across systems. (Source: Internet Society)

Secure and Tamper-Resistant Storage

Logs must be stored in a way that prevents tampering or deletion. Techniques include:

  • Write Once Read Many (WORM) storage
  • Immutable storage tiers
  • Retention policies that automatically enforce data aging
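The script below is an added example, not code from the original post or from CERT-In, that audits a centralised archive against three of the controls discussed in this section: a 180-day rolling retention window, tamper evidence for stored chunks, and collector clock accuracy. The archive is constructed in memory as one chunk per day; the SHA-256 hash chain is one integrity technique chosen here (the page only says "integrity protections"), and the one-second NTP tolerance is an assumed local policy value rather than anything the directions specify.

```python
"""Audit a centralised log archive for 180-day coverage, tamper evidence and
clock accuracy.

Added example: not from the original post and not CERT-In tooling. The archive
is constructed in memory; a real deployment would read chunks from WORM or
immutable storage and keep the chain head somewhere the log writer cannot
reach. The hash chain and the NTP tolerance are choices made for this example."""
import hashlib
from datetime import date, timedelta

RETENTION_DAYS = 180              # minimum rolling window in the directions
MAX_CLOCK_OFFSET_SECONDS = 1.0    # assumed tolerance for drift from the NTP source
AUDIT_DATE = date(2026, 4, 5)     # constructed "today" for the audit
GENESIS = "0" * 64                # fixed previous-hash for the first chunk


def days_ago(n, today=AUDIT_DATE):
    return today - timedelta(days=n)


def chain_hash(prev_hash, day, payload):
    """Hash this day's chunk together with the previous hash: editing or
    removing any earlier chunk invalidates every later link."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(day.isoformat().encode())
    h.update(payload)
    return h.hexdigest()


def build_archive(first_day, n_days):
    """Constructed archive: one chunk per day, each linked to the previous."""
    chunks, prev = [], GENESIS
    for i in range(n_days):
        day = first_day + timedelta(days=i)
        payload = f"{day} action=allow src=10.0.1.25 dst=203.0.113.10\n".encode()
        prev = chain_hash(prev, day, payload)
        chunks.append({"day": day, "payload": payload, "hash": prev})
    return chunks


def verify_chain(chunks):
    """Re-walk the chain; return the day of the first broken link, else None."""
    prev = GENESIS
    for chunk in chunks:
        if chain_hash(prev, chunk["day"], chunk["payload"]) != chunk["hash"]:
            return chunk["day"]
        prev = chunk["hash"]
    return None


def retention_gap(chunks, today=AUDIT_DATE):
    """Days absent from the last RETENTION_DAYS days (empty list = compliant)."""
    have = {chunk["day"] for chunk in chunks}
    window = {today - timedelta(days=i) for i in range(RETENTION_DAYS)}
    return sorted(window - have)


def clock_ok(offset_seconds):
    """True when the collector's measured offset from NTP is within tolerance."""
    return abs(offset_seconds) <= MAX_CLOCK_OFFSET_SECONDS


def audit(chunks, offset_seconds, today=AUDIT_DATE):
    return {
        "tampered_at": verify_chain(chunks),
        "missing_days": retention_gap(chunks, today),
        "clock_ok": clock_ok(offset_seconds),
    }


if __name__ == "__main__":
    archive = build_archive(days_ago(199), 200)   # 200 days: compliant
    print(audit(archive, 0.2))
    archive[100]["payload"] = b"edited"           # silent edit 99 days back
    print(audit(archive, 0.2))                    # tampered_at reports that day
```

The chain only proves integrity relative to its head: if an attacker can rewrite every later chunk and the stored head, the chain still verifies. That is why the head (or a periodic digest of it) belongs on WORM or immutable storage, or with a third party, and why the retention check should be run from a host other than the log collector itself.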

Documentation and Audit Trails

Maintain documented policies for logging, retention, access controls, and incident reporting. During audits, you’ll need to show not only logs but also the policies that govern them.


How CERT-In Uses Logs

When a cyber incident is reported, CERT-In may require:

  • Logs from the impacted devices (including the firewall)
  • Correlation of activities across multiple systems
  • Incident timelines
  • Supporting artifacts like configuration snapshots or session traces

Providing complete and accurate logs can dramatically accelerate investigation and incident containment.


Compliance Challenges

Data Volume and Costs

Storing 180 days of logs—especially detailed firewall logs—can be storage intensive. Organizations must balance retention needs with infrastructure costs.

Privacy and Data Protection

Logs can contain sensitive user information. Organizations must ensure that log retention complies not only with CERT-In directives but also with applicable privacy regulations.

Multi-Cloud and Hybrid Networks

Many enterprises operate hybrid environments. Ensuring consistent logging and retention across on-premises firewalls, cloud workloads, and third-party services can be complex.


The Penalty for Non-Compliance

Non-compliance with CERT-In directives is not just a technical deficiency. Under the Information Technology Act, failing to comply with directions can lead to legal penalties, including fines and other enforcement measures, particularly if deficiencies impact incident response or undermine national cyber readiness. (Source: Ardent Privacy)


Key Takeaways

  • CERT-In mandates the retention of logs for at least 180 days for all covered entities, including firewalls. (Source: Internet Society)
  • Logs must be securely stored, preferably within Indian jurisdiction or made promptly available. (Source: saikrishnaassociates.com)
  • Firewalls are essential log sources and must be configured for detailed logging and export.
  • Effective compliance requires centralized logging infrastructure, time synchronization, tamper-resistant retention, and clear policies.

Preparing for audits and incident reporting now not only ensures regulatory compliance, but also strengthens your organization’s overall security posture and resilience.
