"Retain transaction logs for 12 months" as a customer requirement?

  • Anyone else seen this? It's in a risk assessment doc that we've been responding to for a prospective customer (the added "durr" is my edit!):

    For applications that use a database, the service will have transaction logging enabled (durr...) and retain transaction logs for a minimum of 12 months

    I've tried arguing it with them, but they're not moving and they can't explain what the specific technical / process / audit requirement is.
    Surely they can't mean that we back up the database once and then let the transaction log build for a year? Otherwise, how would you retain actionable transaction logs for that period?

    My assumption is that what they need is auditing, and somebody has told them that transaction logs are the Best Way(tm) to achieve this.

    Anybody else had this demand, or have an alternative view on what they really want?

  • Discourse touched me in a no-no place

    @skotl said in "Retain transaction logs for 12 months" as a customer requirement?:

    Anybody else had this demand, or have an alternative view on what they really want?

    They want a file containing a record for each transaction that the system processes (that they are permitted to see) that is retained for a year. Is that notion of “transaction” the same as that used by the DB itself? No idea at all.

  • @skotl Is this from a European government or semigovernment institution? Because in that case they may just want you to be provider X.

  • @skotl When they say "transaction" do they mean database transaction? Or business transaction that happens to use the database?

    If the latter, you can just build history tables and you're set.

    But the first step here is to clear up the terminology. In IT, "transaction" can mean everything from the NTFS journaling, to a database transaction, to "buying a new car".

  • Discourse touched me in a no-no place

    @blakeyrat If the former, RUN.

  • It's a US company and they very specifically state "database transaction log".
    Even if that were technically possible (we use Azure SQL and it definitely isn't!) then, as far as I can see, it's a horrendously dumb idea.

  • @skotl If they're so concerned with keeping all their data history, why are they hosting it with a disinterested third-party? It makes no sense to ask that question and also be perfectly fine and dandy with using Azure SQL to store the data.

  • @blakeyrat Wouldn't disagree.
    I still think that what they want is audit records, which is fine, and some twat has persuaded them that audit == transaction == audit.

  • This reminds me about when Alex talked about the customer wanting "a new database every day."
