Submit feedback on
Excessive Retention of Audit Logs
We've received your feedback.
Thanks for reaching out!
Oops! Something went wrong while submitting the form.
Close
back arrow
Go back
Excessive Retention of Audit Logs
Jurian van Hoorn
Service Category
Storage
Cloud Provider
Azure
Service Name
Azure Blob Storage
Inefficiency Type
Over-Retention of Data
Explanation

Audit logs are often retained longer than necessary, especially in environments where the logging destination is not carefully selected. Projects that initially route SQL Audit Logs or other high-volume sources to LAW or Azure Storage may forget to revisit their retention strategy. Without policies in place, logs can accumulate unchecked—particularly problematic with SQL logs, which can generate significant volume. Lifecycle Management Policies in Azure Storage are a key tool for addressing this inefficiency but are often overlooked.

However, tier transitions are not always cost-saving. For example, in cases where log data consists of extremely large numbers of very small files (such as AKS audit logs across many pods), the transaction charges incurred when moving objects between storage tiers may exceed the potential savings from reduced storage rates. In these scenarios, it can be more cost-effective to retain logs in Hot tier until deletion, rather than moving them to lower-cost tiers first.

Detection

Identify resources with Audit Logging enabled

Determine whether logs are routed to Log Analytics Workspace or Azure Storage

Assess whether current retention aligns with compliance or operational needs

Evaluate volume and cost of logs retained beyond required periods

Review whether lifecycle policies or retention settings are currently configured

Check if any projects have a “set and forget” logging configuration that has never been reviewed

Remediation

Apply Azure Storage Lifecycle Management Policies to transition older logs to lower-cost tiers or delete them after a set retention period. Before implementing tier transitions, assess whether the additional transaction costs from moving large volumes of small log files could outweigh potential storage savings. In such cases, consider retaining logs in Hot tier until deletion if that results in lower overall cost.

For logs in Log Analytics Workspace, assess whether they can be moved to Basic tables or stored in Storage Accounts instead

Establish project-specific retention requirements with stakeholders and enforce them across all audit logging configurations

Periodically audit logging destinations and lifecycle settings to prevent silent cost creep

Relevant Billing Model

Storage costs accrue based on:

Volume of data stored per tier (Hot, Cool, Archive)

Duration retained (GB-months)

Log Analytics data stored in Analytics or Basic tables (charged per GB ingested and retained)

Audit logs routed to LAW or Storage will continue to generate cost until explicitly deleted or transitioned to a cheaper tier.

Detection
Remediation
Relevant Documentation
  • Azure Storage Lifecycle Management Overview
Submit Feedback
Powered by
Copyright © PointFive | All Rights Reserved 2025
Privacy Policy
Terms & Conditions
Cookie Policy
Cookies Preferences