---
title: Log retention is not set
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Log retention is not set
---

# Log retention is not set

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `0461b4fd-21ef-4687-929e-484ee4796785`

**Cloud Provider:** Azure

**Platform:** Ansible

**Severity:** Medium

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html)

### Description{% #description %}

PostgreSQL servers must retain logs to support security incident investigation and satisfy audit and compliance requirements. Without log retention, attackers or misconfigurations may go undetected and forensic analysis is impeded.

In Ansible playbooks using the `azure.azcollection.azure_rm_postgresqlconfiguration` or `azure_rm_postgresqlconfiguration` modules, the configuration entry with `name: log_retention` must have `value: on` (case-insensitive). Tasks missing the `log_retention` configuration or with `value` not equal to `on` are flagged as insecure.

Secure Ansible example:

```yaml
- name: Ensure PostgreSQL log_retention is enabled
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: my-resource-group
    server_name: my-postgres-server
    name: log_retention
    value: on
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Update PostgreSQL Server setting
  azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_retention
    value: on
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: Update PostgreSQL Server setting
  azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_retention
    value: off
```