D4 · Operations

What is a log retention policy?

Log retention defines how long logs must be kept. Compliance drivers: PCI DSS (1 year), HIPAA (6 years), SOX (7 years), GDPR (as long as necessary).
Incident investigations often require logs from 30-90 days ago. A 1-year minimum is a safe default. Storage tiers manage costs: hot storage (recent, fast) → warm storage (months, slower) → cold storage (archival, slowest/cheapest).