There are higher level questions that must be asked first.
What are the requirements of the system?
What is your standard logging architecture?
What has your organization decided is an acceptable level of logging?
Approaching this from the bottom up instead of the top down is a bad idea. Also, picking arbitrary intervals because they sound good or extra secure is not a good approach. You can waste a lot of resources which could be used elsewhere. An example of this would be having a 24x7 armed guard watch your garbage cans down by the curb. Sure, you may have placed something in the garbage that is sensitive, but you're not going to have an armed guard there to protect against a dumpster diver.
So, figure out what the higher level requirements are (your security policy isn't where you find this by the way, it should be in your standards or other supporting documentation) and then apply those to this system.
So in the end, no one here can decide what the proper logging interval is for you. If you are still unsure, you need to do a risk analysis and assessment. This can be performed by a third party and may be beneficial in your case if you're struggling with this issue.
--TH13