Logs vs Events sync #210

Closed
np5 opened this issue Oct 13, 2017 · 4 comments

@np5
Contributor

np5 commented Oct 13, 2017

We would like to have the possibility to get all the Santa decisions. It is my understanding that ALLOW_SCOPE, ALLOW_BINARY and ALLOW_CERTIFICATE are not considered events, and will only be present in the logs.

If we configure Santa to ship the logs — with upload_logs_url in the preflight response — we would get all the decisions, but with fewer details, and we would need to parse the log format. And we would not get all the events anymore.

@russellhancox
Collaborator

> It is my understanding that ALLOW_SCOPE, ALLOW_BINARY and ALLOW_CERTIFICATE are not considered events, and will only be present in the logs.

That's correct, our reasoning is that we use logs to see what's happened on any given machine in our fleet and the events are really just to give our whitelisting server all the information we need to make good decisions about what to whitelist - if something is allowed we don't need to whitelist it.

However, I can understand why you might prefer to get all of Santa's events as they do contain more information than the log, currently. The complicating factor is that allow events are significantly more numerous than block/unknown events and I don't know what the performance impact of trying to upload all events would be. Other than that, I don't see why this would be a problem as a configurable option. I don't currently have any spare cycles to work on this though, so if you have, feel free to have a crack at it, I'd be happy to review a PR. If not, we'll get to this as soon as we can.

> And we would not get all the events anymore.

That's not quite right, the branch you linked to will go to log upload if there's a log upload URL instead of event upload, but the final call of log upload is event upload.

However, I don't think receiving the logs via the log upload handler is a good way to go either - that path was generally intended for troubleshooting. It collects other logs as well as santa.log.

@pmarkowsky
Contributor

Don't we handle this with the enable_all_event_upload feature from #800?

@np5
Contributor Author

np5 commented Aug 11, 2023

Yes, we can see the ALLOW_CERTIFICATE decision events for example when we set enable_all_event_upload to true in the preflight response. In Zentral, it can also be set to a % of the enrolled devices.
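
A sync server could enable `enable_all_event_upload` for a percentage of enrolled devices, and keep the high-volume allow decisions apart from block/unknown events, along these lines. This is an added example, not code from Santa or Zentral; the function names, the salt, the `decision` event field and the sample events are assumptions.

```python
import hashlib

# Decision names quoted in the thread; everything else is a hypothetical sketch.
ALLOW_DECISIONS = {"ALLOW_SCOPE", "ALLOW_BINARY", "ALLOW_CERTIFICATE"}

# Constructed sample of an event upload body (not captured from a real client).
SAMPLE_EVENTS = [
    {"file_sha256": "a" * 64, "decision": "ALLOW_CERTIFICATE"},
    {"file_sha256": "b" * 64, "decision": "BLOCK_BINARY"},
    {"file_sha256": "c" * 64, "decision": "ALLOW_BINARY"},
    {"file_sha256": "d" * 64, "decision": "BLOCK_UNKNOWN"},
]


def in_rollout(machine_id: str, percent: int, salt: str = "all-event-upload") -> bool:
    """Deterministically place a machine in the first `percent` of 100 buckets.

    Hashing the machine id keeps the choice stable across syncs, so a device
    does not flip between uploading and not uploading allow events.
    """
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    digest = hashlib.sha256(f"{salt}:{machine_id}".encode()).digest()
    bucket = int.from_bytes(digest[:8], "big") % 100
    return bucket < percent


def preflight_response(machine_id: str, percent: int) -> dict:
    """Build the preflight field that switches on upload of allow decisions."""
    return {"enable_all_event_upload": in_rollout(machine_id, percent)}


def split_events(events: list) -> tuple:
    """Separate the numerous allow decisions from events that need review."""
    allowed, review = [], []
    for event in events:
        target = allowed if event.get("decision") in ALLOW_DECISIONS else review
        target.append(event)
    return allowed, review


if __name__ == "__main__":
    print(preflight_response("CONSTRUCTED-MACHINE-ID-0001", 20))
    allowed, review = split_events(SAMPLE_EVENTS)
    print(len(allowed), "allow decisions,", len(review), "for review")
```

Raising the percentage only ever adds devices to the rollout, because a device's bucket never changes.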

@pmarkowsky
Contributor

Marking this as resolved via #800.
