Logs vs Events sync
We would like to have the possibility to get all the santa decisions. It is my understanding that `ALLOW_SCOPE`, `ALLOW_BINARY` and `ALLOW_CERTIFICATE` are not considered events, and will only be present in the logs.
If we configure santa to ship the logs — with `upload_logs_url` in the preflight response — we would get all the decisions, but with less details, and we would need to parse the log format. And we would not get all the events anymore.
> It is my understanding that `ALLOW_SCOPE`, `ALLOW_BINARY` and `ALLOW_CERTIFICATE` are not considered events, and will only be present in the logs.
That's correct, our reasoning is that we use logs to see what's happened on any given machine in our fleet and the events are really just to give our whitelisting server all the information we need to make good decisions about what to whitelist - if something is allowed we don't need to whitelist it.
However, I can understand why you might prefer to get all of Santa's events as they do contain more information than the log, currently. The complicating factor is that allow events are significantly more numerous than block/unknown events and I don't know what the performance impact of trying to upload all events would be. Other than that, I don't see why this would be a problem as a configurable option. I don't currently have any spare cycles to work on this though, so if you have, feel free to have a crack at it; I'd be happy to review a PR. If not, we'll get to this as soon as we can.
> And we would not get all the events anymore.
That's not quite right: the branch you linked to will go to log upload if there's a log upload URL instead of event upload, but the final call of log upload is event upload.
However, I don't think receiving the logs via the log upload handler is a good way to go either - that path was generally intended for troubleshooting. It collects other logs as well as santa.log.
Don't we handle this with the `enable_all_event_upload` feature from #800?
Yes, we can see the `ALLOW_CERTIFICATE` decision events for example when we set `enable_all_event_upload` to `true` in the preflight response. In Zentral, it can also be set to a % of the enrolled devices.
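As an added illustration of the approach described in this reply (not code from Santa, Zentral or this thread), the following Python sketch shows a sync-server preflight handler that turns `enable_all_event_upload` on for a fixed percentage of the enrolled fleet. Only the two response keys named in the thread, `enable_all_event_upload` and `upload_logs_url`, are taken from the page; the request body shape, the `machine_id` parameter, the salt, and the `rollout_share` helper are assumptions of the example. Machines are bucketed by a stable hash rather than a random draw, so a device stays in or out of the rollout across syncs and the upload volume of allow events grows predictably as the percentage is raised.

```python
import hashlib
import json
from typing import Iterable, Optional


def rollout_bucket(machine_id: str, salt: str = "allow-events-v1") -> int:
    """Map a machine identifier to a stable bucket in the range 0..99.

    Hashing (instead of random.random()) keeps a machine in or out of the
    rollout on every sync, so the fleet-wide share stays at the chosen
    percentage rather than flapping per request. Changing the salt
    reshuffles which machines are selected.
    """
    digest = hashlib.sha256(f"{salt}:{machine_id}".encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % 100


def in_rollout(machine_id: str, percent: int, salt: str = "allow-events-v1") -> bool:
    """True when this machine falls inside the first `percent` buckets."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    return rollout_bucket(machine_id, salt) < percent


def build_preflight_response(machine_id: str, percent: int,
                             logs_url: Optional[str] = None) -> dict:
    """Assemble the preflight response body.

    `enable_all_event_upload` and `upload_logs_url` are the keys discussed
    in the thread; the percentage policy and the optional logs URL are
    assumptions of this example.
    """
    response = {"enable_all_event_upload": in_rollout(machine_id, percent)}
    if logs_url:
        # Log shipping is a troubleshooting path; keep it opt-in per response.
        response["upload_logs_url"] = logs_url
    return response


def handle_preflight(machine_id: str, raw_body: bytes, percent: int) -> str:
    """Parse a preflight request body and return the JSON response text.

    The request shape (a JSON object carrying e.g. `hostname`) is assumed
    for this example, not taken from the thread.
    """
    request = json.loads(raw_body)
    if not isinstance(request, dict):
        raise ValueError("preflight body must be a JSON object")
    response = build_preflight_response(machine_id, percent)
    # Record the decision so the share of machines uploading allow events
    # can later be reconciled against the configured percentage.
    print(f"preflight {machine_id} host={request.get('hostname')!r} "
          f"all_events={response['enable_all_event_upload']}")
    return json.dumps(response)


def rollout_share(machine_ids: Iterable[str], percent: int) -> float:
    """Fraction of the given fleet that the policy would enable."""
    ids = list(machine_ids)
    enabled = sum(in_rollout(m, percent) for m in ids)
    return enabled / len(ids)


if __name__ == "__main__":
    # Constructed sample fleet and request body; none of these values are real.
    fleet = [f"machine-{i:04d}" for i in range(2000)]
    body = json.dumps({"serial_num": "SERIAL-PLACEHOLDER", "hostname": "mac-0001"}).encode()
    print(handle_preflight("machine-0001", body, percent=10))
    print(f"share enabled at 10%: {rollout_share(fleet, 10):.3f}")
```

Raising `percent` only ever adds machines to the rollout (a machine enabled at 10% is still enabled at 20%), which keeps the event stream comparable between steps while the upload cost is measured.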
Marking this as resolved via #800.