You have many tools to reach for before that one:
1) built-in osquery logging plugins (AWS Kinesis/Firehose, Kafka, etc.)
2) TLS logging (built-in) to aggregate logs on a server and then use aggregation tools on that server.
3) Deploy aggregation to individual endpoints (as you describe)
06/04/2020, 5:50 PM
I was thinking of using file carving to look at munki logs ad hoc
06/04/2020, 5:51 PM
Oh, you are not talking about osquery logs. In that case it seems much more reasonable. I'm not familiar with Munki logs... Possibly creating a table (in an extension?) that parses them could be useful.