Is using file carving to collect logs from endpoints too muc

Question

Is using file carving to collect logs from endpoints too much of a hack vs using a log aggregation tool like filebeat

zwass · Answer

I would say yes

zwass · Answer

I think it s going to be very tricky to implement that in a way that is reliable and doesn t introduce a ton of duplicates

zwass · Answer

You have many tools to reach for before that one 1 built in osquery logging plugins AWS Kinesis Firehose Kafka etc 2 TLS logging built in to aggregate logs on a server and then use aggregation tools on that server 2 Deploy aggregation to individual endpoints as you describe

wtheaker · Answer

I was thinking of using file carving to look at munki logs ad hoc

zwass · Answer

Oh you are not talking about osquery logs In that case it seems much more reasonable I m not familiar with Munki logs Possibly creating a table in an extension that parses them could be useful