Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
w
wtheaker
06/04/2020, 5:23 PMIs using file carving to collect logs from endpoints too much of a hack vs using a log aggregation tool like filebeat?
z
zwass
06/04/2020, 5:27 PMI would say yes
1️⃣ 1
I think it's going to be very tricky to implement that in a way that is reliable and doesn't introduce a ton of duplicates.
☝️ 1
You have many tools to reach for before that one:
1) built-in osquery logging plugins (AWS Kinesis/Firehose, Kafka, etc.)
2) TLS logging (built-in) to aggregate logs on a server and then use aggregation tools on that server.
2) Deploy aggregation to individual endpoints (as you describe)
w
wtheaker
06/04/2020, 5:50 PMI was thinking of using file carving to look at munki logs ad hoc
z
zwass
06/04/2020, 5:51 PMOh, you are not talking about osquery logs. In that case it seems much more reasonable. I'm not familiar with Munki logs... Possibly creating a table (in an extension?) that parses them could be useful.