santa
Document differences between events for sync servers and telemetry
We should be explicit about how Santa is designed to interact with sync servers. This interaction is focused on enabling delivery of updated rules and configuration to clients. Logs/telemetry is separate and not currently intended to be streamed to the sync server.
My $0.02 is to add the following definition:
- Events are specific things we want the user / sync service to approve
- Logs are Santa's official record of what it observed and how it responded.
This means that anything we call an Event is to be managed by the sync service. Logs, on the other hand, can be ingested by any logging system, SIEM or whatever. A sync service may use logs, e.g. to figure out which rules are actually in use, but they aren't explicitly required.
Thoughts?