Hello,
I need to monitor the device for an activity that is not supported by the ES framework. I can reliably monitor it using the correct filters with log stream, for example
sudo log stream --info --style compact --predicate 'category = "X"'
But I need to provide that functionality through my application. Because of that, I made an instance of a log store, hoping I would be able to retrieve the necessary information that way. The problem is that the messages sometimes appear and sometimes do not. The log level I am interested in is info, which according to the docs:
The system stores info-level messages in memory buffers and, without a configuration change, purges the oldest messages as those buffers fill up.
If I understand that correctly, the info messages are being written to the buffer and not the store, only sometimes reaching it. But that should also be modifiable with a configuration change? How could I make such a change to always save info logs to the store and retrieve them?
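Reading the same category from inside an app rather than with log stream, as an added example that is not code from the post: it opens OSLogStore, applies the post's category name X as an NSPredicate, and keeps only info-level entries. The subsystem name and the ten-minute window are assumptions; the post gives neither.

```swift
import Foundation
import OSLog

/// Added example (not from the post): collect info-level entries for one unified-log
/// category from OSLogStore. `category` is "X" in the post; `seconds` (how far back
/// to read) is an assumed default.
@available(macOS 12.0, *)
func infoEntries(category: String, since seconds: TimeInterval = 600) throws -> [OSLogEntryLog] {
    // .system reads the device-wide store and needs elevated privileges on macOS;
    // .currentProcessIdentifier works unprivileged but only covers this process.
    let store = try OSLogStore(scope: .system)
    let start = store.position(date: Date(timeIntervalSinceNow: -seconds))

    // Same predicate language as `log show --predicate`; "category == %@" here
    // matches the `category = "X"` form used on the command line.
    let predicate = NSPredicate(format: "category == %@", category)

    return try store.getEntries(with: [], at: start, matching: predicate)
        .compactMap { $0 as? OSLogEntryLog }   // skip activity, signpost and boundary entries
        .filter { $0.level == .info }          // the level the in-memory buffers may purge
}

@available(macOS 12.0, *)
func printInfoEntries(category: String) {
    do {
        for entry in try infoEntries(category: category) {
            print("\(entry.date) \(entry.subsystem) [\(entry.category)] pid=\(entry.processIdentifier) \(entry.composedMessage)")
        }
    } catch {
        // Thrown when the store cannot be opened, typically for lack of privilege.
        print("log store error: \(error)")
    }
}

if #available(macOS 12.0, *) {
    printInfoEntries(category: "X")
}
```

The store only returns what logd has kept, so the configuration change the post asks about is made outside the app: `sudo log config --mode "persist:info" --subsystem <subsystem> --category X` switches info-level messages for that subsystem and category from the memory buffer to the persistent store, and `sudo log config --status --subsystem <subsystem>` shows the current setting. The subsystem is the one the emitting process logs under, which the post does not name.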
I'm writing an ES client, and as part of that I want to monitor when a user is being added to or removed from a group. From my understanding I should be able to get the name of the user with
msg->event.od_group_remove->member->member_value.name.data
but it looks like this field gets populated randomly. I will trigger a similar event a couple of times, for example adding a user to a group, and on one occasion this will hold a value, on another it will be empty.
I also tried to check different fields, and surprisingly
od_create_user->user_name
holds the name of the group I am editing, not the name of the user I am adding to the group (but I'm not sure whether it should even be engaged at this point).
Am I missing something? Is there a workaround? Or is this a bug?
Hello,
I am writing an Endpoint Security Client application that is supposed to monitor file creation/writing/deletion. It works fine except for one thing - it doesn't pick up changes to the cron jobs file.
I am monitoring the directory that stores the cron job config file, and if I add, delete or write to any new file manually (using for example vim) it is picked up by the ES client (yes, I know cron files are not meant to be edited manually).
But if I make changes with the command crontab -e, then although the contents of the file change, the ES client does not send a notification about it. Any ideas why? Is the mechanism responsible different from just writing the file?
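One ES client that covers both of the questions above (the group-membership events and the cron directory), as an added example that is not code from either post. For the OD events it checks the member_type discriminator before reading member_value, since the name field is only defined for the user-name variant and the UUID variants leave it unset. For the directory it subscribes to rename in addition to write and unlink, and resolves the rename destination, because a Vixie-style crontab installs the edited file by writing a temporary file and renaming it over the spool entry, which never produces a write on the final path. The watched directory /var/at/tabs is an assumption (the post does not name it), the OD group events require macOS 14, and running the client needs the Endpoint Security entitlement.

```swift
import EndpointSecurity
import Foundation

// Added example, not from either post. Assumed watched directory: the macOS cron spool.
let watchedDirectory = "/var/at/tabs"

// es_string_token_t carries an explicit length; do not assume NUL termination.
func string(_ token: es_string_token_t) -> String {
    guard let base = token.data, token.length > 0 else { return "" }
    return String(decoding: UnsafeRawBufferPointer(start: base, count: token.length), as: UTF8.self)
}

enum GroupMember: CustomStringConvertible {
    case userName(String), userUUID(UUID), groupUUID(UUID), unknown(UInt32)
    var description: String {
        switch self {
        case .userName(let n):  return "user \(n)"
        case .userUUID(let u):  return "user uuid \(u.uuidString)"
        case .groupUUID(let u): return "group uuid \(u.uuidString)"
        case .unknown(let t):   return "member_type \(t)"
        }
    }
}

// Read the union only through the variant that member_type says is present.
func member(of id: es_od_member_id_t) -> GroupMember {
    switch id.member_type {
    case ES_OD_MEMBER_TYPE_USER_NAME:  return .userName(string(id.member_value.name))
    case ES_OD_MEMBER_TYPE_USER_UUID:  return .userUUID(UUID(uuid: id.member_value.uuid))
    case ES_OD_MEMBER_TYPE_GROUP_UUID: return .groupUUID(UUID(uuid: id.member_value.uuid))
    default:                           return .unknown(id.member_type.rawValue)
    }
}

// For NEW_PATH the destination does not exist yet, so build it from dir + filename.
func renameDestination(_ ev: es_event_rename_t) -> String {
    switch ev.destination_type {
    case ES_DESTINATION_TYPE_EXISTING_FILE:
        return string(ev.destination.existing_file.pointee.path)
    case ES_DESTINATION_TYPE_NEW_PATH:
        let dir = string(ev.destination.new_path.dir.pointee.path)
        return (dir as NSString).appendingPathComponent(string(ev.destination.new_path.filename))
    default:
        return ""
    }
}

func isWatched(_ path: String) -> Bool { path.hasPrefix(watchedDirectory + "/") }

func report(_ what: String, _ msg: UnsafePointer<es_message_t>) {
    let exe = string(msg.pointee.process.pointee.executable.pointee.path)
    print("\(what) by \(exe)")
}

func handle(_ msg: UnsafePointer<es_message_t>) {
    switch msg.pointee.event_type {
    case ES_EVENT_TYPE_NOTIFY_OD_GROUP_ADD:
        let ev = msg.pointee.event.od_group_add.pointee
        report("od_group_add group=\(string(ev.group_name)) member=\(member(of: ev.member.pointee)) err=\(ev.error_code)", msg)
    case ES_EVENT_TYPE_NOTIFY_OD_GROUP_REMOVE:
        let ev = msg.pointee.event.od_group_remove.pointee
        report("od_group_remove group=\(string(ev.group_name)) member=\(member(of: ev.member.pointee)) err=\(ev.error_code)", msg)
    case ES_EVENT_TYPE_NOTIFY_WRITE:
        let path = string(msg.pointee.event.write.target.pointee.path)
        if isWatched(path) { report("write \(path)", msg) }
    case ES_EVENT_TYPE_NOTIFY_RENAME:
        // A temp-file-plus-rename editor changes the watched file without any WRITE
        // on its path; the rename into the directory is the change to record.
        let dest = renameDestination(msg.pointee.event.rename)
        if isWatched(dest) { report("rename -> \(dest)", msg) }
    case ES_EVENT_TYPE_NOTIFY_UNLINK:
        let path = string(msg.pointee.event.unlink.target.pointee.path)
        if isWatched(path) { report("unlink \(path)", msg) }
    default:
        break
    }
}

func runClient() -> Bool {
    var client: OpaquePointer?
    // Needs root and the com.apple.developer.endpoint-security.client entitlement;
    // the result value says which precondition failed.
    guard es_new_client(&client, { _, msg in handle(msg) }) == ES_NEW_CLIENT_RESULT_SUCCESS,
          let client = client else { return false }
    var events: [es_event_type_t] = [
        ES_EVENT_TYPE_NOTIFY_OD_GROUP_ADD, ES_EVENT_TYPE_NOTIFY_OD_GROUP_REMOVE,   // macOS 14+
        ES_EVENT_TYPE_NOTIFY_WRITE, ES_EVENT_TYPE_NOTIFY_RENAME, ES_EVENT_TYPE_NOTIFY_UNLINK,
    ]
    return es_subscribe(client, &events, UInt32(events.count)) == ES_RETURN_SUCCESS
}

if runClient() { dispatchMain() } else { exit(1) }
```

When extending this, the same prefix check applies to any other way a file can land in the directory without an in-place write, such as a clone or an exchangedata call, so subscribe to those event types as well if the tools in use rely on them.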