Interpreting `--audit` log messages

I’m writing a script that reads syncthing’s `--audit` logs and then sends me (by email) a regular digest on what file changes have been made. I’m running syncthing as a systemd service, and I’m writing the audit log to stdout (with `--auditfile=-`), and then reading its messages using `journalctl`.

Looking at the audit log, I’ve settled on relying on “ItemFinished” type messages to get my history of changes. Will these messages alone give me an authoritative history of all file changes?

And, looking at those “ItemFinished” type messages, I notice that data’s action is only ever “update” or “delete”. That is to say, creating a new file (or directory) gets logged as an “update”. Why is this, and is there any other way (using the audit log) to distinguish a create operation from an update?

Thank you!


That sounds about right and, no, there is currently no way to differentiate between an update that created a file and an update that just changed an existing file.

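An added example of the digest script discussed above (not from either poster, nor from the syncthing project): it reads the journal output line by line, keeps only `ItemFinished` events, sets failed items apart from completed changes, and groups the rest by folder and action. It assumes the audit log is JSON lines with `type`, `time` and `data.{folder,item,type,action,error}` fields as in syncthing's documented event API; the sample lines are constructed.

```python
import json
import sys
from collections import defaultdict

# Constructed sample of `journalctl -u syncthing -o cat` output with --auditfile=-: audit
# events interleaved with ordinary log lines. Field names follow syncthing's documented ItemFinished event.
SAMPLE_LINES = [
    "INFO: Ready to synchronize docs",
    '{"id":2,"globalID":2,"time":"2024-01-01T10:00:01Z","type":"ItemFinished","data":{"folder":"docs","item":"a.txt","type":"file","action":"update","error":null}}',
    '{"id":3,"globalID":3,"time":"2024-01-01T10:00:02Z","type":"ItemFinished","data":{"folder":"docs","item":"old","type":"dir","action":"delete","error":null}}',
    '{"id":5,"globalID":5,"time":"2024-01-01T10:00:04Z","type":"ItemFinished","data":{"folder":"photos","item":"x.jpg","type":"file","action":"update","error":"permission denied"}}',
    "not json at all {",
]

def iter_events(lines):
    """Yield parsed audit events; skip ordinary log lines and malformed JSON."""
    for line in lines:
        if line.lstrip().startswith("{"):
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                continue

def summarize_item_finished(lines):
    """Return {folder: {"update": [...], "delete": [...], "failed": [...]}} from ItemFinished
    events only. A create is indistinguishable from a modification: both arrive as "update"."""
    digest = defaultdict(lambda: {"update": [], "delete": [], "failed": []})
    for ev in iter_events(lines):
        if ev.get("type") != "ItemFinished":
            continue
        d = ev.get("data", {})
        folder, item, action = d.get("folder"), d.get("item"), d.get("action")
        if d.get("error"):  # item was attempted but failed; don't count it as a change
            digest[folder]["failed"].append((item, d["error"]))
        elif action in ("update", "delete"):
            digest[folder][action].append((item, d.get("type"), ev.get("time")))
    return dict(digest)

def render_digest(digest):
    """Plain-text body for the e-mail digest, one section per folder."""
    out = []
    for folder, groups in sorted(digest.items()):
        out.append(f"[{folder}]")
        out.extend(f"  {a:6} {k:4} {i} ({t})" for a in ("update", "delete") for i, k, t in groups[a])
        out.extend(f"  FAILED {i}: {e}" for i, e in groups["failed"])
    return "\n".join(out)

if __name__ == "__main__":
    src = sys.stdin if "-" in sys.argv[1:] else SAMPLE_LINES  # journalctl -u syncthing -o cat | digest.py -
    print(render_digest(summarize_item_finished(src)))
```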