I’m writing a script that reads syncthing’s --audit logs and then sends me (by email) a regular digest on what file changes have been made. I’m running syncthing as a systemd service, and I’m writing the audit log to stdout (with --auditfile=-), and then reading its messages using journalctl.
Looking at the audit log, I’ve settled on relying on “ItemFinished” type messages to get my history of changes. Will these messages alone give me an authoritative history of all file changes?
And, looking at those “ItemFinished” type messages, I notice that data’s action is only ever “update” or “delete”. That is to say, creating a new file (or directory) gets logged as an “update”. Why is this, and is there any other way (using the audit log) to distinguish a create operation from an update?
Thank you!
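
A sketch of the digest step described in the post, added here as an example; it is not the poster's script or Syncthing project code. It assumes one JSON object per line (as `journalctl -o cat` would print the unit's stdout); the field names `time`, `folder`, `item` and `error` are assumptions, and the sample lines are constructed.

```python
import json

# Constructed sample lines; only "type" and data.action come from the post,
# the other field names are assumptions about the audit record layout.
SAMPLE = [
    '{"id":1,"time":"2024-01-01T10:00:00Z","type":"ItemFinished","data":{"folder":"docs","item":"a.txt","type":"file","action":"update","error":null}}',
    '{"id":2,"time":"2024-01-01T10:01:00Z","type":"ItemFinished","data":{"folder":"docs","item":"old","type":"dir","action":"delete","error":null}}',
    '{"id":3,"time":"2024-01-01T10:02:00Z","type":"ItemFinished","data":{"folder":"docs","item":"b.txt","type":"file","action":"update","error":"permission denied"}}',
    '{"id":4,"time":"2024-01-01T10:03:00Z","type":"StateChanged","data":{"folder":"docs","to":"idle"}}',
    'INFO: ordinary log output, not an audit record',
]

def parse_item_finished(lines):
    """Yield (time, folder, item, action, error) for each ItemFinished record."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # non-audit output sharing stdout with the audit stream
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved journal line
        if not isinstance(event, dict) or event.get("type") != "ItemFinished":
            continue
        data = event.get("data")
        if not isinstance(data, dict):
            continue
        yield (event.get("time"), data.get("folder"), data.get("item"),
               data.get("action"), data.get("error"))

def build_digest(lines):
    """Group successful items by action; keep failed items separate."""
    digest = {"changes": {}, "failed": []}
    for when, folder, item, action, error in parse_item_finished(lines):
        if error:  # an item that finished with an error is not a completed change
            digest["failed"].append((when, folder, item, error))
        else:
            digest["changes"].setdefault(action, []).append((when, folder, item))
    return digest

def render(digest):
    """Plain-text body for the digest e-mail."""
    out = []
    for action, rows in digest["changes"].items():
        out.append(f"{action}: {len(rows)}")
        out += [f"  {when}  {folder}/{item}" for when, folder, item in rows]
    out.append(f"failed: {len(digest['failed'])}")
    return "\n".join(out)
```

Feeding it `journalctl -u <unit> -o cat` output line by line keeps non-JSON log lines and failed items out of the change counts.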