Solved

Google SecOps Recovery from API outage

  • January 4, 2025
  • 2 replies
  • 19 views


I was told by our implementor that Google SecOps pulls logs from a source API every 15 minutes, and if the source goes down or there is some issue with the API connection that prevents logs from being pulled, they are lost, and there is no way for Google SecOps to retrieve them after the connection is restored. This doesn't sound right to me. Is there a way to pull missed logs assuming the source still has them available? 

Best answer by cmmartin_google

This would depend on whether it is a pull or a push, and on whether the sender has any form of bookmark mechanism.

For pull-based API integrations a bookmark mechanism is used, e.g. a datetime stamp, and post-outage, collection is attempted from that point (assuming the source still has those logs available) until it catches up to now.

For push-based API integrations, e.g. a WebHook, it's often a fire-and-forget approach from the sender: if the client (SecOps) isn't there to receive them, the logs are not sent, and only upon re-establishing an HTTP stream are logs from that point on received.

If you have specific integrations then a more detailed answer may be possible.
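An added example, not code from the original thread or from Google SecOps, of the pull-side bookmark behaviour described above: the collector persists the end of the last window it stored, a failed poll leaves that bookmark untouched, and the first successful poll after the outage replays every missed window up to now. `SourceAPI`, `PullCollector` and the event timestamps are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

T0 = datetime(2025, 1, 4, 0, 0, tzinfo=timezone.utc)
MIN = timedelta(minutes=1)

# Constructed sample: the source retains one event every 10 minutes over an hour.
SOURCE_EVENTS = [{"ts": T0 + i * 10 * MIN, "msg": f"event-{i}"} for i in range(6)]


class SourceAPI:
    """Constructed stand-in for a pull API that serves a [start, end) time window."""

    def __init__(self, events):
        self.events = events
        self.available = True  # set to False to simulate an outage

    def fetch(self, start, end):
        if not self.available:
            raise ConnectionError("source API unreachable")
        return [e for e in self.events if start <= e["ts"] < end]


class PullCollector:
    """Polls on a fixed interval; the bookmark is the end of the last stored window."""

    def __init__(self, api, bookmark, interval=15 * MIN):
        self.api, self.bookmark, self.interval = api, bookmark, interval
        self.collected = []

    def poll(self, now):
        """Collect from the bookmark up to `now` in interval-sized windows.
        A failed window leaves the bookmark unchanged, so nothing is skipped."""
        while self.bookmark < now:
            end = min(self.bookmark + self.interval, now)
            try:
                batch = self.api.fetch(self.bookmark, end)
            except ConnectionError:
                return False  # retry from the same bookmark on the next poll
            self.collected.extend(batch)  # store the window first ...
            self.bookmark = end  # ... then advance the bookmark
        return True


def run_outage_scenario():
    """Polls at +15, +30, +45, +60 min; the source is down for the middle two polls."""
    api = SourceAPI(SOURCE_EVENTS)
    collector = PullCollector(api, bookmark=T0)
    results = []
    for minute, up in [(15, True), (30, False), (45, False), (60, True)]:
        api.available = up
        results.append(collector.poll(T0 + minute * MIN))
    return results, len(collector.collected), collector.bookmark
```

With the outage the two middle polls fail, and the poll at +60 walks windows 15-30, 30-45 and 45-60 so all six events end up collected and the bookmark lands on +60.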

2 replies

cmmartin_google
Staff


  • New Member
  • January 6, 2025



Thanks, I am facing a similar issue.