by mlosapio 2981 days ago
OpenBSM is awesome except you’re forced to invent your own way of log gathering - which becomes more painful when you’re mobile or offline and then you’ve got to keep state on what’s been transmitted to the mothership.

Would be nice for some insight into Dropbox’s solution here...


To address logging offline you need a log shipper that will do reliable logging and pick up where it left off. I think rsyslog, Elastic Beats, and Splunk forwarder will all do that. Then logs are sent when a machine connects to a network.

For mobile (online but outside corporate network) there are two options I've heard of being done:

1. Have each endpoint have a unique TLS certificate, and have the log shipper do mutual TLS to the logging server which has a public IP.

2. Have a backhaul VPN that is always connected, automatically, to the monitoring network, and send the logs over that. That VPN is different than the user VPN that gives access to the corporate network.
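To make the "pick up where it left off" requirement concrete, here is an added example (not code from this thread, Dropbox, or any of the shippers named above) of the checkpoint logic a reliable shipper needs: it reads whole lines past a persisted byte offset, advances the offset only after the transport acknowledges a batch, and restarts from zero if the file was rotated or truncated. The `send` callable is a stub standing in for whatever link the shipper actually uses (mutual TLS to a public collector, or the backhaul VPN); the log lines and the flaky network in `demo()` are constructed.

```python
"""Checkpointed log shipper (added example). Resumes from the last
acknowledged byte offset so an endpoint that was offline neither re-sends
what the collector already has nor skips what it never received."""
import json
import os
import tempfile


def read_checkpoint(state_path):
    """Return the last acknowledged offset for the log file, 0 if no state yet."""
    try:
        with open(state_path) as f:
            return int(json.load(f)["offset"])
    except (FileNotFoundError, ValueError, KeyError):
        return 0


def write_checkpoint(state_path, offset):
    """Persist the offset atomically so a crash mid-write cannot corrupt state."""
    tmp = state_path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"offset": offset}, f)
    os.replace(tmp, state_path)


def ship(log_path, state_path, send, batch_size=2):
    """Send complete lines after the checkpoint in batches.
    `send(lines) -> bool` is the transport; False means the link is down
    and the checkpoint must stay at the last acknowledged offset.
    Returns (lines_shipped_this_run, new_offset)."""
    offset = read_checkpoint(state_path)
    if os.path.getsize(log_path) < offset:
        offset = 0  # file rotated or truncated: start over rather than skip data
    shipped = 0
    with open(log_path, "rb") as f:
        f.seek(offset)
        while True:
            batch, batch_end = [], offset
            while len(batch) < batch_size:
                line = f.readline()
                if not line.endswith(b"\n"):
                    break  # EOF or a partial line still being written: leave it
                batch.append(line.decode("utf-8", "replace").rstrip("\n"))
                batch_end += len(line)
            if not batch or not send(batch):
                break
            offset = batch_end           # only acknowledged bytes move the checkpoint
            write_checkpoint(state_path, offset)
            shipped += len(batch)
    return shipped, offset


def demo():
    """Constructed scenario: five events, the network drops after the first
    batch, then a second run resumes exactly where the first stopped."""
    d = tempfile.mkdtemp()
    log, state = os.path.join(d, "audit.log"), os.path.join(d, "audit.state")
    with open(log, "w") as f:
        f.write("".join(f"event {i}\n" for i in range(5)))  # 8 bytes per line
    delivered, calls = [], {"n": 0}

    def flaky_send(batch):
        calls["n"] += 1
        if calls["n"] == 2:
            return False  # simulate the machine going offline
        delivered.extend(batch)
        return True

    first = ship(log, state, flaky_send)   # ships 2 lines, offset 16, then fails
    second = ship(log, state, flaky_send)  # resumes at 16, ships remaining 3
    return first, second, delivered


if __name__ == "__main__":
    print(demo())
```

Each run is idempotent with respect to the collector: the same line is never delivered twice, because the checkpoint is written only after `send` returns True, and a partial trailing line is deliberately left until the next run.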

Yes, but to get BSM into Elastic Beats, you either need to make a shim to convert from BSM binary format into json for FileBeat to consume, or you need to write your own Beats for BSM files.
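One shape such a shim can take, as an added example (not code from this thread, from OpenBSM, or from the Beats project): instead of decoding the BSM binary format itself, it consumes the XML that OpenBSM's `praudit -x` already prints and emits one JSON object per audit record, which Filebeat can ingest as JSON lines. The `SAMPLE_PRAUDIT_XML` below is constructed to approximate `praudit -x` output and is not real audit data; the `timestamp` field and the flattening rules (header attributes at top level, tokens keyed by tag, repeated tags collected into lists) are this example's own choices.

```python
"""praudit -x XML to JSON-lines shim (added example)."""
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from io import BytesIO

# Constructed sample approximating `praudit -x` output; not real audit data.
SAMPLE_PRAUDIT_XML = """<?xml version='1.0' encoding='UTF-8'?>
<audit>
<record version="11" event="OpenSSH login" modifier="0" time="Tue Jan  1 12:00:00 2019" msec=" + 123 msec" >
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="1234" sid="100" tid="0 0.0.0.0" />
<text>successful login alice</text>
<return errval="success" retval="0" />
</record>
<record version="11" event="execve(2)" modifier="0" time="Tue Jan  1 12:00:05 2019" msec=" + 456 msec" >
<argument arg-num="0" value="/bin/ls" desc="path" />
<argument arg-num="1" value="-la" desc="argv" />
<path>/bin/ls</path>
<attribute mode="100755" uid="root" gid="wheel" fsid="16777220" nodeid="12345" device="0" />
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="1235" sid="100" tid="0 0.0.0.0" />
<return errval="success" retval="0" />
</record>
</audit>
"""


def parse_timestamp(time_str, msec_str):
    """Combine praudit's ctime-style `time` and ` + N msec` into ISO 8601.
    praudit prints local time without a zone, so none is claimed here."""
    if not time_str:
        return None
    dt = datetime.strptime(time_str, "%a %b %d %H:%M:%S %Y")
    m = re.search(r"\d+", msec_str or "")
    dt += timedelta(milliseconds=int(m.group()) if m else 0)
    return dt.isoformat(timespec="milliseconds")


def record_to_dict(rec):
    """Flatten one <record>: header attributes at top level, each token
    (subject, return, path, ...) keyed by its tag; repeated tags become lists."""
    doc = dict(rec.attrib)
    doc["timestamp"] = parse_timestamp(doc.get("time"), doc.get("msec"))
    for tok in rec:
        entry = dict(tok.attrib)
        text = (tok.text or "").strip()
        if text:
            entry["text"] = text
        if list(entry) == ["text"]:      # <text>, <path>: keep as a plain string
            entry = text
        if tok.tag in doc:               # second <argument>, <path>, ... -> list
            prev = doc[tok.tag]
            doc[tok.tag] = (prev if isinstance(prev, list) else [prev]) + [entry]
        else:
            doc[tok.tag] = entry
    return doc


def praudit_xml_to_records(xml_text):
    """Stream <record> elements from praudit -x output; clear each after use
    so a day's worth of audit trail does not have to fit in memory."""
    records = []
    for _, elem in ET.iterparse(BytesIO(xml_text.encode("utf-8")), events=("end",)):
        if elem.tag == "record":
            records.append(record_to_dict(elem))
            elem.clear()
    return records


def praudit_xml_to_jsonl(xml_text):
    """One JSON object per line, the form Filebeat's json input expects."""
    return [json.dumps(r, sort_keys=True) for r in praudit_xml_to_records(xml_text)]


if __name__ == "__main__":
    for line in praudit_xml_to_jsonl(SAMPLE_PRAUDIT_XML):
        print(line)
```

In deployment the shim would read `praudit -x` from a pipe (`praudit -x /var/audit/current | shim >> /var/log/bsm.jsonl`) and Filebeat would tail the `.jsonl` file; the point of going through `praudit` is that the BSM token set is versioned and non-trivial, and the XML output is already the canonical, maintained decoding of it.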