Hi! There are two fields in the ES message: global_seq_num and seq_num, which are described as a continuous number sequence unless the kernel is "dropping events" because the "kernel generated more events than the client could handle." https://developer.apple.com/documentation/endpointsecurity/es_message_t/3684979-global_seq_num
https://developer.apple.com/documentation/endpointsecurity/es_message_t/3538607-seq_num
However, as we all know, the system will kill the ES client if a message is not answered within the deadline.
I have a lot of questions about this:
- What is a "drop", actually? Is the event not provided to the ES client by the kernel?
- What does "client could handle" mean exactly? (I mean, the ES client will already have been killed if it can't respond to an event by the deadline.)
- Are the dropped events responded to by the system immediately, or do they wait for something?
- Can only auth events be dropped, or notify events too?
- What is the system's resolution for dropped auth events? (allow, I guess)
- What am I expected to do as a developer with these two fields: should I just log them and hope to find something out later, or can I react somehow at runtime if I detect a break in the *seq_num sequence?
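The last question above, detecting a break in the sequence at runtime, is the one part of this that a client can actually act on. Below is an added example, not code from the original post or from Apple's EndpointSecurity framework: a small gap tracker that mirrors the two fields (a per-client counter in the role of global_seq_num and a per-event-type counter in the role of seq_num) without including the ES headers, so it builds anywhere. The first message seen is taken as the baseline rather than assuming a fixed starting value, the event-type bound MAX_EVENT_TYPES is a constructed limit for the example, and the replayed message stream is constructed to contain one drop.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed bound for this example; not an EndpointSecurity constant. */
#define MAX_EVENT_TYPES 64

/* Tracks the last sequence number seen per client and per event type. */
typedef struct {
    bool     have_global;
    uint64_t last_global;                 /* last global_seq_num observed */
    bool     have_seq[MAX_EVENT_TYPES];
    uint64_t last_seq[MAX_EVENT_TYPES];   /* last seq_num observed per type */
} seq_tracker_t;

/* Number of messages missing immediately before the observed one. */
typedef struct {
    uint64_t global_gap;   /* across all event types */
    uint64_t type_gap;     /* within this event type only */
} gap_report_t;

static void seq_tracker_init(seq_tracker_t *t) { memset(t, 0, sizeof *t); }

/* Feed the numbers from one message. Gaps are counted only once a baseline
 * exists, so the first message of a kind never reports a drop. */
static gap_report_t seq_tracker_observe(seq_tracker_t *t, unsigned event_type,
                                        uint64_t global_seq, uint64_t seq)
{
    gap_report_t r = {0, 0};
    if (event_type >= MAX_EVENT_TYPES)
        return r;                        /* outside the modelled range */

    if (t->have_global && global_seq > t->last_global + 1)
        r.global_gap = global_seq - t->last_global - 1;
    t->have_global = true;
    t->last_global = global_seq;

    if (t->have_seq[event_type] && seq > t->last_seq[event_type] + 1)
        r.type_gap = seq - t->last_seq[event_type] - 1;
    t->have_seq[event_type] = true;
    t->last_seq[event_type] = seq;
    return r;
}

/* One constructed message: (event type, global_seq_num, seq_num). */
typedef struct { unsigned type; uint64_t global_seq; uint64_t seq; } msg_t;

/* Replays a constructed stream in which two messages (global 13 and 14,
 * one of them seq 5 of type 0) never reached the client. Returns how
 * many observed messages followed a gap; totals go to the out-params. */
static int replay_constructed_stream(uint64_t *global_drops, uint64_t *type_drops)
{
    static const msg_t stream[] = {
        {0, 10, 3}, {1, 11, 0}, {0, 12, 4}, {0, 15, 6}, {1, 16, 1},
    };
    seq_tracker_t t;
    seq_tracker_init(&t);
    *global_drops = *type_drops = 0;
    int flagged = 0;
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++) {
        gap_report_t g = seq_tracker_observe(&t, stream[i].type,
                                             stream[i].global_seq, stream[i].seq);
        if (g.global_gap || g.type_gap) {
            flagged++;
            *global_drops += g.global_gap;
            *type_drops += g.type_gap;
            /* A defender would log this with the event type and counters so
             * the blind spot is visible in later analysis. */
            printf("gap before global_seq %llu: %llu global, %llu for type %u\n",
                   (unsigned long long)stream[i].global_seq,
                   (unsigned long long)g.global_gap,
                   (unsigned long long)g.type_gap, stream[i].type);
        }
    }
    return flagged;
}

int main(void)
{
    uint64_t gd, td;
    int n = replay_constructed_stream(&gd, &td);
    printf("%d message(s) followed a gap; %llu global, %llu type-level drops\n",
           n, (unsigned long long)gd, (unsigned long long)td);
    return 0;
}
```

The design choice worth noting is that the two counters answer different questions: a global gap tells you that the client missed something, while the per-type gap tells you which subscription went blind, which is what a monitoring product needs to record when it decides how much to trust its own event history for that window.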