Note

Muting only has an effect on audit logs.
For the config modifications to take effect, you need to reload the extension.

Muting processes

Process execution events generate a large volume of audit logs, so logga supports muting certain processes that are known to be noisy.

Example configuration:

```yaml
auditLogger:
  muting:
    inverted: false
    targets:
      - path: /usr/bin/xcodebuild
        type: prefix
      - path: /usr/sbin/ioreg
        type: literal
# Rest of the configuration file is omitted
```

The above example suppresses execution events for the target paths (/usr/bin/xcodebuild and /usr/sbin/ioreg), so no logs are persisted for them, while every other process execution is still persisted.

In other words, the /Library/Application Support/Logga/audit.log file will store logs from every process execution except those of /usr/bin/xcodebuild and /usr/sbin/ioreg.

Inverse muting

Sometimes muting individual processes is not sufficient. The technique called inversion lets you mute all processes and persist logs exclusively from "allowlisted" processes.

Example configuration:

```yaml
auditLogger:
  muting:
    inverted: true
    targets:
      - path: /usr/bin/vim
        type: literal
# Rest of the configuration file is omitted
```

The above example will mute every process execution event except those from /usr/bin/vim.
This means that the /Library/Application Support/Logga/audit.log file will only store audit logs from vim executions.

This can be handy if you are interested in collecting audit logs for only a few select process executions.
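
To check what a muting configuration will hide before reloading the extension, the sketch below models both modes described above. It is an added example, not logga's own code. It assumes `literal` means exact path equality and `prefix` means the executable path starts with the configured string; the sample paths are constructed.

```python
# Added example: models the muting decision described on this page.
# Assumption: "literal" = exact path equality, "prefix" = the executable
# path starts with the configured string. Not logga's implementation.

def matches(target, exe_path):
    if target["type"] == "literal":
        return exe_path == target["path"]
    if target["type"] == "prefix":
        return exe_path.startswith(target["path"])
    raise ValueError(f"unknown target type: {target['type']!r}")

def is_persisted(muting, exe_path):
    """True if an execution event for exe_path would reach audit.log."""
    hit = any(matches(t, exe_path) for t in muting.get("targets", []))
    # Normal mode: matched targets are muted.
    # Inverted mode: only matched targets are kept.
    return hit if muting.get("inverted", False) else not hit

def coverage(muting, exe_paths):
    """Split observed executable paths into (persisted, muted) lists."""
    persisted = [p for p in exe_paths if is_persisted(muting, p)]
    muted = [p for p in exe_paths if not is_persisted(muting, p)]
    return persisted, muted

# The two configurations from this page, written as Python dicts.
MUTE = {"inverted": False, "targets": [
    {"path": "/usr/bin/xcodebuild", "type": "prefix"},
    {"path": "/usr/sbin/ioreg", "type": "literal"}]}
ALLOW = {"inverted": True, "targets": [
    {"path": "/usr/bin/vim", "type": "literal"}]}

# Constructed sample of executable paths (not real log data).
SAMPLE = ["/usr/bin/xcodebuild", "/usr/bin/xcodebuild-helper",
          "/usr/sbin/ioreg", "/usr/sbin/ioreg2", "/usr/bin/vim", "/bin/sh"]

if __name__ == "__main__":
    for name, cfg in (("muting", MUTE), ("inverse muting", ALLOW)):
        persisted, muted = coverage(cfg, SAMPLE)
        print(f"{name}: persisted={persisted} muted={muted}")
```

Under these assumptions, a `prefix` target also mutes any sibling binary whose path begins with the same string, and an inverted configuration with an empty `targets` list persists nothing.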