google / santa

A binary authorization and monitoring system for macOS

Home Page: https://santa.dev


So Many Copies of santactl Process. Is this Normal?

eopeter opened this issue

This happened during a fresh sync event after all rules were removed:

No, not normal... Can you describe more about the sequence of events? Was this part of a periodic sync or did you force a sync via santactl? If you used santactl, what flags did you use?

This is as a result of a forced sync via santactl. No flags were used, just santactl sync. This is version 2023.6.

@eopeter can you give us any other context here (e.g. how santactl sync was invoked)? We've not seen anything like this to date.

Since 2022.4, santactl just sends an XPC message to the santasyncservice and no longer does the sync itself. This does, however, block until the XPC transaction can be completed, so that santactl can print out the status of the sync, e.g.

$  santactl sync
Preflight starting
Performing request, attempt 1 (of 5 maximum)...
Server Trust: /O=(null)/OU=(null)/CN=uberproxy.corp.google.com/SHA-1=XXXXXX
Client Trust: /O=XXXXXX/OU=Client Authority/CN=XXXX/SHA-1=X
Preflight complete
Event upload starting
Event upload complete
Rule download starting
Performing request, attempt 1 (of 5 maximum)...
Received 1 rules
Performing request, attempt 1 (of 5 maximum)...
Received 6 rules
Processed 7 rules
Rule download complete
Postflight starting
Performing request, attempt 1 (of 5 maximum)...
Postflight complete
Sync completed successfully

If you're unable to complete a sync but have something triggering santactl sync in the background you could potentially end up with many santactl instances blocked waiting to trigger a sync again.

We have a daemon that triggers santa sync periodically and on startup, and it was failing. So when it respawned, it must have issued back-to-back syncs. That can explain this.

It happened when it first started with no rules and had to download 10s of thousands of rules in batches of 100; so it seems the sync did not complete and the daemon respawning may have caused it to issue several santactl sync.

Ok, so Santa itself seems to be working as intended.

I'm going to close this. Feel free to reopen if there's more to discuss.
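
One way to keep a periodic trigger from stacking up blocked santactl clients, as discussed in this thread. This is an added example, not code from the Santa project or from anyone in the thread; guarded_sync, LOCK_DIR, SYNC_TIMEOUT and SYNC_CMD are assumed names, and it uses only POSIX sh features.

```shell
#!/bin/sh
# Added example: single-instance guard around "santactl sync" for a periodic job.
# LOCK_DIR, SYNC_TIMEOUT and SYNC_CMD are assumed names, not Santa settings.
LOCK_DIR="${LOCK_DIR:-${TMPDIR:-/tmp}/santa-sync-guard.lock}"
SYNC_TIMEOUT="${SYNC_TIMEOUT:-600}"   # seconds before a blocked client is stopped
SYNC_CMD="${SYNC_CMD:-santactl sync}"

# Returns the command's own status, 75 (EX_TEMPFAIL) if a sync is already in
# flight, or 124 if the client was stopped after SYNC_TIMEOUT seconds.
guarded_sync() {
    # mkdir is atomic, so only one caller can take the lock.
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        holder=$(cat "$LOCK_DIR/pid" 2>/dev/null) || holder=""
        if [ -n "$holder" ] && kill -0 "$holder" 2>/dev/null; then
            return 75          # do not start another client that would block
        fi
        rm -rf "$LOCK_DIR"     # stale lock: the recorded holder is gone
        mkdir "$LOCK_DIR" 2>/dev/null || return 75
    fi
    echo "$$" > "$LOCK_DIR/pid"
    $SYNC_CMD &
    child=$!
    echo "$child" > "$LOCK_DIR/pid"   # lock now follows the client process
    # Watchdog: stop the client if it is still blocked after SYNC_TIMEOUT.
    # This bounds the client only; it does not touch santasyncservice.
    (
        trap 'kill "$nap" 2>/dev/null; exit 0' TERM
        sleep "$SYNC_TIMEOUT" & nap=$!
        wait "$nap"
        : > "$LOCK_DIR/timedout"
        kill "$child" 2>/dev/null
    ) >/dev/null 2>&1 &
    watchdog=$!
    status=0
    wait "$child" || status=$?
    kill "$watchdog" 2>/dev/null || true
    wait "$watchdog" 2>/dev/null || true
    if [ -e "$LOCK_DIR/timedout" ]; then status=124; fi
    rm -rf "$LOCK_DIR"
    return "$status"
}
```

Call guarded_sync from the periodic job in place of a bare santactl sync, and treat status 75 as "skip this round" rather than as a failure that triggers a respawn.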