There may be times the Snare Support team require logs or further information for investigation. The following information are helpful when lodging a case with Snare Support:
- The Snare configuration file at:
- /etc/security/snare.conf
- The audit subsystem configuration files at:
- /etc/security/audit_control
- /etc/security/audit_class
- /etc/security/audit_event
- The screenshot of the Audit Service Status page from the Agent's Web UI
- The debug log file generated as follow:
- Stop Snare agent by running the following command from the Terminal:
| Code Block |
|---|
> sudo launchctl unload -w /Library/LaunchDaemons/com.intersectalliance.snare.agent.plist |
Enter the machine's root password when prompted.
- Generate the debug log by running the following command from the Terminal
| Code Block |
|---|
> sudo /usr/local/bin/snarecore -d9 2>&1 | tee <mysnare.log> |
...
- Continue to use Snare until you have an error, or enough time for your events to be processed. When done, stop the agent by entering CTRL-C from the Terminal
- Start Snare agent by running the following command from the Terminal:
| Code Block |
|---|
> sudo launchctl load -w /Library/LaunchDaemons/com.intersectalliance.snare.agent.plist |
...
A new feature is added from Snare v5.6; where Snare can be configured to generate the debug log at run time time. For more informaiton see the Snare Log page.
...