There may be times the Snare Support team require logs or further information for investigation. The following information are helpful when lodging a case with Snare Support:
- The Snare configuration file at:
- /etc/security/snare.conf
- The audit subsystem configuration files at:
- /etc/security/audit_control
- /etc/security/audit_class
- /etc/security/audit_event
- The screenshot of the Audit Service Status page from the Agent's Web UI
The debug log file can be generated using following two methods.
- Generating Debug Log from the Agent Web UI
This is the recommended method, available from Snare Agent version 5.6.0
Snare v5.6; where Snare can be configured to generate the debug log at run time. For more informaiton see the Snare Log page.
- Generating Debug Log from command line
In case Agent Web UI is disabled, the Agent version is earlier than 5.6.0, or Support has explicitly requested to generate the debug log for longer period of time, please use the following instructions
- Stop Snare agent by running the following command from the Terminal:
> sudo launchctl unload -w /Library/LaunchDaemons/com.intersectalliance.snare.agent.plist
Enter the machine's root password when prompted.
- Generate the debug log by running the following command from the Terminal
> sudo /usr/local/bin/snarecore -d9 2>&1 | tee <mysnare.log>
Here <mysnare.log> is the name given to the debug log file.
- Continue to use Snare until you have an error, or enough time for your events to be processed. When done, stop the agent by entering CTRL-C from the Terminal
- Start Snare agent by running the following command from the Terminal:
> sudo launchctl load -w /Library/LaunchDaemons/com.intersectalliance.snare.agent.plist