Appendix C - Debug logs
There may be times when the Snare Support team requires logs or further information for investigation. The following information is helpful when lodging a case with the Snare Support team.
- Audit logs at /var/log/audit
- The Snare configuration file at /etc/audit/snare.conf
- The audit configuration file at /etc/audit/auditd.conf
- The audit rules file at /etc/audit/audit.rules
- The screenshot of the Audit Service Status on the agent UI
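The file collection in the list above can be scripted. The following is an added example, not part of the Snare documentation or product: the function name `snare_support_bundle`, the archive name and the `MISSING.txt` manifest are assumptions of this example, and GNU tar is assumed.

```shell
#!/bin/sh
# Added example (not Snare code): bundle the files listed above for a support case.
# Usage: snare_support_bundle [ROOT] [OUTDIR]
#   ROOT   filesystem root to read from (default /); lets you try it on a test tree
#   OUTDIR existing directory for the archive (default: current directory)
# Prints the archive path. The function body runs in a subshell, so the umask
# change and the variables do not leak into the calling shell.
snare_support_bundle() (
    root=${1:-/}
    root=${root%/}                      # "/" -> "", "/tmp/x/" -> "/tmp/x"
    outdir=$(cd "${2:-.}" && pwd) || exit 1

    # Audit logs and agent configuration are sensitive: owner-only files.
    umask 077
    stage=$(mktemp -d) || exit 1
    archive="$outdir/snare-support-$(date +%Y%m%d-%H%M%S).tar.gz"

    present=""
    : > "$stage/MISSING.txt"
    for rel in var/log/audit etc/audit/snare.conf \
               etc/audit/auditd.conf etc/audit/audit.rules; do
        if [ -e "$root/$rel" ]; then
            present="$present $rel"
        else
            # Record the gap instead of aborting; Support can see what was absent.
            echo "/$rel" >> "$stage/MISSING.txt"
        fi
    done

    # -C stores members with relative names (etc/audit/..., var/log/audit/...).
    # $present is unquoted on purpose: fixed paths, no spaces or globs.
    rc=0
    tar -czf "$archive" -C "${root:-/}" $present -C "$stage" MISSING.txt || rc=$?
    rm -rf "$stage"
    # GNU tar exits 1 if a file changed while being read (auditd keeps writing);
    # the archive is still usable, so only a status above 1 is treated as fatal.
    [ "$rc" -le 1 ] || exit "$rc"
    echo "$archive"
)
```

Run it as root on the agent host, since /var/log/audit is normally readable only by root. The Audit Service Status screenshot still has to be attached to the case separately.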
To retrieve debug logs for Snare, use one of the following methods.
- Generating Debug Log from the Agent Web UI
This is the recommended method, available from Snare Agent version 5.6.0
- Navigate to the Agent Web UI > Snare Log page
- Select a directory to write to
- Select the duration of logging (1, 5, 10 or 15 minutes)
- Click Start Debug Log
The Snare Agent will write the debug log to a file for the selected period of time, without the need to restart the Agent.
- The logging can be stopped earlier if needed by clicking Stop Debug Log
- Attach the generated log file to your Snare Support case.
For more information see the Snare Log page.
Detailed guide
1. In Snare Agent Web GUI, go to HeartBeat & Agent Log Configuration page
2. From Agent Logging Options drop down menu, select Trace
3. From Agent Heartbeat Frequency drop down menu, select Custom and enter the frequency value in minutes, e.g. 1 minute
4. Click Change Configuration button to apply the settings
5. In Snare Agent Web GUI, go to Destination Configuration page
6. Add a File Destination, such as snare_debug.txt
7. Click Update Destinations to apply the settings
8. Click Apply Configuration & Restart Service to start the agent with the updated configurations
9. The debug logs can then be found in the file specified in step 6. Note that the debug logs will be written as AgentHeartBeat messages to the file destination at the frequency specified in step 3
10. After running the agent long enough in debug mode, return the agent to normal mode as follows:
    1. In Snare Agent Web GUI, go to HeartBeat & Agent Log Configuration page
    2. From Agent Logging Options drop down menu, select Info
    3. From Agent Heartbeat Frequency drop down menu, select Disabled
    4. Click Change Configuration button to apply the settings
    5. In Snare Agent Web GUI, go to Destination Configuration page
    6. Remove the File Destination
    7. Click Update Destinations to apply the settings
    8. Click Apply Configuration & Restart Service to start the agent with the updated configurations
- Generating Debug Log from command line
If the Agent Web UI is disabled, the Agent version is earlier than 5.6.0, or Support has explicitly requested that the debug log be generated for a longer period of time, please use the following instructions.
Depending on the version of the agent and the Linux auditd version, please use the relevant command below:
For audit v3
/usr/sbin/SnareAgentPlugin -d9 2>&1 | tee debug.log
For audit v2
/usr/sbin/SnareDispatchHelper -d9 2>&1 | tee debug.log
Once the above has been run, debug.log will be found in the directory the command was run in. Using your preferred method (e.g. WinSCP), export the log and attach it to the support case if requested.