Appendix C - Debug logs

There may be times the Snare Support team require logs or further information for investigation. The following information are helpful when lodging a case with Snare Support:

• The Snare configuration file at:
  • /etc/security/snare.conf
• The audit subsystem configuration files at:
  • /etc/security/audit_control
  • /etc/security/audit_class
  • /etc/security/audit_event
• The screenshot of the Audit Service Status page from the Agent's Web UI

To retrieve debug logs for Snare, use one of the following methods.

• Generating Debug Log from the Agent Web UI

• Navigate to the Agent Web UI > Snare Log page
• Select a directory to write to
• Select the duration of logging (1,5,10 or 15 minutes)
• Click Start Debug Log 
  the Snare Agent will write the debug log to a file for the selected period of time, without the need to restart the Agent. 
• The logging can be stopped earlier if needed by clicking Stop Debug Log 
• Attach the generated log file to your Snare Support case.

For more information see the Snare Log page.

• Generating Debug Log from command line

Ensure you start a command prompt as Administrator and navigate to the folder where Snare is installed, to retrieve the logs.

• Stop Snare agent by running the following command from the Terminal:

> sudo launchctl unload -w /Library/LaunchDaemons/com.intersectalliance.snare.agent.plist

Enter the machine's root password when prompted.

• • Generate the debug log by running the following command from the Terminal

> sudo /usr/local/bin/snarecore -d9 2>&1 | tee <mysnare.log>

Here <mysnare.log> is the name given to the debug log file.

• • Continue to use Snare until you have an error, or enough time for your events to be processed. When done, stop the agent by entering CTRL-C from the Terminal
  • Start Snare agent by running the following command from the Terminal:

> sudo launchctl load -w /Library/LaunchDaemons/com.intersectalliance.snare.agent.plist