Snare Linux Agent trouble shooting
This page helps to cover some potential issues a system can have after or installing the Snare Linux agent.
On some RHEL and Centos platforms the agent may appear to not to start. This could be caused from a number of problems.
auditd was not installed, this should show some error messages on the console during the installation process. For this then install the auditd package on the system “yum install audit”. Then reinstall the agent.
check the /var/log/messages log file for any error messages after the installation or agent restart.
check the agent process is running “ps -aef|grep -i snaredispatch” you should see the process. 00:00:01 /usr/sbin/SnareDispatchHelper
check for the webport “netstat -na |grep -i 6161” the webport should be available and running
tcp 0 0 0.0.0.0:6161 0.0.0.0:* LISTEN
If there are errors relating to the web server certificate and it can not create the pem file then it maybe due to the installation missing either some symbolic links in /etc/ssl there should be 2 directories certs and private. For some reason some RHEL and Centos installs can be missing the private directory link. The agent does have a fall back to use /usr/local/ssl with certs and private in that location but they have to exist when the agent restarts.
lrwxrwxrwx 1 root root 16 Sep 14 21:00 certs -> ../pki/tls/certs
lrwxrwxrwx 1 root root 20 Sep 30 02:27 private -> /etc/pki/tls/privatethe missing private link can be corrected using “sudo ln -s /etc/pki/tls/private /etc/ssl/private”
Some workarounds for this can be to add in the symbolic link to the location or make some directories in this location:
as root run the following
sudo mkdir /usr/local/ssl/certs
sudo mkdir /usr/local/ssl/private
then restart the agent via auditd “service auditd restart”
the errors in the messages file should no longer be present and the agent webui should be running, login to the change, change the password and update the policy as needed.