Snare Enterprise Agent for macOS configures the macOS audit sub-system to generate events of interest and extracts events that match additional filtering criteria from the operating system, as configured in objectives. The format of macOS audit events is discussed in /wiki/spaces/MACV5/pages/141296515. Snare Agent is also capable of collecting events from any text-based log files, as well as generating File Integrity Monitoring (FIM) events.
Snare allows to format events into different standard formats suited to follow-on processing, and deliver them to one or more remote systems over the network.
Snare also provides a Web User Interface (Web UI), which allows administrators to remotely control which events are collected and reported. This interface also provides information on users, groups, and group membership on the local machine, which can be used to satisfy various regulatory compliance requirements.