How to collect strace logs on Data Loss Prevention Servers

Article ID: 413075

Products

Data Loss Prevention

Issue/Introduction

Services are not starting, and system-level logging is needed to troubleshoot the failure.

Environment

RHEL 8.x and above

Resolution

  1. Switch to root (su - root) or use an account with sudo rights.
  2. cd /etc/init.d
  3. Run the following command:
    1. strace -f -s 300 -e trace=write,open ./<service_name> start 2>/tmp/strace_output.txt
    2. NOTE: Replace <service_name> (including the <>) with the name of the service that is having issues.
  4. Once the service fails to start, review /tmp/strace_output.txt.

Additional Information

Switches and their uses:

-f (follow child processes) Without this switch you will only see what the wrapper process is doing, not any child process spawned from the wrapper process.

-s <number> (maximum string length to print) If an error message is longer than the default value or the value of the -s switch, the message will be truncated.

-e (expressions selecting which calls are traced and printed) By using write,open we limit the trace to those file operations, which are the ones of concern when troubleshooting services or permission issues.

2> (redirects STDERR to a file) strace prints its trace to STDERR, so the redirection writes the trace to the file instead of the screen.

Example Scenarios:

How to check for permission issues in the strace log.

Use the less command to view the log written by the command above, /tmp/strace_output.txt.

Go to the bottom of the file and use the Page Up key or arrow keys to move up the file.

In this scenario you will see that the SymantecDLP service is unable to write to a file.

The next step is to check the permissions of the path above and all of its sub-directories, using the command "namei" with the path from the strace log:

namei -l /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.20000/tomcat

From this output you can see that /var/log/Symantec has incorrect permissions:

Next, run the chmod command to fix the permissions:

chmod 755 /var/log/Symantec

Finally, restart the DLP services. 
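
The log review in this scenario can be scripted instead of paging through the file with less. The following is an added example, not part of the original article: it lists every path whose open call was denied, including calls that strace -f splits into "unfinished" and "resumed" lines. It matches openat as well as open, because current glibc issues openat for open(); capturing those calls requires adding openat to the -e trace= list. The function names and the sample PIDs and file names are assumptions.

```shell
# Added example (not from the article). Reports open()/openat() calls that
# failed with EACCES or EPERM in an strace -f log, as "ERRNO path" lines.
denied_paths() {
    awk '
    {   # Child lines are tagged "[pid N]"; untagged lines are the first process.
        pid = "first"
        if (match($0, /^\[pid +[0-9]+\]/)) pid = substr($0, RSTART, RLENGTH)
    }
    /^(\[pid +[0-9]+\] )?open(at)?\(/ {
        # The first quoted string of the call is the path being opened.
        if (match($0, /"[^"]*"/)) path[pid] = substr($0, RSTART + 1, RLENGTH - 2)
        # With -f a call can be split; its result comes on a "resumed" line.
        if ($0 ~ /<unfinished \.\.\.>$/) next
    }
    /^(\[pid +[0-9]+\] )?(open(at)?\(|<\.\.\. open(at)? resumed>)/ {
        if (match($0, /= -1 (EACCES|EPERM) /) && (pid in path))
            print substr($0, RSTART + 5, RLENGTH - 6), path[pid]
        delete path[pid]
    }' "${1:--}" | sort -u
}

# Constructed sample log: the directory is the one in the article, the file
# names, PIDs and the /opt/example path are made up for illustration.
sample_log() {
    cat <<'EOF'
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid  2101] openat(AT_FDCWD, "/var/log/Symantec/DataLossPrevention/EnforceServer/16.0.20000/tomcat/localhost.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid  2102] open("/opt/example/keystore", O_RDONLY <unfinished ...>
[pid  2101] write(2, "cannot open(log): Permission denied\n", 36) = 36
[pid  2102] <... open resumed>) = -1 EPERM (Operation not permitted)
[pid  2101] openat(AT_FDCWD, "/tmp/missing", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

sample_log | denied_paths
```

Run it against the real log with denied_paths /tmp/strace_output.txt, then pass each reported path to namei -l to find the directory with the wrong mode.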

File Access tracing

To trace open and write operations on a specific file, utilities like auditd and inotifywait are better tools. strace is for debugging processes.

See: 414218