Troubleshooting Client Management

Collect logs

The information is saved as ZIP files that you can download with your browser.

To download logs:

From the Client ManagementOverview page, click Help .
From the Troubleshooting tab, select the solutions for which to gather troubleshooting packages and click Create Packages.
By default, all solutions are selected.
When the packages are ready, click Download Support Bundle.
ZIP files of all the selected packages download to the local download directory.
Some browsers might block multiple downloads by default. Make sure to configure your browser to permit multiple downloads from the Tanium Console.
Contact Tanium Support to determine the best option to send the ZIP files. For information, see Contact Tanium Support.

Tanium Client Management maintains logging information in the Client Management.log file in the \Program Files\Tanium\Tanium Module Server\services\Client Management directory.

Endpoint Configuration maintains logging information in the tanium-config.log file in the <Module Server>/services/endpoint-configuration-files directory.

Identify and resolve issues with endpoint tools or client extensions

You might become aware of issues with endpoint tools or client extensions through solution-specific errors or through Overview pages for modules or shared services that indicate endpoints that need attention.

Use the following steps to troubleshoot issues with endpoint tools or client extensions. During troubleshooting, consider environmental factors such as security exclusions, file locks, CPU usage, RAM usage, and disk failures.

To actively review the health of endpoint tools and client extensions or to start an investigation into an existing error, ask a question using the Endpoint Configuration - Tools Status, Client Extensions - Status, or [Module] - Tools Version sensor.

The results of these questions help to identify endpoints with errors and provide a starting point to deploy actions that might help correct the issue. Drill down as necessary to investigate results that indicate errors.

Consider whether endpoints with errors share common characteristics, such as operating system, domain or organization unit, or the antivirus software that is installed.
Target one or more endpoints with errors, and uninstall tools that report errors without blocking reinstallation: see Troubleshooting Client Management.

When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

Wait for automatic reinstallation of the tool. If the reinstallation does not resolve the issue, continue to the next step.

Ask a question using the Endpoint Configuration - Tools Status Details sensor, and include filters to limit the results to the tool that you are investigating. For example:

Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Deploy from all machines with Endpoint Configuration - Tools Status:Tool Name contains Deploy

Review the columns in the results for specific information about errors. The following table provides guidance for some common error conditions:

Error Condition	Possible Resolution
No error appears, but an available new version has not been installed	Review the Targeted Version column to make sure that the endpoint has received the latest manifest. If the targeted version does not yet show the updated version, the manifest has not updated on the endpoint, usually for one of the following reasons: The manifest update is still pending. Either wait for the manifest to update and then review the results again, or follow the steps in Verify and manually update the Endpoint Configuration manifest. Action lock is enabled on the endpoint. Follow the steps in Verify and manually update the Endpoint Configuration manifest to identify endpoints with action lock turned on. The solution that installs the tool is no longer installed, or it is no longer targeting the endpoint. In some cases, a solution might stop targeting an endpoint because it no longer needs the endpoint for a particular workload. For example, if an endpoint is being used in a level 4 distributed scan in Discover, and peer endpoints appear with adjacent IP addresses, Discover no longer needs the original endpoint for the level 4 scan and no longer targets it. Consider whether the solution that installs the tool should still target the endpoint: If it is expected or intentional that the solution no longer targets the endpoint, you can optionally uninstall the tool: see Troubleshooting Client Management. If the solution should still target the endpoint, make sure that the action group for the solution that installs the tool includes the endpoint, and make sure the solution targets the endpoint in any expected configurations or profiles. Then, either wait for the manifest to update and then review the results again, or follow the steps in Verify and manually update the Endpoint Configuration manifest.
Installation Blocker: Unmet Dependencies: [Tool name]	If no Failure Message or Failure Step appears, the endpoint might be waiting for the dependencies to install. Wait to see if the condition resolves on its own. If this condition remains for an extended period, ask the question again and review any error information in other columns, especially the Failing Dependency column.
Failing Dependency: [Tool name]	Ask the question: Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains [Tool name] from all machines with Endpoint Configuration - Tools Status:Tool Name contains [Tool name] Investigate further errors with the tool. If the dependency has not been installed on an endpoint, ask the question: Get Endpoint Configuration - Tools Retry Status from all machines with Computer Name equals Computer_Name to review the retry status for the tool installation. For more information, see Review tool installations that are scheduled for a retry.
Manually Blocked: blocked	The tool was previously blocked, either manually or during a previous uninstallation. Unblock the tool: see Troubleshooting Client Management.

Review the Extensions logs on the endpoint. Take note of entries that include fail or error: see Review the Extensions log for an endpoint.

For additional help, collect all logs for Tanium Client Management, and contact Tanium Support.

Verify and manually update the Endpoint Configuration manifest

Check the manifest version on endpoints

From the Endpoint Configuration menu, go to the Overview page, and note the Manifest Revision (version) in the Summary section..
Go to the Tanium Home page and ask the following question:

Get Endpoint Configuration - Manifest Metadata?maxAge=60 and Action Lock Status from all machines

The manifest changes whenever a configuration or tool change occurs. Therefore, use the maxage=60 option for the Manifest Metadata sensor to ensure that you retrieve the latest data from endpoints.

Sort the Question Results grid by Revision to list the versions in descending numerical order, which makes it easier to identify endpoints with an earlier manifest version.
If the Question Results indicate Action Lock Status is on for some endpoints that do not have the latest manifest:
1. Consult whoever turned on the action locks to verify that it is now safe to run actions on those endpoints.
2. Disable action locks on the endpoints that require an updated manifest. See Tanium Console User Guide: Turn off action locks. Perform one of the following tasks:
  - Disable action locks on the endpoints that require an updated manifest. See Tanium Console User Guide: Turn off action locks.
  - Configure Endpoint Configuration to ignore action locks for all endpoints. See .
Manually update the manifest on endpoints on any endpoints that require an updated version.

Manually update the manifest on endpoints

Windows and non-Windows endpoints require separate packages to update the manifest. Therefore, perform the following steps for each type of endpoint:

Go to the Tanium Home page and ask the following question:

Get Endpoint Configuration - Manifest Metadata?maxAge=60 from all machines
Select the endpoints that have an outdated manifest and click Deploy Action.
Select the Deployment Package that matches the target endpoints:
- Windows endpoints: Endpoint Configuration - Manifest [Windows] (v. <latest_manifest_version>)
- Non-windows endpoints: Endpoint Configuration - Manifest [Non-Windows] (v. <latest_manifest_version>)
Configure the remaining action settings and deploy the action. See Tanium Console User Guide: Deploying actions.

If the manifest update fails, investigate environmental factors, such as security exclusions, file locks, CPU usage, RAM usage, and disk failures. for additional help.

Review the Extensions log for an endpoint

Use Client Management to directly connect to an endpoint and view and download extension logs.

From the Main menu, go to Shared Services > Client Management.
From the Client Management menu, click Client Health.
In the Direct Connect search box, enter all or part of an IP address or a computer name.

Matching results are displayed after the search completes.
From the search results, click the computer name to connect to the endpoint.
Click the Logs tab, and select an extensions[#].log file.
(Optional) To download the log, click Download.

For additional help, collect all logs for Tanium Client Management, and contact Tanium Support.

Uninstall Client Management

Uninstalling Client Management disables functionality for all Tanium solutions. Contact Tanium support before you uninstall Client Management.

From the Main menu, click Administration > Configuration > Solutions.
In the Content section, select the Endpoint Configuration row.
Click Delete Selected . Click Uninstall to complete the process.

Contact Tanium Support

To contact Tanium Support for help, send an email to [email protected].