Troubleshooting

Tanium as a Service is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium as a Service Deployment Guide: Troubleshooting Tanium as a Service.

Use the following procedures, settings, and logs to troubleshoot issues relating to the Tanium Console and Tanium Interact. For additional troubleshooting information, see the Tanium Support KB: Tanium Console.

Basic troubleshooting tips

  • Contact Tanium Support to verify that the Tanium™ software version is a recommended version.
  • Ensure all Tanium Core Platform components are the same version. For example, make sure all have build number 7.4.4.1226. The Build number appears at the top right of the Tanium Console, below your user name.
  • Review any error messages reported to the Tanium Console: see View and copy the Tanium Console error log.
  • If Tanium Clients do not answer questions, check the status of client connections: see Monitor Tanium Client registration and communication.
  • If Tanium Clients do not run actions, check the actions history and action logs: see Investigate action-related issues.
  • If the Tanium Console is unavailable, check the status of the Tanium databases on the database server. Also check the status of the Tanium Server service and, if necessary, restart it: see Manage the Tanium Server service.
  • If authentication errors prevent access to the Tanium Console, check the authentication logs (auth<#>.txt) in the <Tanium_Server>/Logs directory.
  • If you see permission errors when trying to access certain Tanium Console pages or features, verify that your user persona has the necessary permissions: see User role requirements.

Manage the Tanium Server service

The steps to check the status of, and restart, the Tanium Server service vary by platform:

View and copy the Tanium Console error log

The Tanium Console maintains an error log on the local host computer for your web browser. It includes details on the last 100 errors that were returned to the console in response to actions that you performed through the browser. For example, the log records errors that are associated with attempting to save a configuration or import a content file. The console maintains a separate log for each browser that you use.

To view the log, click the selector next to the signed on username and select Local Error Log.

Expand a log entry and click Copy to copy the log details to the clipboard.


Collect Interact logs

To send information to Tanium Support for troubleshooting Tanium Interact, collect logs and other relevant information as follows. The information is saved as a ZIP file that you can download through your browser.

  1. From the Interact Overview page, click Help.
  2. In the Troubleshooting section, click Download Support Package.
    A tanium-interact-support-<date-time>.zip file downloads to the local download directory.
  3. Attach the ZIP file to your Tanium Support case form or send to Tanium Support.

Monitor Tanium Client registration and communication

To see the Client Status page and filter its grid, you require a role with the Read Client Status (micro admin) permission. Users with the Administrator reserved role have this permission.

View the status of Tanium Client registration and communication

  1. From the Main menu, go to Administration > Management > Client Status.
  2. (Optional) To display status details only for specific Tanium Clients, edit the default filter settings, such as the registration intervals and connection status.


The following table lists the information that the Client Status page displays for each Tanium Client:

Table 1:   Client Status columns
Column | Description
Host Name | Endpoint host name.
Network Location (from client) | Client IP address returned from a sensor on the client.
Network Location (from server) | Client IP address recorded on the Tanium Server or Zone Server during the last registration.
Direction | A circle represents the client and arrows represent its connections. For a list of possible connection states, see Table 2.
Valid Key | No indicates an issue with the public key that the Tanium Client uses to secure communication with other Tanium Core Platform components. To resolve the issue, reinstall the Tanium Client (see Tanium Client Management User Guide) or redeploy the key (see Download infrastructure configuration files (keys)).
Send State |
  • Normal: The client is sending data to its backward and forward peers.
  • None: The client is not sending data to its forward or backward peers.
  • Forward Only: The client is sending data to its forward peer but not to its backward peer.
  • Backward Only: The client is sending data to its backward peer but not to its forward peer.
Receive State |
  • Normal: The client is receiving data from its backward and forward peers.
  • None: The client is not receiving data from its forward or backward peers.
  • Next Only: The client is receiving data from its forward peer but not from its backward peer.
  • Previous Only: The client is receiving data from its backward peer but not from its forward peer.
Status |
  • Normal: The client is communicating normally.
  • Slow Link: The client has connections with abnormally slow throughput.
  • Leader: The client is communicating with the Tanium Server or Zone Server because it is a backward leader, a forward leader, a neighborhood leader, or a client with no peer connections (such as a client in an isolated subnet).
  • Blocked: The client is not communicating reliably.
Last Registration | Date and time when the Tanium Client last registered with the Tanium Server or Zone Server.
Protocol Version | Tanium protocol version. This column is hidden by default.
Version | Tanium Client version.

The Direction column displays icons to depict Tanium Client connection states. The icons use the following conventions:

  • An up arrow indicates a connection with the Tanium Server or Zone Server.
  • Side arrows pointing away from the client indicate outbound connections to peers.
  • Side arrows pointing at the client indicate inbound connections from peers.
  • Side arrows on the right side of clients indicate the state of connections to forward peers.
  • Side arrows on the left side of clients indicate the state of connections to backward peers.
  • Side arrows with dashed lines indicate slow connections.

You can use the Direction column to understand the reasons that the client is a leader and to identify connection issues. The following table lists the possible connection states:

Table 2:   Tanium Client peer connection states
Attribute | Value | Description
Leader | Backward (icon: Backward leader) | The client is a backward leader that terminates one end of a linear chain. It typically has the lowest IP address in its linear chain.
Leader | Forward (icon: Forward leader) | The client is a forward leader that terminates one end of a linear chain. It typically has the highest IP address in its linear chain.
Leader | Neighborhood (icon: Leader) | The client is designated as a neighborhood leader because its linear chain has reached the maximum number of clients.
Leader | Isolated (icon: No peering) | The client is an isolated leader that connects only to the Tanium Server or Zone Server, and has no connections to other clients. The client might be isolated because its IP address falls within the range of an isolated subnet or because it has no peers in its local subnet with which to connect.
Neighbor | No side arrows (icon: No peering) | This is the same as an isolated leader.
Neighbor | Single side arrow (icon: inbound only or outbound only) | The client has a neighborhood list of peers but has not established a peer connection. This state generally results from a misconfiguration, such as when a host-based firewall on the endpoint does not allow inbound connections to the client.
Neighbor | Double side arrows (icon: inbound and outbound connections) | The client has a neighborhood list of peers and has connected with peers in the indicated direction.
Client state | Normal (icon: inbound and outbound connections) | The client is communicating normally.
Client state | Blocked (icon: blocked) | The client is not communicating reliably. This might result from a network issue or host resource issue, such as an antivirus program that slows the client.

Export Tanium Client status details

Export information in the Client Status page as a CSV file or, if you have the Administrator reserved role, as a JSON file.

  1. From the Main menu, go to Administration > Management > Client Status.
  2. Select rows in the grid to export information for specific Tanium Clients. If you want to export information for all clients, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name, which is in the format: export-client_status-<date>T<time>.csv<format>.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: information for All clients in the grid or only for the Selected clients.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.
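
An exported CSV can be triaged offline against the column meanings in Table 1 and the connection states in Table 2. The following is an added example, not Tanium code: it assumes the export's header names match the Client Status column names, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. Header names are assumed to match the Client
# Status column names in Table 1; adjust them to your actual export.
SAMPLE_CSV = """\
Host Name,Valid Key,Send State,Receive State,Status,Last Registration
ws-001,Yes,Normal,Normal,Normal,2021-03-01 10:02:11
ws-002,No,Normal,Normal,Normal,2021-03-01 10:01:40
ws-003,Yes,Forward Only,Next Only,Blocked,2021-03-01 09:58:03
srv-010,Yes,None,None,Leader,2021-03-01 10:03:27
ws-004,Yes,Normal,Normal,Slow Link,2021-03-01 10:00:12
ws-005,Yes,Backward Only,Normal,Normal,2021-03-01 10:02:45
"""

STATUS_FINDINGS = {
    "Blocked": "not communicating reliably (network or host resource issue)",
    "Slow Link": "connections with abnormally slow throughput",
}


def triage(csv_text):
    """Return {host name: [findings]} for rows that need attention."""
    flagged = {}
    for raw in csv.DictReader(io.StringIO(csv_text)):
        row = {k.strip(): (v or "").strip() for k, v in raw.items() if k}
        findings = []
        if row.get("Valid Key", "").lower() == "no":
            findings.append("invalid key: reinstall the client or redeploy the key")
        status = row.get("Status", "")
        if status in STATUS_FINDINGS:
            findings.append(STATUS_FINDINGS[status])
        # Assumption: leaders legitimately lack one or both peers, so partial
        # send/receive states are only reported for non-leader clients.
        states = (row.get("Send State", ""), row.get("Receive State", ""))
        if status != "Leader" and any(s != "Normal" for s in states):
            findings.append(
                "partial peering (send=%s, receive=%s): check host firewall" % states
            )
        if findings:
            flagged[row.get("Host Name", "<unknown>")] = findings
    return flagged


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_CSV).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```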

Copy Tanium Client status details

Copy information from the Client Status page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Management > Client Status.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Configure server logging levels

Tanium Support might instruct you to change the log verbosity levels for the Tanium Server and Tanium Module Server when troubleshooting issues.

You require the Administrator reserved role to see and use the Configuration > Common > Log Level page.

  1. From the Main menu, go to Administration > Configuration > Common and click Log Level.
  2. Set the logging levels and click Save.

    The following decimal values are best practices for specific use cases.

    • 0: Logging disabled.
    • 1: Normal log level.
    • 41: Best practice value during troubleshooting.
    • 91 or higher: Most detailed log level. Enable for short periods of time only.

View plugins and plugin schedules

A plugin is an extension to a Tanium Core Platform component or solution module. A scheduled plugin is a process that is set to run at a specified interval. Plugin operations are usually transparent to users. However, Tanium Support might instruct you to review plugin details when troubleshooting unexpected behavior.

Only users assigned the Administrator reserved role can access the Configuration pages for viewing plugin information.

To see details about installed plugins, from the Main menu go to Administration > Configuration > Common and click Plugins.

To see details about scheduled plugins, from the Main menu go to Administration > Configuration > Common and click Plugin Schedules.

To review the history of plugin executions, see the module-history<#>.txt logs in the <Module_Server>/Logs folder on the Tanium Module Server.

View usage for the package file repository

By default, the Tanium Server stores the package files that it downloads to Tanium Clients in the <Tanium Server>\Downloads folder. Tanium Support might instruct you to monitor usage for this repository when troubleshooting download issues.

Only users assigned the Administrator reserved role can see and use the Administration > Configuration > Tanium Server > Package File Repository page.

From the Main menu, go to Administration > Configuration > Tanium Server > Package File Repository and review the information.

Monitor resource usage for sensor results collection

The Tanium Data Service collects and stores the results of all sensors that are registered for collection so that users can see those results for offline endpoints when issuing questions. Sensor collection consumes resources such as network bandwidth, processing on endpoints, and disk space on the Tanium Server. Resource consumption increases with the cardinality of sensors. For example, the IP Address sensor produces a unique result string for each queried endpoint, whereas the Operating System (OS) sensor produces the same string for all endpoints that have the same OS. In this case, the high cardinality IP Address sensor requires more bandwidth, CPU usage, and storage. Interact provides charts that enable you to visualize resource usage metrics related to results collection.

For more details and procedures related to sensor results collection, see Manage sensor results collection.

  1. Go to the Interact Home page and click Info.
  2. Review the following charts:
    • Data Service Status: This chart displays metrics related to sensor collection processes. By default, the Tanium Data Service runs the Data Collection process every hour to collect results for registered sensors and runs the Garbage Collection process every 15 minutes to remove expired result strings. The chart uses the following icons. Hover over an icon to display details about a specific process instance.
      • Success: process that completed successfully
      • Refresh: process that is currently running
      • Error: process with errors
      • Future: pending process
    • Data Service Sensor Metrics: Use these charts to determine whether specific sensors are generating result strings that consume too much storage.
    • Data Service Database Metrics: These charts are not relevant to user operations.

If you determine that sensor collection consumes too many resources, consider the following solutions:

View the info page

Tanium Support might instruct you to review settings or counters displayed on the info page.

  1. Open a browser and go to https://<FQDN>/info.
  2. When prompted, specify credentials for a user assigned the Administrator reserved role.



Contact Tanium Support

Tanium Support is your first contact for assistance with preparing for and performing an installation or upgrade, as well as verifying and troubleshooting the initial deployment. If you require further assistance from Tanium Support, please be sure to include version information for Tanium Core Platform components and specific details on dependencies, such as the host system hardware and OS details and database server version. You can also send Tanium Support a collection of logs and other information as a ZIP file: see Collect Interact logs. Sign into https://support.tanium.com and submit a new ticket or send Tanium Support an email at [email protected].