Troubleshooting

Review troubleshooting tasks for common issues.

Troubleshoot Connect by using log files and the solutions to common issues. If you cannot resolve the issues, collect support information.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

To download logs:

  1. From the Connect Overview page, click Help.
  2. From the Troubleshooting tab, select the solutions for which to gather troubleshooting packages and click Create Package.
  3. When the package is ready, click Download Package.
    A ZIP file of Connect information, and database information if selected, downloads to the local download directory.

    Some browsers might block multiple downloads by default. Make sure to configure your browser to permit multiple downloads from the Tanium Console.

  4. Contact Tanium Support to determine the best option to send the ZIP files. For information, see Contact Tanium Support.

Tanium Connect maintains logging information in the \Program Files\Tanium\Tanium Module Server\services\connect-files\logs directory.

For Windows servers, Tanium Connect also maintains logging information in the connect-service.log file in the \Program Files\Tanium\Tanium Module Server\services\connect-service directory.

Upgrading to Connect 5.12

In Connect 5.12, the steps required to configure the service account are no longer necessary due to the adoption of the System User Service, which performs these tasks automatically. Consequently, after upgrading to Connect 5.12, it might take time for the RBAC privileges and other updates to sync properly. This could lead to issues and error messages when first querying the Tanium Console. These issues should resolve on their own after a few minutes, but could take longer depending on system resources and the amount of data to migrate.

Upgrading to Connect 5.13

In Connect 5.13, connections created before Connect 5.13 display a Run as Persona value of Unknown for several minutes as the upgrade process completes connection migration. These issues should resolve on their own after a few minutes, but could take longer depending on system resources and the amount of data to migrate.

After upgrading to Connect 5.13, the Connect Write (All) role permission is removed from the predefined Connect Administrator and Connect Operator roles, and the Connect Owner permission is added to the predefined Connect Administrator and Connect Operator roles. The Connect Owner permission allows users to take ownership of connections owned by other users. Users that are members of the Connect Administrator and Connect Operator roles must have ownership of a connection before editing the connection.

If you created a connection before the upgrade to Connect 5.13 and you configured the connection to use a shared destination that you do not own, the connection runs as expected after the upgrade. However, you cannot make changes to the connection unless you create a new destination that you own, either by copying the shared destination or creating a new destination.

Permissions assigned to existing roles that you configured prior to the upgrade are not changed, even if you initially cloned a role from the Connect Administrator and Connect Operator roles.

Upgrading to Connect 5.14 or later

For on-premises environments, if you want to upgrade to Connect 5.14 or later, for the best results:

  1. Upgrade to Connect 5.13.391 if your environment is below that version.

  2. Verify that your environment properly updated. Log in to the Tanium Console as a Platform Administrator, then navigate to the Connect Overview page. A banner appears if any problems occurred during the upgrade to Connect 5.13.391. No banner appears if the upgrade completed without any problems.

  3. Upgrade to the current Connect version.

Configure logs

Adjust log expiration

To adjust the number of days before log files are removed, click Settings on the Connect Overview page and navigate to the Configuration tab. Edit the number of days in the Connection Run Log Expiration field and click Save.

Adjust log level

To adjust the log level, choose a log level from the Connect Service Log Level menu and click Save.

View logs

Service logs

The Connect service records logs in the \Program Files\Tanium\Tanium Module Server\services\connect-files\logs\server.log file. This file is in JSON format by default, but you can use the Bunyan CLI tool to view the logs. From the \Program Files\Tanium\Tanium Module Server\services\connect-files\ directory, run the following command:

..\connect-service\node ..\connect-service\node_modules\bunyan\bin\bunyan logs\server.log

Search this log for the following message to tell when the Connect service starts:

Tanium Connect Starting

Connection run logs

Connections generate a log file for each run of the connection. The run logs are in the \Program Files\Tanium\Tanium Module Server\services\connect-files\logs\connections\ directory.

Connect configuration state

Connect stores information about connections and user settings in a database managed by the Tanium RDB Service.

Do not directly access this database unless advised by Tanium Support. If you want to view this information, download a support package that includes database information. For more information, see Collect logs.

Test connections

You might have trouble with running a connection for one of the following reasons:

  • the plugin schedule was disabled or deleted

  • the plugin schedule was transferred to another user, but is still associated with the prior user

  • the user that owns the connection no longer has access to the connection

  • the persona used to create a plugin schedule no longer has access to the plugin schedule

  • the persona used to create a plugin schedule is no longer associated with a user

You can log in as the user that owns the connection and view the Connect Overview page, then run the connection outside of the scheduled intervals.

  1. Log in as the user that owns the connection, then select Modules > Connect > Overview.

    Wait several minutes before moving on to the next step.

  2. Send a test connection.

    From the Connect Overview page, scroll to the Connections section. Select the checkbox next to the connection, click Run Now, and confirm to run the connection.
  3. Click the connection and open the Logs tab to view information about each run for that connection. Expand an individual row to view the log.

    If you need more log data, open the Details tab, update the Log Level value, and click Save. Run the connection again to view the log with the updated log level.

  4. If the IP address for a connection is on an internal network, only a Tanium administrator can run the connection by default.
    Click Settings on the Connect Overview page. On the Configuration tab, select Internal IPs to allow anyone to run connections to IPs on an internal network.




Troubleshoot issues

If a connection fails to send any data in a 60-minute period, Connect automatically terminates the connection.

Issue: Cannot connect to Connect service

  1. Verify that the Connect service is running on your Module Server.

    To view the running services, click Start > Run. Type services.msc and click OK. Verify that Connect is in the list and that the service is running.
  2. Check the service logs for any errors or messages about insufficient rights for the user. The Connect service records logs in the \Program Files\Tanium\Tanium Module Server\services\connect-files\logs\server.log file.

Issue: Failed connections to destinations

Before your connections can successfully send data to a destination, your Tanium Cloud instance, CMP network egress allow list, and network allow list must be configured. Note the following:

For more information, see Tanium Cloud Deployment Guide: Network egress. For assistance, contact Tanium Support.

Issue: <no value> in Tanium Data Service output

  1. Verify that the sensor for the saved question is registered. For more information, see Tanium Console User Guide: Display sensor collection registration details.
  2. If the sensor is not registered, register it for collection. For more information, see Tanium Console User Guide: Register or unregister sensors for collection.
  3. If you recently registered a sensor and want to see immediate results before the next scheduled collection, you can manually start the collection. For more information, see Tanium Console User Guide: Manually start collection.

Issue: Connection does not export all intended data

Connections use the owner's role permissions to access content. If the connection owner has insufficient permission for content that a connection requires, such as inability to view a computer group, the connection might not fully export the data that you intend to export.

Do one of the following:

Issue: Scheduled connection owned by a deleted user no longer runs

Scheduled connections require an existing Tanium user account owner to run scheduled instances. If the scheduled connection owner is deleted, future scheduled instances of that connection do not run.

Do one of the following:

Issue: Tanium Audit Source connection fails with MaxNumberOfAuditEntriesPerCacheExceeded error

Connections configured with the Tanium Audit Source connection source might fail if you configure Days of History Retrieved as 0 or a very large value, and a large period of time elapses between connection runs. Update the Days of History Retrieved value to a small integer, such as 1 or 2. For more information, see Reference: Tanium Audit Source data.

Issue: Emails using Microsoft 365 fail to send

Emails sent using the Email (O365) destination are subject to the following limitations:

  • The Email (O365) destination requires an email server profile. If you delete an email server profile configuration that is referenced by a scheduled connection, future scheduled instances of that connection fail. Recreate the email server profile configuration, then reference the new email server profile in the scheduled connection.
  • The Microsoft Graph API limits email requests to four concurrent requests. If you have multiple connections using the same email server profile configuration, emails over the four concurrent requests are queued for sending after prior requests resolve. Schedule connections using the same email server profile configuration to run at different times and minimize the number of requests sent simultaneously.

  • If you assign the Mail.Read permission to your Microsoft Azure application, you can send emails with attachments up to a total of 3 MB, or emails with a body up to 3 MB. If your connections send more data than that per run, do one of the following:

    • Schedule your connection to run more frequently, to try to reduce the size of each email.

    • Refine the connection source configuration to reduce the amount of data sent per connection run.

    • Assign the Mail.ReadWrite permission to the Microsoft Azure application. This enables sending emails with attachments up to a total of 150 MB, subject to any other limits that you configure in your Azure environment.

Issue: Imported connections using Email (O365) destinations do not run

Exporting a connection using an Email (O365) destination from one environment and importing it in another does not also import the required email server profile configuration. To export a connection using an Email (O365) destination:

  1. Export the connection from the originating environment, then import the connection in the target environment. For more information, see Export connections and Import connections.

  2. Create the email server profile in the target environment. For more information, see Configure email server profile settings for Microsoft 365.

  3. Edit the connection and select the Email Server Profile from the drop-down list. For more information, see Configure the email results destination.

Issue: Created connection does not allow editing of source or destination type

After you create a connection, you cannot update the connection source type or destination type, only the source configuration or destination configuration. If you want to change the source type or destination type, create a new connection.

Uninstall Connect

The basic Connect module uninstallation is designed so that the data you have collected is restored if you later decide to reinstall Connect. In some cases, you might want to start "clean" and not restore the data. To do this, you must manually remove some files.

Consult with Tanium Support before you uninstall or reinstall Connect.

Uninstall Connect so data is restored on reinstall

  1. Sign in to the Tanium Console as a user with the Administrator role.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Under Connect, click Uninstall.
  4. Review the summary and click Uninstall.
  5. When prompted to confirm, enter your password.

If you later import the Connect solution, the previous data is restored.

Uninstall Connect so you start fresh when you reinstall

  1. Uninstall Connect so data is restored on reinstall.
  2. Manually delete the \Program Files\Tanium\Tanium Module Server\services\connect-files\ directory.

Deleting the connect-files directory removes all existing Connect data. All logs, output, the Connect database, and any other Connect data are deleted. If you later import the Connect solution, the previous data is not restored.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.