Troubleshooting

Review troubleshooting tasks for common issues.

Troubleshoot Connect by using log files and the solutions to common issues. If you cannot resolve the issues, collect support information.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

To download logs:

  1. From the Connect Overview page, click Help .
  2. From the Troubleshooting tab, select the solutions for which to gather troubleshooting packages and click Create Package.
  3. When the package is ready, click Download Package.
    A ZIP file of Connect information, and database information if selected, downloads to the local download directory.

    Some browsers might block multiple downloads by default. Make sure to configure your browser to permit multiple downloads from the Tanium Console.

  4. Contact Tanium Support to determine the best option to send the ZIP files. For information, see Contact Tanium Support.

Tanium Connect maintains logging information in the Connect.log file in the \Program Files\Tanium\Tanium Module Server\services\Connect directory.

Upgrading to Connect 5.12

In Connect 5.12, the steps required to configure the service account are no longer necessary due to the adoption of the System User Service, which performs these tasks automatically. Consequently, after upgrading to Connect 5.12, it might take time for the RBAC privileges and other updates to sync properly. This could lead to issues and error messages when first querying the Tanium Console. These issues should resolve on their own after a few minutes, but could take longer depending on system resources and the amount of data to migrate.

Configure logs

Adjust log expiration

To adjust the number of days before log files are removed, click Settings on the Connect Overview page and navigate to the Configuration tab. Edit the number of days in the Connection Run Log Expiration field and click Save.

Adjust log level

To adjust the log level, choose a log level from the Connect Service Log Level menu and click Save.

View logs

Service logs

The Connect service records logs in the \Program Files\Tanium\Tanium Module Server\services\connect-files\logs\server.log file. This file is in JSON format by default, but you can use the Bunyan CLI tool to view the logs. From the \Program Files\Tanium\Tanium Module Server\services\connect-files\ directory, run the following command:

..\connect-service\node ..\connect-service\node_modules\bunyan\bin\bunyan logs\server.log

Search this log for the following message to tell when the Connect service starts:

Tanium Connect Starting

Connection run logs

Connections generate a log file for each run of the connection. The run logs are in the \Program Files\Tanium\Tanium Module Server\services\connect-files\logs\connections\ directory.

Connect configuration state

Connect stores information about connections and user settings in the \Program Files\Tanium\Tanium Module Server\services\connect-files\config\connect.db file.

Do not edit the connect.db file unless advised by Tanium Support.

Test connections

If you have trouble with a connection, you can run the connection outside of the scheduled intervals.

You might have trouble with running a connection for one of the following reasons:

  • the plugin schedule was disabled or deleted

  • the plugin schedule was transferred to another user, but is still associated with the prior user

  • the user that owns the connection no longer has access to the connection

  • the persona used to create a plugin schedule no longer has access to the plugin schedule

  • the persona used to create a plugin schedule is no longer associated with a user

You can log in as the user that owns the connection and view the Connect Overview page, then run the connection outside of the scheduled intervals.

  1. Log in as the user that owns the connection, then select Modules > Connect > Overview.

    Wait several minutes before moving on to the next step.

  2. Send a test connection.

    From the Connect Overview page, scroll to the Connections section. Select the checkbox next to the connection, click Run Now, and confirm to run the connection.
  3. Click the connection and open the Logs tab to view information about each run for that connection. Expand an individual row to view the log.

    If you need more log data, open the Details tab, update the Log Level value, and click Save. Run the connection again to view the log with the updated log level.

  4. If the IP address for a connection is on an internal network, only a Tanium administrator can run the connection by default.
    Click Settings on the Connect Overview page. On the Configuration tab, select Internal IPs to allow anyone to run connections to IPs on an internal network.




Troubleshoot issues

If a connection fails to send any data in a 60 minute period, Connect automatically terminates the connection.

Issue: Cannot connect to Connect service

  1. Verify that the Connect service is running on your Module Server.

    To view the running services, click Start > Run. Type services.msc and click OK. Verify that Connect is in the list and that the service is running.
  2. Check the service logs for any errors or messages about insufficient rights for the user. The Connect service records logs in the \Program Files\Tanium\Tanium Module Server\services\connect-files\logs\server.log file.

Issue: Failed connections to destinations

Before your connections can successfully send data to a destination, your Tanium Cloud instance, CMP network egress allow list, and network allow list must be configured. Note the following:

  • Sign in to the CMP and configure a network egress allow list rule for each destination fully qualified domain name (FQDN) and associated port. For more information on configuring the network egress allow list, see Tanium Cloud Deployment Guide: Configuring network egress allow list rules in the CMP.
  • Tanium Cloud does not support non-TLS plaintext HTTP URLs.
  • Tanium does not support sending data over TCP port 25 outbound. If you create a rule with external access for an SMTP email server destination (default TCP port 465 or TCP port 587), you can only associate the port with 1 FQDN.

  • For other destinations, you can reuse a port for multiple destination FQDNs.

  • Your Tanium Cloud instance has a proxy cluster with 2 public IP addresses. If a destination is in your network, add inbound traffic from these IP addresses to your network allow list.

For more information, see Tanium Cloud Deployment Guide: Network egress. For assistance, contact Tanium Support.

Issue: <no value> in Tanium Data Service output

  1. Verify that the sensor for the saved question is registered. For more information, see Tanium Console User Guide: Display sensor collection registration details.
  2. If the sensor is not registered, register it for collection. For more information, see Tanium Console User Guide: Register or unregister sensors for collection.
  3. If you recently registered a sensor and want to see immediate results before the next scheduled collection, you can manually start the collection. For more information, see Tanium Console User Guide: Manually start collection.

Issue: Connection does not export all intended data

Connections use the owner's role permissions to access content. If the connection owner has insufficient permission for content that a connection requires, such as inability to view a computer group, the connection might not fully export the data that you intend to export.

Do one of the following:

Problem: Scheduled connection owned by a deleted user no longer runs

Scheduled connections require an existing Tanium user account owner to run scheduled instances. If the scheduled connection owner is deleted, future scheduled instances of that connection do not run.

Do one of the following:

Issue: Tanium Audit Source connection fails with MaxNumberOfAuditEntriesPerCacheExceeded error

Connections configured with the Tanium Audit Source connection source might fail if you configure Days of History Retrieved as 0 or a very large value, and a large period of time elapses between connection runs. Update the Days of History Retrieved value to a small integer, such as 1 or 2. For more information, see Reference: Tanium Audit Source data.

Uninstall Connect

The basic Connect module uninstallation is designed so that the data you have collected is restored if you later decide to reinstall Connect. In some cases, you might want to start "clean" and not restore the data. To do this, you must manually remove some files.

Consult with Tanium Support before you uninstall or reinstall Connect.

Uninstall Connect so data is restored on reinstall

  1. Sign in to the Tanium Console as a user with the Administrator role.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Under Connect, click Uninstall.
  4. Review the summary and click Uninstall.
  5. When prompted to confirm, enter your password.

If you later import the Connect solution, the previous data is restored.

Uninstall Connect so you start fresh when you reinstall

  1. Uninstall Connect so data is restored on reinstall.
  2. Manually delete the \Program Files\Tanium\Tanium Module Server\services\connect-files\ directory.

Deleting the connect-files directory removes all existing Connect data. All logs, output, the Connect database, and any other Connect data is deleted. If you later import the Connect solution, the previous data is not restored.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.