Troubleshooting Deploy

Review troubleshooting tasks for common problems.

If Deploy is not performing as expected, you might need to do some troubleshooting or change settings.

For more comprehensive troubleshooting information, registered Tanium customers can sign in to view the Tanium Community: Deploy Troubleshooting Guide.

Collect a troubleshooting package

For your own review or to assist support, you can compile Deploy logs and files that are relevant for troubleshooting.

  1. Get the Deploy log.
    1. From the Deploy Overview page, click Help .
    2. Click the Support tab and click Collect.
    3. When the Status: is updated, click Download.

    The log zip file might take a few moments to download. The files have a timestamp with a deploy-support-YYYY-MM-DDTHH-MM-SS.mmmZ  format.

  2. (Optional) On the endpoint, copy the Tanium\Tanium Client\Tools\SoftwareManagement folder.

Upgrading to Deploy 2.19

In Deploy 2.19, the steps required to configure the service account are no longer necessary due to the adoption of the System User Service, which performs these tasks automatically. After upgrading to Deploy 2.19, it might take time for the RBAC privileges and other updates to sync properly. This could lead to issues and error messages when you first query the Tanium Console. These issues usually resolve on their own after a few minutes, but could take up to an hour or longer depending on system resources and the amount of data to migrate.

View job logs to troubleshoot job failed errors

You can download job logs to troubleshoot "job failed" errors.

  1. From the Deploy Overview page, click Help .

  2. Click the Support tab and click View Job Status.
  3. In the Job Detail window, click Download Logs to download a job-logs.txt file with more details about recent jobs.

Collect Deploy troubleshooting information from endpoints

You can collect and review endpoint artifacts to troubleshoot Deploy issues on endpoints. To collect artifacts from an endpoint, use Client Management to generate an Endpoint Must Gather for select files in the Software Manager and Core domains. For instructions on generating an Endpoint Must Gather, see Tanium Client Management User Guide: Collect troubleshooting information from endpoints.

The following table describes the files to select in the Software Manager and Core domains.

Gather domain Gather name File and description
Software Manager Deploy Logs

  • Tanium Client\Tools\SoftwareManagement\logs\software-management[0-10].log
    Primary endpoint logs for Deploy that contain information needed to troubleshoot most issues. The files contain all logging output of the long-running Deploy process.

  • Tanium Client\Tools\SoftwareManagement\logs\subprocess.log
    Standard output and record of each subprocess that Deploy launched. Subprocesses are launched for each command step in a software package and end-user notification.

  • Tanium Client\Tools\SoftwareManagement\logs\Install-ClickToRunOffice.log
    Detailed logging information from the Microsoft Office Click-to-Run packages in the Predefined Package Gallery.
Deploy Database

  • Tanium Client\Tools\SoftwareManagement\data\software-management.db

  • Tanium Client\Tools\SoftwareManagement\data\software-management.shm

  • Tanium Client\Tools\SoftwareManagement\data\software-management.db-shm

Detailed information about the state of deployments, software packages, maintenance windows, self service profiles, and software bundles. The files are needed when troubleshooting endpoint issues.

Deploy Windows Upgrade - PreCache.txt

%temp%\Win10IPU_PreCache.txt

Log for Windows in-place upgrade Phase 1 Pre-Cache script. This file is used for troubleshooting Phase 1 Pre-Cache of the Windows upgrade process.
Deploy Windows Upgrade - CompatScan.txt

%temp%\Win10IPU_CompatScan.txt

Log for Windows in-place upgrade Phases 1 and 2 compatibility scans script. This file is used for troubleshooting Phases 1 and 2 of the Windows upgrade process.
Deploy Windows Upgrade - Upgrade.txt

%temp%\Win10IPU_Upgrade.txt

Log for Windows in-place upgrade Phase 3 Windows Upgrade script. This file is used for troubleshooting Phase 3 Windows Upgrade of the Windows upgrade process.
Deploy PreProcessed

Tanium Client\Tools\SoftwareManagement\data\preprocessed

Results for Deploy sensors, for example, deploy-deployments.txt for the Deploy - Deployments sensor. The Deploy process writes the files to enable fast retrieval by Deploy sensors. The files are generally only useful for troubleshooting unusual answers to one or more Deploy sensors.
Deploy Endpoint Notification Tools

%localappdata%\tanium-end-user-self-service\euss.log

Log for the Self-Service Client that is specific to the user logged into an endpoint, for example, C:\Users\Administrator\AppData\Local\tanium-end-user-self-service\euss.log. The file might be useful for troubleshooting End-User Self Service.
Core Tanium Client Logs

Tanium Client\Logs\clientextensions[0-9].txt

Log for most Tanium Client extensions, including the Software Manager extension (swmgr-cx) that starts the long-running Deploy process. The file is generally needed when troubleshooting installation of tools or the starting of the Deploy process.

Troubleshoot Job failed: Sync Software Package Files error

The Job failed: Sync Software Package Files appears in the Deploy workbench if a software package did not synchronize properly. The most common reason for the error is that Deploy cannot cache remote files associated with a package. However, the error can appear for a variety of reasons.

  1. Review the information available for the error in the Deploy workbench. If the Job failed: Sync Software Package Files error banner includes More Information, click the link and review the information.

    You can also retry the synchronization or export, copy, or download the information on this page.

  2. Review the logs to identify the issue for the error. See View job logs to troubleshoot job failed errors.
  3. Review Common package synchronization failure issues and resolutions for corrective actions.

Common package synchronization failure issues and resolutions

The following table explains different issues that can prevent a software package from syncing properly.

Issue Explanation and corrective action
Deploy cannot download a remote file at all
The file hash does not match what is defined in the package definition

This issue is usually caused by a recent release of a new version of the software. Compare the software package version to the latest version published by the vendor, and then try one of the following solutions:

  • If the version is the same, manually add affected files to the software package.
  • If the vendor has published a new version, edit the package and update the new version information before manually adding affected files to the software package. Alternatively, wait for a new software package to be published to the Predefined Package Gallery.
  • For information about manually adding files to a software package, see Deploy cannot access the origin of a software package file.
A different problem is preventing Deploy from synchronizing the software package

This issue can sometimes be caused by an error with the Tanium Server or with the Endpoint Configuration Service. Review the job logs for basic diagnostic information. Collect a support bundle and review the Deploy service log and Module Server or Tanium Server TDL logs for additional diagnostic information. For more information, see Collect a troubleshooting package and Tanium Appliance Deployment Guide: Review Tanium Core Platform logs. If you continue to experience this problem, Contact Tanium Support for assistance.

Deploy cannot access the origin of a software package file

If Deploy cannot access the origin of a software package file, you can follow these basic steps to edit the package and manually add any inaccessible files:

  1. Download the inaccessible remote file to your computer.

  2. Edit the software package.

  3. If necessary, expand the Package Files section, then click Add Package Files > Local File to upload the file from Step 1 to the software package.

  4. Ensure that the new package file uses the same value for the File Display Name field as the original package file.

  5. Delete the original package file and save the package.

    6. For more information about configuring software packages, see Create a software package.

End user notifications are not displayed or endpoints have other issues

End user notifications are supported for Windows and macOS endpoints only. If end user notifications are not being displayed on the endpoints or the endpoints have other issues (for example, their statuses are Needs Attention):

  1. Verify that the Tanium End-User Notifications solution is installed. For more information, see Tanium End-User Notifications User Guide: Installing End-User Notifications.
  2. Ask the question: Get End-User Notifications - Has Tools from all machines to check if your endpoints have the end user notification tools.
  3. Verify Contact Tanium Support to verify that any security software exclusions include the \Tanium\Tanium End User Notification Tools directory. For more information, see Security exclusions.

  4. Uninstall the End-User Notifications tools on the endpoints. For more information, see Tanium End-User Notifications User Guide: Remove End-User Notifications tools from endpoints. Then wait up to 10 minutes for the tools to automatically reinstall.

    You can also reinstall the End-User Notifications tools with the Endpoint Configuration - Reinstall Tool package.

Deployment fails with EUN error on endpoint

If your deployment is configured for a pre-notification, but the endpoint does not have the End-User Notifications tools installed, the deployment fails and triggers the following error: EunIncompatible: EUN is not installed or the version installed is too old. If you receive this error, ensure that the endpoint has a supported configuration and has the End-User Notifications tools installed. For more information, see Tanium End-User Notifications User Guide: Configuring End-User Notifications.

Deploy workbench slowly loads pages

If the Deploy workbench slowly loads pages, confirm that you have enabled the Inactive Deployments Removal option to remove old inactive deployments. The deployment cleanup helps improve the performance of the Deploy workbench. For instructions, see Configure module settings.

Troubleshoot Deploy process not running

The Running Deploy chart on the Overview page or the Deploy - Is Process Running sensor report endpoints on which the Deploy process is not running.

The following table explains different issues that can prevent the Deploy process from running.

Issue Explanation and corrective action
The endpoint does not support Deploy.
  1. Ask the question Get Deploy - Coverage Status from all machines to identify the endpoints on which Deploy is not supported.
  2. Review the Deploy requirements and make necessary changes.
Deploy tools are not installed on the endpoint.

See Troubleshoot issues with Deploy tools on endpoints.
The endpoint is not in the Deploy action group.

The endpoint must be in a computer group in the Deploy action group to have Endpoint Configuration install Deploy tools and swmgr-cx start the Deploy process.

Review the computer groups in the Deploy action group. For more information, see (Optional) Configure the Deploy action group.
The Deploy process is not running for another reason.

Review software-management0.log and extensions0.txt log files. For information on how to collect the logs, see Collect Deploy troubleshooting information from endpoints.

  • If software-management log files do not exist or do not have any recent activity, Troubleshoot issues with Deploy tools on endpoints. If all tools are installed, search extensions0.txt for swmgr to identify problems with Software Management

    .

  • The logs might indicate the Deploy process starts and then quickly exits. Search the logs for starting up to determine if the process is consistently starting up one to two times per minute. If so, the log lines immediately before the starting up line might indicate why the process is terminating.

  • If the Deploy process is crashing or terminating itself, the problem might be caused by an issue with the Deploy tools or database. As a potential corrective action, perform a hard uninstallation of the affected tool and its unreferenced dependencies. For instructions, see Remove Deploy tools from endpoints.

For issues that persist after uninstalling and reinstalling affected tools, investigate possible interference from security software. Ensure you have configured endpoint security exclusions. On an affected Windows endpoint to which you have console access, collect an unfiltered Microsoft Process Monitor capture of at least 30 seconds of activity to provide to Tanium Support. See Microsoft documentation: Process Monitor.

If you are unable to resolve the issues, Contact Tanium Support and include all collected artifacts.

Troubleshoot issues with Deploy tools on endpoints

Endpoint Configuration installs the following Deploy tools on endpoints: Deploy, Software Management, python38, and swmgr-cx. Additionally, Deploy - Euss Tool Wrapper installs Tanium EUSS. For more information about Deploy tools, see Reference: Deploy endpoint tools.

For information about Endpoint Configuration tools, see Tanium Endpoint Configuration User Guide: Managing endpoint tools and Tanium Endpoint Configuration User Guide: Identify and resolve issues with endpoint tools or client extensions.

To troubleshoot issues with Deploy tools, review sensor results.

  1. Ask the question Get Endpoint Configuration - Tools Status Details matches "(swmgr-cx|Software Management|Deploy|python38|Tanium EUSS).*" from all machines with Deploy - Is Process Running equals False .
  2. Review the results for the Deploy tools and complete the corrective action.
    StatusExplanation and corrective action
    Not InstalledSee The endpoint is not in the Deploy action group.
    Blocked See Tanium Endpoint Configuration User Guide: Block or unblock tools from installing on an endpoint.
    Error - awaiting automatic retry

No applicability information for software packages

Software package applicability is calculated on the endpoints by using the applicability rules in the package definition, which is stored in the software package catalog and distributed to the endpoints.

If the applicability information for software packages is not available:

  1. Verify that the Deploy process is running on the target endpoint.
    1. Ask the question: Get Deploy - Is Process Running from all machines
    2. Check locally for the \Tanium\Tanium Client\python38\TPython.exe file on the endpoint.
  2. Compare the current and cached results of the Deploy - Software Packages Applicability sensor
    1. In Interact, ask the question: Get Deploy - Software Packages Applicability[1,100000] from all machines
    2. Toggle between Current and Cached to ensure that the results match.

      If you do not see Current and Cached, ensure that the Deploy - Software Packages Applicability sensor is registered for collection in the Registration & Collection tab of the Interact Settings for the specific parameter values. For more information, see Tanium Interact User Guide: View sensor registration details.

    3. If you see any discrepancies, go to the Interact Settings and click Collect Now.

    For information on troubleshooting unexpected availability, see View software package applicability.

No software in the Predefined Package Gallery

After you import Deploy 1.1 or later, you must initialize the endpoints again. After the endpoints are initialized, it might take up to one hour to see the software in the Predefined Package Gallery page. You can also restart the Tanium Deploy service to reduce this time constraint.

If you still do not see any software in the Predefined Package Gallery page:

  1. From the Main menu, go to Administration > Content > Packages.
  2. Search for the Deploy - Software Package Gallery package.
  3. Verify that this package is cached.
    1. Verify that the Size column does not list Pending.
    2. If the size stays at Pending for more than one hour, Contact Tanium Support for assistance.
  4. Check to see if the Tanium Deploy service is attempting to gather the Deploy Predefined Package Gallery file.
    1. Collect a troubleshooting package.
    2. Open the downloaded support bundle and open the deploy-files\logs\Deploy.log file.
    3. Search for Ensuring software package gallery zip package.
    4. If the Deploy.log file does not have that text, Configuring Deploy again, wait 10-15 minutes, and then repeat the previous steps to recheck the log file.
  5. If you still do not see any software in the Predefined Package Gallery page after completing the previous steps, Contact Tanium Support for assistance.

Uninstall Deploy

Use only this procedure to uninstall Deploy.

If you need to uninstall Deploy, first clean up the Deploy artifacts on the endpoint, then uninstall Deploy from the server, and then remove Deploy data directories and files from the server.

Remove Deploy artifacts from endpoints

To remove Deploy from endpoints, use the following options in the Endpoint Configuration - Uninstall package for Deploy to block reinstallation, perform a hard uninstall, and then remove unreferenced dependencies. For more information, see Remove Deploy tools from endpoints.

Remove Deploy from the Tanium Module Server

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. Select the check box in the Deploy section, then click Uninstall and follow the process.
  3. Return to the Solutions page and verify that the Import button is available for Deploy.

If the Deploy module has not updated in the console, refresh your browser.

Remove packages

  1. From the Main menu, go to Administration > Content > Packages.
  2. In the Content Set column, filter on values that contain Deploy.

(Optional) Remove data directories and files

To permanently remove all Deploy data from the Tanium Module Server, manually delete the following directories and files. If you later import the Deploy solution, the previous data is not restored.

Windows:

  • \Program Files\Tanium\Tanium Module Server\services\deploy-files\
  • \Program Files\Tanium\Tanium Module Server\services\deploy-service\
  • \Program Files\Tanium\Tanium Module Server\temp\deploy-service\
  • \Program Files\Tanium\Tanium Module Server\temp\deploy-service-invoker\
  • \Program Files\Tanium\Tanium Module Server\temp\deploy-service-proxy\
  • \Program Files\Tanium\Tanium Module Server\temp\deploy-*.bak

TanOS:

This action requires access to the unrestricted shell. For more information, including how to request a shell key, see Tanium Appliance Deployment Guide: Examine OS processes and files.

  • /opt/Tanium/TaniumModuleServer/deploy-files
  • /opt/Tanium/TaniumModuleServer/deploy-service
  • /opt/Tanium/TaniumModuleServer/temp/deploy-*.bak

Remove Deploy tools from endpoints

You can deploy an action to remove Deploy tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
  2. In the results, select the row for Deploy, drill down as necessary, and select the targets from which you want to remove Deploy tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.

  5. For Tool Name, select Deploy.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Re-installation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Deploy to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Deploy databases and logs from the endpoints, clear the selection for Soft uninstall.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

  8. To also remove any tools that were dependencies of the Deploy tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

  9. (Optional) In the Deployment Schedule section, configure a schedule for the action.

    If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

  10. Click Show preview to continue.

  11. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.