Troubleshooting

If Detect is not performing as expected, you might need to do some troubleshooting or change settings. For assistance, you can also contact your TAM.

Collect logs

You can compile Detect logs and files that are relevant for troubleshooting.

  1. From the Detect home page, click Information.
  2. Click Prepare Archive to generate an archive of information you can use to troubleshoot issues.
  3. Click Download Archive.

The archive contains the Detect database, logs, YARA cache, and other relevant files. You can create an updated ZIP file every 90 seconds. The ZIP file name has the format: detect-files-yyyymmddThhmmssZ.zip.

Change logging level

If you need greater verbosity in the logs, you can change the log level.

  1. From the Detect home page, click Settings.
  2. On the Service tab, adjust the level as needed.
    You can change the logging level of the server to TRACE, DEBUG, INFO, WARN, or ERROR. The default is DEBUG.

    Use TRACE only for troubleshooting over short periods of time.

  3. Click Update Settings.

Change logging level for a single group configuration

If you need more information from a specific group configuration, you can change the logging level for the group.

  1. Go to Management > Group Configuration.
  2. Click the computer group name.
  3. Open the Advanced Engine Settings.
  4. Select the log level.
  5. Click Save and Deploy.

View notifications

To view system notifications, click Management > System Notifications. These notifications show non-match alerts, including when alert throttling is enabled on the Detect service or any endpoints. To delete a notification, select the row and click Delete.

Get Detect tools status

You can use Tanium™ Interact, or a saved question, to ask Get Detect Tools Status from all machines.

The results returned are divided by operating system, Detect version, and the endpoints that do not have the tools installed. The Detect tools status is evaluated when the Detect service restarts or is updated.

For more information, see Tanium Interact User Guide: Asking questions.

Verify the Trace version

Integration with Trace is required to use signals as intel. For more information about Trace requirements with Detect, see Tanium dependencies. The endpoints must be initialized.

Ask the question: Get Tanium Trace Status from all machines.

For more information, see the Tanium Trace User Guide.

Update the service settings

You might need to change how often the Detect service communicates with the endpoints or gathers information for reporting, or to throttle Detect behavior.

  1. From the Detect home page, click Settings.
  2. Change the settings as needed for your environment.
  3. Click Update Settings.

Tune alert throttling

You can adjust the throttling settings to control how many alerts you are getting on the endpoint or from the Detect service. Both endpoint and service alert throttling are enabled by default.

Configure throttling for signal alerts on endpoints

You can configure throttling of signal alerts on the endpoint when you create a group configuration. By default, signal alert throttling on an endpoint is enabled and occurs when five events on a single piece of intel occur within five minutes.

  1. Go to Management > Group Configuration. Select a computer group.
  2. In the Advanced Engine Settings section, update the settings for signal throttling.
  3. Click Save and Deploy to publish the tools and configuration information to the endpoints.
  4. If signal alert throttling occurs, you will see notifications about the event and the endpoint that has throttling enabled on the Management > System Notifications page.

Configure match alert throttling on the Detect service

You can configure match alert throttling on the Detect service. This service-level throttling can apply for quick scan alerts and all types of intel. By default, match alert throttling is enabled and occurs when 100 events on a single piece of intel occur within 20 minutes.

  1. From the Detect home page, click Settings.
  2. Edit the settings for match throttling. You can adjust when throttling occurs, and adjust the cool-off period, which controls how long alerts continue to be throttled.
  3. Click Update Settings.
  4. If alert throttling occurs on the Detect service, you will see notifications that throttling is enabled on the Management > System Notifications page.
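The two throttling passages above (signal alert throttling on endpoints, five events on one piece of intel within five minutes; match alert throttling on the Detect service, 100 events within 20 minutes, followed by a cool-off period) describe the same pattern: a per-intel sliding window, a threshold, and a cool-off during which further alerts are suppressed and a system notification is raised. The following Python model is an added example written for this page, not Tanium code, and it makes assumptions the page does not state: the alert that brings the count in the window up to the threshold is the first one suppressed, the cool-off length (600 seconds here) is an arbitrary chosen value, and the window is reset when the cool-off expires. It uses the endpoint defaults (5 in 300 seconds) on constructed sample events so that the suppression and the effect of spacing alerts out are both visible.

```python
"""Illustrative model of per-intel alert throttling (added example; not Tanium code)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class IntelState:
    """Throttle state for one piece of intel: recent alert times and a cool-off deadline."""
    recent: Deque[float] = field(default_factory=deque)
    throttled_until: Optional[float] = None


@dataclass
class AlertThrottler:
    """threshold alerts on one intel within window_s seconds start a cooloff_s throttle."""
    threshold: int
    window_s: float
    cooloff_s: float
    _states: Dict[str, IntelState] = field(default_factory=lambda: defaultdict(IntelState))
    notifications: List[Tuple[str, float]] = field(default_factory=list)

    def offer(self, intel_id: str, t: float) -> bool:
        """Return True if the alert at time t is delivered, False if it is throttled.

        Alerts must be offered in non-decreasing time order.
        """
        s = self._states[intel_id]
        if s.throttled_until is not None:
            if t < s.throttled_until:
                return False                     # still in cool-off: suppress
            s.throttled_until = None             # cool-off over (assumption: start fresh)
            s.recent.clear()
        s.recent.append(t)
        while s.recent[0] <= t - self.window_s:  # drop alerts that fell out of the window
            s.recent.popleft()
        if len(s.recent) >= self.threshold:
            # Threshold reached inside the window: throttle and record a notification,
            # as the page says System Notifications shows throttling events.
            s.throttled_until = t + self.cooloff_s
            self.notifications.append((intel_id, t))
            return False
        return True


# Constructed sample data: (seconds since start, intel id). "rule-A" bursts,
# "rule-C" fires once every 100 s and so never has five alerts in a 300 s window.
SAMPLE_EVENTS = [
    (0, "rule-A"), (0, "rule-C"), (30, "rule-A"), (60, "rule-A"), (90, "rule-A"),
    (100, "rule-C"), (120, "rule-A"), (150, "rule-A"), (180, "rule-A"),
    (200, "rule-C"), (300, "rule-C"), (400, "rule-C"), (800, "rule-A"),
]


def run_demo() -> Dict[str, list]:
    """Run the endpoint defaults (5 alerts in 5 minutes) with an assumed 10-minute cool-off."""
    thr = AlertThrottler(threshold=5, window_s=300, cooloff_s=600)
    emitted, suppressed = [], []
    for t, intel in SAMPLE_EVENTS:
        (emitted if thr.offer(intel, t) else suppressed).append((t, intel))
    return {"emitted": emitted, "suppressed": suppressed,
            "notifications": list(thr.notifications)}


if __name__ == "__main__":
    for key, rows in run_demo().items():
        print(key, rows)
```

Read the output against the page's settings: lowering the threshold or lengthening the window makes the "rule-C" pattern throttle too, and the cool-off determines when the 800-second "rule-A" alert is delivered again. That is the trade-off the Settings page and the group configuration expose.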

Refresh Detect stats information

You can update the latest information about Detect and the objects created by Detect.

  1. From the Detect home page, click Information.
  2. Click Reload.

Configure the Detect Engine manually

Though you can change most Detect settings within the advanced settings of a group configuration, you might need to manually run scripts from the Tanium™ Client directory on the endpoint to edit the engine configuration.

  • get-config provides all of the available options and their current values.
  • set-config changes the value or clears it, returning to the default behavior.

You can also find more information about engine configuration options in the Evaluation Engine documentation. From the Detect home page, click Help, then click the Evaluation Engine tab.

Complete a manual backup and restore

You can create a backup or restore a backup to an existing Detect configuration. For example, you might use a backup when you are moving from a testing to a production environment.

  1. On the Tanium™ Module Server, stop the Detect service.
  2. On the source Module Server host computer, copy the logs and data directories.
    • For version 2.5.x and earlier, go to Program Files\Tanium\Tanium Module Server\services\detect.
    • For version 3.x and later, go to Program Files\Tanium\Tanium Module Server\services\detect3-files.
  3. On the target Module Server host computer, paste these items into another Detect installation to restore the state.
  4. Restart the Detect service.
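The copy step above is where a restore goes wrong in practice: the wrong services subdirectory is chosen for the installed version, or a partial copy is not noticed until the service starts with inconsistent data. The following Python script is an added example for this page, not Tanium's own tooling; it picks the directory from the version mapping the page gives (services\detect for 2.5.x and earlier, services\detect3-files for 3.x and later), copies the logs and data directories, and writes a SHA-256 manifest so the copy on the target Module Server can be checked before the service is restarted. Stopping and restarting the Detect service is still done in the console as described; the script assumes the service is already stopped when it runs, and the module_server_root and dest paths are whatever you pass in.

```python
"""Added example: version-aware copy of the Detect files with an integrity manifest."""
import hashlib
import shutil
from pathlib import Path
from typing import Dict, List

COPIED_DIRS = ("logs", "data")   # the directories the page says to copy


def detect_files_dir(module_server_root: Path, version: str) -> Path:
    """Map the installed Detect version to its services subdirectory (mapping from the page)."""
    major = int(version.split(".")[0])
    subdir = "detect3-files" if major >= 3 else "detect"
    return module_server_root / "services" / subdir


def hash_tree(root: Path) -> Dict[str, str]:
    """SHA-256 of every regular file under root, keyed by its relative POSIX path."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def backup_detect(module_server_root: Path, version: str, dest: Path) -> Dict[str, str]:
    """Copy logs and data from the source Module Server and return the manifest written to dest.

    Assumes the Detect service has already been stopped (step 1 on the page); a live
    database copied while the service runs may not be consistent.
    """
    src = detect_files_dir(module_server_root, version)
    for name in COPIED_DIRS:
        shutil.copytree(src / name, dest / name, dirs_exist_ok=True)
    manifest = hash_tree(dest)                       # computed before the manifest file exists
    lines = [f"{digest}  {rel}" for rel, digest in sorted(manifest.items())]
    (dest / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")
    return manifest


def load_manifest(dest: Path) -> Dict[str, str]:
    """Parse MANIFEST.sha256 back into {relative path: digest}."""
    manifest = {}
    for line in (dest / "MANIFEST.sha256").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        manifest[rel] = digest
    return manifest


def verify_restore(restored_root: Path, manifest: Dict[str, str]) -> List[str]:
    """Return the relative paths that are missing or changed compared with the manifest.

    An empty list means every file in the manifest arrived intact; run this on the
    target before restarting the Detect service.
    """
    actual = hash_tree(restored_root)
    return sorted(rel for rel, digest in manifest.items() if actual.get(rel) != digest)
```

On the target host, paste the copied directories into the matching services subdirectory, run verify_restore against the pasted tree with the manifest from the source, and only restart the service when the list comes back empty.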

Uninstall Detect

In certain situations, you might need to remove Detect from the Module Server for troubleshooting purposes.

Use the Tanium Console to uninstall. Do not use the host machine add/remove programs feature unless advised by a TAM.

  1. From the Main Menu, click Tanium Solutions.
  2. Locate Detect, and then click Uninstall.

    The Uninstall window opens, showing the list of contents to be removed.

  3. Click Proceed with Uninstall.
  4. Enter your password to start the uninstall process.

    A progress bar is displayed as the installation package is removed.

  5. Click Close.
  6. To confirm, return to the Tanium Solutions page and check that the Import button is available.

    If the Detect module has not updated in the console, refresh your browser.

Last updated: 6/19/2018 10:33 AM