To collect and send information to Tanium for troubleshooting, collect
The information is saved as a compressed ZIP file that you can download with your browser.
- From the Discover Overview page, click Help, then the Troubleshooting tab.
- Click Collect. When the ZIP file is ready, click Download.
A discover-support.[timestamp].zip file downloads to the local download directory.
- Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium Support.
Tanium Discover maintains logging information in the discover.log file in the <Module Server>/services/discover-service-files/discover.log directory.
You might want to see the ranges that are scanned before you run discovery, or to troubleshoot discovery that has already run. To see the calculated gaps between the managed interfaces, use the Discover Scan Range and Discover Scan Range - Unix sensors. The Discover Scan Range - Unix sensor is for the Solaris and AIX platforms.
For example, you might use the question: Get Computer Name and Operating System and Tanium Client IP Address and Discover Scan Range and Discover Scan Range - Unix from all machines. The results display the range between each of the managed endpoints and its forward and backward peers.
To return results, Discover tools must be distributed to the endpoints. If you do not see results:
- Check the configuration of the Discover action group. See Configure Discover action group.
- Check the status of the Discover action group. From the Main menu, go to Administration > Actions > Scheduled Actions.
You might find that some endpoints are not scanning. For example, the question: Get Discover Last Scan Range from all machines returns [no results].
Try adjusting the Start at time of the scheduled action to a few minutes after the Opening Time of the configured scan window in the profile.
- Get the start time of the start window for your profile. From the Discover menu, click Profiles. Hover over the profile_name and click Edit. In the Scan Window section, note the value of the Opening Time setting.
- From the Main menu, go to Console > Actions > Scheduled Actions. Click the Tanium Discover action group.
- Select the scheduled action that is associated with the profile. Choose Discover Content - Execute Scan [profile_name] or Discover Content - Execute Scan for non-Windows [profile_name]. Click Edit.
- Edit the Start at time to start a few minutes after the Opening Time you found in your profile.
If you see Error: Network specified for a parent. Networks can only be specified at the lowest level of the hierarchy. in the workbench and are unable to import the locations file, confirm that each row in the CSV file specifies a unique location in the hierarchy.
For example, consider the following CSV file:
Think of the hierarchy specified in the CSV file as a tree, and each row is a branch. Line 1 creates a United States branch with a sub-branch for Michigan. Line 8 creates a France branch. Line 11 creates a branch for Germany and a sub-branch for Berlin.
Line 13 creates the error because it does not end in a unique place in the hierarchy. Line 11 creates the Germany branch and line 13 only specifies Germany. Line 13 ends in a location that is already created. If line 13 specified another German state, like line 14 does, then line 13 would not create an error.
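A pre-import check for the condition described above, as an added example that is not Tanium's code and does not reproduce the CSV file from the original page. It assumes a layout in which the first column is the network and the remaining columns are hierarchy levels; the sample rows and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample, not the CSV from the original page. Assumed layout:
# first column is the network, remaining columns are hierarchy levels.
SAMPLE = """\
10.1.0.0/16,United States,Michigan
10.2.0.0/16,France
10.3.0.0/16,Germany,Berlin
10.4.0.0/16,Germany
10.5.0.0/16,Germany,Bavaria
"""


def location_path(row):
    """Return the hierarchy levels of a row as a tuple, ignoring blank cells."""
    return tuple(cell.strip() for cell in row[1:] if cell.strip())


def find_parent_networks(csv_text):
    """Return (line_number, network, path) for every row whose location is a
    parent of a location that another row defines, in either row order."""
    reader = csv.reader(io.StringIO(csv_text))
    rows = []
    for row in reader:
        if not any(cell.strip() for cell in row):
            continue  # skip empty lines
        rows.append((reader.line_num, row[0].strip(), location_path(row)))

    # Every strict prefix of a row's path is a parent node in the tree.
    parents = set()
    for _, _, path in rows:
        for depth in range(1, len(path)):
            parents.add(path[:depth])

    # A row that ends on a parent node assigns a network above the lowest level.
    return [(n, net, path) for n, net, path in rows if path in parents]


if __name__ == "__main__":
    for line_no, network, path in find_parent_networks(SAMPLE):
        print(f"line {line_no}: {network} is assigned to parent location "
              f"{' > '.join(path)}")
```

Only the parent case described in the error message is flagged; rows that repeat the same lowest-level location are not treated as errors here.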
If you compare the number of managed interfaces in Discover with the number of Tanium Clients that are reported on the System Status page, you might notice that the number of managed interfaces is often higher.
This disparity is expected. Interfaces are unique MAC addresses. One Tanium Client with multiple network interface controllers (NICs) displays as multiple interfaces in Discover. Virtualization software can increase the number of interfaces reported for a computer, if the computer has multiple virtual machines running.
The following table lists factors that can cause the Endpoints Managed (%) metric to be lower than expected, and corrective actions you can take.
| Contributing factor | Corrective action |
| Installation Method Gap | |
| Credential Gaps | Use of any of the Tanium-provided installation methods involves using credentials to access the systems. Work with various management teams and deployment teams to understand what credentials are available to do installations on systems. Work with server or workstation support teams to understand these areas. |
| Network Gaps | Installing clients on "protected" networks such as DMZs or other sensitive areas is often a problem. These issues are technical, but the technical hurdles are generally an issue with policies and permissions. Work with the correct stakeholders to understand how Tanium will be used in the environment. Negotiate looser restrictions to allow installation of Tanium Clients in these protected networks. |
The following table lists factors that can cause the Mean Time to Managed metric to be higher than expected, and corrective actions you can take.
| Contributing factor | Corrective action |
| No automation | Tanium Discover can find clients, but with no action, a project can stall. Automating installation with Discover labels to target installation with Tanium Client Management is key. Take the human interaction out when possible, or build a workflow around Discover labels when items are found to feed into Tanium Connect and create help desk tickets or simple email lists. |
| Non-optimized Discovery settings | |
Often various regions have different support structures in the larger enterprise. Understanding what systems belong to these regions is key to giving the owning team the guidance they need to help with installation. Use locations to export or visualize data. See this three-part article:
| Understand your environment | Proper deployment sometimes requires understanding what is working and what is not working. With the data grids and graphs in Discover, you have a real-time view of the environment. With a high-level view over time, you can understand how deployments are working and cross-pollinate various ideas that work across a larger group. To get a high-level view, use the Discover boards in Tanium Trends: Tanium Community article: Use Trends to visualize Discover interfaces over time. |
You can deploy an action to remove Discover tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.
- In Interact, target the computers from which you want to remove the tools. For example, ask a question that targets a specific operating system:
Get Endpoint Configuration - Tools Status from all machines with Is <OS> equals True, for example:
Get Endpoint Configuration - Tools Status from all machines with Is Windows equals True
- In the results, select the row for Discover, drill down as necessary, and select the targets from which you want to remove Discover tools. For more information, see Tanium Interact User Guide: Managing question results.
- Click Deploy Action.
- On the Deploy Action page, enter Endpoint Configuration - Uninstall in the Enter package name here box, and select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
For Tool Name, select Discover.
(Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Reinstallation occurs almost immediately.
If reinstallation is blocked on an endpoint, you must deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints) before the tools can be reinstalled.
(Optional) To remove all Discover databases and logs from the endpoints, clear the selection for Soft uninstall.
(Optional) To also remove any tools that were dependencies of the Discover tools that are not dependencies for tools from other modules, select Remove unreferenced dependencies.
- Click Show preview to continue.
A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.
If you have enabled Endpoint Configuration, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.
- From the Main menu, go to Administration > Configuration > Solutions. Under Discover, click Uninstall. Click Proceed with Uninstall to complete the process.
Delete any remaining Discover-related scheduled actions and action groups. For more information, see Tanium Console User Guide: Delete an action group.
- Check for Discover artifacts on your endpoints. Ask the question: Get Has Discover Artifacts = "true" from all machines. If any endpoints are returned by this question and you want to clean the artifacts off the endpoint, contact Tanium Support. For more information, see Contact Tanium Support.
- Check for Discover plugin schedules. From the Main menu, go to Administration > Configuration > Common > Plugin Schedules. If plugin schedules exist for Discover, contact Tanium Support.
To contact Tanium Support for help, sign in to https://support.tanium.com.
Last updated: 3/3/2021 10:07 AM