Troubleshooting Discover

If Discover is not performing as expected, you might need to troubleshoot issues or change some settings. To send information to Tanium for troubleshooting, collect log and other relevant information.

Collect logs

The information is saved as ZIP files that you can download with your browser.

To download logs, complete the following steps:

  1. From the Discover Overview page, click Help.
  2. From the Troubleshooting tab, select the solutions for which to gather troubleshooting packages and click Create packages.

    By default, all solutions are selected.

  3. When the packages are ready, click Download Support Bundle.
    ZIP files of all the selected packages download to the local download directory.

    Some browsers might block multiple downloads by default. Make sure to configure your browser to permit multiple downloads from the Tanium Console.

  4. Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium Support.

Tanium Discover maintains logging information in the discover.log file in the <Module Server>/services/discover-service-files/discover.log directory.

Collect troubleshooting information from endpoints

You can use Client Management to directly connect to an endpoint and collect a bundle of logs and other artifacts, sometimes referred to as an Endpoint Must Gather (EMG).

  1. From the Main menu, click Administration > Shared Services > Client Management.

  2. From the Client Management menu, click Client Health.

  3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

    Matching results are displayed after the search completes.

  4. From the search results, click the computer name to connect to the endpoint.
  5. Click the Gather tab. In the Domain section, select the category or Tanium Solution for which you want to gather troubleshooting information.

  6. Click Gather from Endpoint.

    The selected logs and artifacts are gathered from the endpoint. The package appears in the Must Gathers section, and the name of the package corresponds with its time stamp.

  7. When Finished appears in the Run State column, select the package and click Download to download a ZIP file that contains the troubleshooting information.

For more information about connecting directly to endpoints, see Tanium Direct Connect User Guide.

For more information about using client health features in Client Management, see Tanium Client Management User Guide: Monitor the client health overview in Client Management and Tanium Client Management User Guide: Access detailed client health and troubleshooting information on an endpoint.

Upgrading to Discover 4.7

In Discover 4.7, the steps required to configure the service account are no longer necessary due to the adoption of the System User Service, which performs these tasks automatically. Consequently, after upgrading to Discover 4.7, it might take time for RBAC privileges and other updates to sync properly. This could lead to issues and error messages when first querying the Tanium Console. These issues should resolve on their own after a few minutes, but could take longer depending on system resources.

Identify and resolve issues with client extensions

Use the following steps to troubleshoot issues with the client extensions that Discover installs and uses. During troubleshooting, consider environmental factors such as security exclusions, file locks, CPU usage, RAM usage, and disk failures.

To review the client extensions that Discover installs and uses, see Client extensions.

  1. To review the health of client extensions or to start an investigation into an existing error, ask a question using the Client Extensions - Status or Discover - Tools Version sensor.

    The results of these questions help to identify endpoints with errors and provide a starting point to deploy actions that might help correct the issue. Filter the results and drill down as necessary to investigate results that indicate errors.

    Consider whether endpoints with errors share common characteristics, such as operating system, domain or organization unit, or the antivirus software that is installed.

  2. Target one or more endpoints with errors, and uninstall tools that report errors without blocking reinstallation: see Remove Discover tools from endpoints and Endpoint Configuration User Guide: Uninstall a tool installed by Endpoint Configuration.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

    Wait for automatic reinstallation of the tool. If the reinstallation does not resolve the issue, continue to the next step.

  3. Ask a question using the Endpoint Configuration - Tools Status Details sensor, and include filters to limit the results to the tool that you are investigating. For example:

    Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Discover from all machines with Endpoint Configuration - Tools Status:Tool Name contains Discover

    Review the columns in the results for specific information about errors. The following table provides guidance for some common error conditions:

    Error Condition: No error appears, but an available new version has not been installed
    Possible Resolution: Review the Targeted Version column to make sure that the endpoint has received the latest manifest. If the targeted version does not yet show the updated version, the Endpoint Configuration manifest has not updated on the endpoint, usually for one of the following reasons:

    Error Condition: Installation Blocker: Unmet Dependencies: [Tool name]
    Possible Resolution: If no Failure Message or Failure Step appears, the endpoint might be waiting for the dependencies to install. Wait to see if the condition resolves on its own. If this condition remains for an extended period, ask the question again and review any error information in other columns, especially the Failing Dependency column.

    Error Condition: Failing Dependency: [Tool name]
    Possible Resolution: Ask the question: Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains [Tool name] from all machines with Endpoint Configuration - Tools Status:Tool Name contains [Tool name]
    Investigate further errors with the tool.
    If the dependency has not been installed on an endpoint, ask the question: Get Endpoint Configuration - Tools Retry Status from all machines with Computer Name equals Computer_Name to review the retry status for the tool installation. For more information, see Endpoint Configuration User Guide: Review tool installations that are scheduled for a retry.

    Error Condition: Manually Blocked: blocked
    Possible Resolution: The tool was previously blocked, either manually or during a previous uninstallation. Unblock the tool: see Endpoint Configuration User Guide: Block or unblock tools from installing on an endpoint.

  4. Review the Extensions logs on the endpoint. Take note of entries that include fail or error: see Review the Extensions log for an endpoint.

For additional help, collect all logs for Tanium Discover, and contact Tanium Support.

Review the Extensions log for an endpoint

Use Client Management to directly connect to an endpoint and view and download extension logs.

  1. From the Main menu, go to Administration > Shared Services > Client Management.

  2. From the Client Management menu, click Client Health.

  3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

    Matching results are displayed after the search completes.

  4. From the search results, click the computer name to connect to the endpoint.
  5. Click the Logs tab, and select an extensions[#].log file.

  6. (Optional) To download the log, click Download.

For additional help, collect all logs for Tanium Discover, and contact Tanium Support.

View Discover scan ranges

You might want to see the ranges that are scanned before you run discovery, or to troubleshoot discovery that has already run. To see the calculated gaps between the managed interfaces, use the Discover Scan Range and Discover Scan Range - Unix sensors. The Discover Scan Range - Unix sensor is for the Solaris and AIX platforms.

For example, you might use the question: Get Computer Name and Operating System and Tanium Client IP Address and Discover Scan Range and Discover Scan Range - Unix from all machines. The results display the range between each of the managed endpoints and its forward and backward peers.

Problem: No results from running a scan

To return results, Discover tools must be distributed to the endpoints. If you do not see results:

  • Check the configuration of the Discover action group. See Installing Discover.
  • Check the status of the Discover action group. From the Main menu, go to Administration > Actions > Scheduled Actions.

Problem: Some endpoints are not scanning

You might find that some endpoints are not scanning. For example, the question: Get Discover Last Scan Range from all machines returns [no results].

Try adjusting the Start at time of the scheduled action to a few minutes after the Opening Time of the configured scan window in the profile.

  1. Get the start time of the start window for your profile. From the Discover menu, click Profiles. Hover over the profile_name and click Edit. In the Scan Window section, note the value of the Opening Time setting.
  2. From the Main menu, go to Console > Actions > Scheduled Actions. Click the Tanium Discover action group.
  3. Select the scheduled action that is associated with the profile. Choose Discover Content - Execute Scan [profile_name] or Discover Content - Execute Scan for non-Windows [profile_name]. Click Edit.
  4. Edit the Start at time to start a few minutes after the Opening Time you found in your profile.

Discover cannot perform satellite or distributed scans on endpoints with action locks turned on. See Tanium Console User Guide: Managing action locks.

Problem: Error with locations CSV file

If you see Error: Network specified for a parent. Networks can only be specified at the lowest level of the hierarchy. in the workbench and are unable to import the locations file, confirm that each row in the CSV file specifies a unique location in the hierarchy.

For example, consider the following CSV file:

Think of the hierarchy specified in the CSV file as a tree, and each row is a branch. Line 1 creates a United States branch with a sub-branch for Michigan. Line 8 creates a France branch. Line 11 creates a branch for Germany and a sub-branch for Berlin.

Line 13 creates the error because it does not end in a unique place in the hierarchy. Line 11 creates the Germany branch and line 13 only specifies Germany. Line 13 ends in a location that is already created. If line 13 specified another German state, like line 14 does, then line 13 would not create an error.
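
The rule described above can be checked before import. The following is an added example, not Tanium code and not the CSV from the original page: the sample rows are constructed, and the column layout (network in the first column, hierarchy levels from top to bottom in the remaining columns) is an assumption to adjust to your actual file.

```python
import csv
import io

# Constructed sample, not the CSV from the original page. Assumed layout:
# column 0 is the network, remaining non-empty columns are hierarchy levels.
SAMPLE = """\
10.1.0.0/16,United States,Michigan
10.2.0.0/16,France
10.3.0.0/16,Germany,Berlin
10.4.0.0/16,Germany
10.5.0.0/16,Germany,Bavaria
"""


def read_locations(text):
    """Return (line_number, network, path_tuple) for each non-blank row."""
    rows = []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue
        path = tuple(c for c in cells[1:] if c)
        rows.append((line_no, cells[0], path))
    return rows


def find_hierarchy_conflicts(rows):
    """Flag rows whose location is a parent of, or identical to, another row."""
    first_seen = {}  # location path -> line that first defined it
    problems = []
    for line_no, _net, path in rows:
        if path in first_seen:
            problems.append((line_no, "duplicate", first_seen[path]))
        else:
            first_seen[path] = line_no
    for line_no, _net, path in rows:
        if first_seen.get(path) != line_no:
            continue  # duplicates were already reported above
        for other_path, other_line in first_seen.items():
            # A longer path that starts with this row's path means this row
            # assigns a network to a parent, not to the lowest level.
            if len(other_path) > len(path) and other_path[:len(path)] == path:
                problems.append((line_no, "parent", other_line))
                break
    return sorted(problems)


if __name__ == "__main__":
    for line_no, kind, other in find_hierarchy_conflicts(read_locations(SAMPLE)):
        print(f"line {line_no}: {kind} of location defined on line {other}")
```

In the constructed sample, the row that specifies only Germany is reported because an earlier row already created a Germany branch with a Berlin sub-branch; the France row is not reported because nothing sits below it.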

Problem: Needs deployment profile status

This warning indicates there is a profile mismatch between the Tanium Server and the Tanium Client. Contact support for assistance.

To contact Tanium Support for help, sign in to https://support.tanium.com.

FAQ: Why is the number of managed interfaces higher than the client status?

If you compare the number of managed interfaces in Discover, you might notice that the number is often higher than the number of Tanium Clients that are reported on the Client Status page.

This disparity is expected. Interfaces are unique MAC addresses. One Tanium Client with multiple network interface controllers (NICs) displays as multiple interfaces in Discover. Virtualization software can increase the number of interfaces reported for a computer, if the computer has multiple virtual machines running.

You can also view the Environment Status section in the Tanium Console to view the discrepancy between the number of managed interfaces and the Total Endpoints.

Remove Npcap from endpoints

You can deploy an action to remove Npcap from an endpoint or computer group.

  1. In Interact, target the computers from which you want to remove Npcap.
    • For computers with Npcap installed using Discover 4.3 or later, ask a targeting question:

      Get Endpoint Configuration - Tools Status from all machines with Is Windows equals True

    • For all other computers with Npcap installed or if you are not sure how Npcap was installed, ask a targeting question:

      Get Discover - Installed Npcap Version from all machines

  2. In the results, select Npcap (if using the Endpoint Configuration package) or the versions (if using the Discover package), and select the targets from which you want to remove Npcap. For more information, see Tanium Interact User Guide: Managing question results.
  3. Click Deploy Action.
  4. On the Deploy Action page, select the package:

    • If using the Endpoint Configuration package, do the following:

      1. Enter Endpoint Configuration - Uninstall in the Deployment Package box, and select Endpoint Configuration - Uninstall Tool [Windows].

      2. For Tool Name, select Npcap.

      3. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Re-installation occurs almost immediately.

    • If using the Discover package, do the following:

      1. Enter Discover - Uninstall Npcap in the Deployment Package box.

      2. (Optional) By default, the package only uninstalls Tanium-installed versions of Npcap. To uninstall all installations of Npcap, select Remove Any Npcap Version.

  5. Click Show preview to continue.
  6. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

Remove Discover tools from Windows and Linux endpoints

You can deploy an action to remove Discover tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
  2. In the results, select the row for Discover, drill down as necessary, and select the targets from which you want to remove Discover tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Discover.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Re-installation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Discover to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Discover databases and logs from the endpoints, clear the selection for Soft uninstall.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

  8. (Optional) To also remove any tools that were dependencies of the Discover tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

  9. (Optional) In the Deployment Schedule section, configure a schedule for the action.

    If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

  10. Click Show preview to continue.
  11. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Discover

  1. From the Main menu, go to Administration > Configuration > Solutions. Under Discover, click Uninstall. Click Proceed with Uninstall to complete the process.
  2. Delete any remaining Discover-related scheduled actions and action groups. For more information, see Tanium Console User Guide: Delete an action group.

  3. Check for Discover artifacts on your endpoints. Ask the question: Get Has Discover Artifacts = "true" from all machines. If any endpoints are returned by this question and you want to clean the artifacts off the endpoint, contact Tanium Support. For more information, see Contact Tanium Support.
  4. Check for Discover plugin schedules. From the Main menu, go to Administration > Configuration > Common > Plugin Schedules. If plugin schedules exist for Discover, contact Tanium Support.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.