Troubleshooting Endpoint Configuration
The information is saved as ZIP files that you can download with your browser.
To download logs:
- From the Endpoint Configuration Overview page, click Help.
- From the Troubleshooting tab, select the solutions for which to gather troubleshooting packages and click Create Packages.
By default, all solutions are selected.
- When the packages are ready, click Download Support Bundle.
ZIP files of all the selected packages download to the local download directory.
Some browsers might block multiple downloads by default. Make sure to configure your browser to permit multiple downloads from the Tanium Console.
- Contact Tanium Support to determine the best option to send the ZIP files. For information, see Contact Tanium Support.
Tanium Endpoint Configuration maintains logging information in the Endpoint Configuration.log file in the \Program Files\Tanium\Tanium Module Server\services\Endpoint Configuration directory.
Endpoint Configuration maintains logging information in the tanium-config.log file in the <Module Server>/services/endpoint-configuration-files directory.
You might become aware of issues with endpoint tools or client extensions through solution-specific errors or through Overview pages for modules or shared services that indicate endpoints that need attention.
Use the following steps to troubleshoot issues with endpoint tools or client extensions. During troubleshooting, consider environmental factors such as security exclusions, file locks, CPU usage, RAM usage, and disk failures.
To actively review the health of endpoint tools and client extensions or to start an investigation into an existing error, ask a question using the Endpoint Configuration - Tools Status, Client Extensions - Status, or [Module] - Tools Version sensor.
The results of these questions help to identify endpoints with errors and provide a starting point to deploy actions that might help correct the issue. Drill down as necessary to investigate results that indicate errors.
Consider whether endpoints with errors share common characteristics, such as operating system, domain or organization unit, or the antivirus software that is installed.
Target one or more endpoints with errors, and uninstall tools that report errors without blocking reinstallation: see Troubleshooting Endpoint Configuration.
When you perform a hard uninstallation of some tools, such as Recorder or Index, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data, such as recorded events (in the case of Recorder) or file indexes (in the case of Index). If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool. To help determine what data a tool stores on endpoints, go to https://docs.tanium.com/ and review the documentation for the tool or for the Tanium solution that installed it, and contact Tanium Support for additional help.
Wait for automatic reinstallation of the tool. If the reinstallation does not resolve the issue, continue to the next step.
- Ask a question using the Endpoint Configuration - Tools Status Details sensor, and include filters to limit the results to the tool that you are investigating. For example:
Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Deploy from all machines with Endpoint Configuration - Tools Status:Tool Name contains Deploy
Review the columns in the results for specific information about errors. The following table provides guidance for some common error conditions:
Error condition: No error appears, but an available new version has not been installed
Possible resolution:
Review the Targeted Version column to make sure that the endpoint has received the latest manifest. If the targeted version does not yet show the updated version, the manifest has not updated on the endpoint, usually for one of the following reasons:
- The manifest update is still pending. Either wait for the manifest to update and then review the results again, or follow the steps in Verify and manually update the Endpoint Configuration manifest.
- Action lock is enabled on the endpoint. Follow the steps in Verify and manually update the Endpoint Configuration manifest to identify endpoints with action lock turned on.
- The solution that installs the tool is no longer installed, or it is no longer targeting the endpoint. In some cases, a solution might stop targeting an endpoint because it no longer needs the endpoint for a particular workload. For example, if an endpoint is being used in a level 4 distributed scan in Discover, and peer endpoints appear with adjacent IP addresses, Discover no longer needs the original endpoint for the level 4 scan and no longer targets it. Consider whether the solution that installs the tool should still target the endpoint:
- If it is expected or intentional that the solution no longer targets the endpoint, you can optionally uninstall the tool: see Troubleshooting Endpoint Configuration.
- If the solution should still target the endpoint, make sure that the action group for the solution that installs the tool includes the endpoint, and make sure the solution targets the endpoint in any expected configurations or profiles. Then, either wait for the manifest to update and then review the results again, or follow the steps in Verify and manually update the Endpoint Configuration manifest.
Error condition: Installation Blocker: Unmet Dependencies: [Tool name]
Possible resolution: If no Failure Message or Failure Step appears, the endpoint might be waiting for the dependencies to install. Wait to see if the condition resolves on its own. If this condition remains for an extended period, ask the question again and review any error information in other columns, especially the Failing Dependency column.
Error condition: Failing Dependency: [Tool name]
Possible resolution:
Ask the question: Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains [Tool name] from all machines with Endpoint Configuration - Tools Status:Tool Name contains [Tool name]
Investigate further errors with the tool.
If the dependency has not been installed on an endpoint, ask the question: Get Endpoint Configuration - Tools Retry Status from all machines with Computer Name equals Computer_Name to review the retry status for the tool installation. For more information, see Review tool installations that are scheduled for a retry.
Error condition: Manually Blocked: blocked
Possible resolution: The tool was previously blocked, either manually or during a previous uninstallation. Unblock the tool: see Troubleshooting Endpoint Configuration.
Review the Extensions logs on the endpoint. Take note of entries that include fail or error: see Review the Extensions log for an endpoint.
For additional help,
Check the manifest revision in Tanium Cloud or on the Tanium Server
From the Endpoint Configuration menu, go to Overview.
In Interact, ask the question: Get Endpoint Configuration - Manifest Metadata?maxAge=60 and Action Lock Status from all machines
Optionally add filters to the question to check the manifest revision on specific endpoints.
Use the maxAge=60 option for this question to return the latest results that are available.
Review the Revision column and note versions that are different from the manifest in Tanium Cloud or on the server. Drill down as necessary.
Sort the Question Results grid by Revision to list the versions in descending numerical order, which makes it easier to identify endpoints with an earlier manifest version.
If the Action Lock Status column indicates that action lock is on for any endpoints that do not have the latest manifest:
Consult whoever turned on the action locks to verify that it is now safe to run actions on those endpoints.
Perform one of the following tasks:
Disable action locks on the endpoints that require an updated manifest. See Tanium Console User Guide: Turn off action locks.
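The revision check described above, as an added example that is not part of the Tanium documentation: it reads the question results exported as CSV and separates endpoints with an earlier manifest revision by whether action lock is on, so that locked endpoints go to their owners for sign-off before anything is deployed. The CSV layout, the sample rows, the expected revision number and the "Action Lock On"/"Action Lock Off" values are assumptions; only the Revision and Action Lock Status column names come from this page.

```python
import csv
import io

# Constructed sample of exported question results. The column names follow the
# Revision and Action Lock Status columns named above; the CSV layout and the
# "Action Lock On"/"Action Lock Off" values are assumptions.
SAMPLE_EXPORT = """Computer Name,Revision,Action Lock Status
ws-001.example.test,412,Action Lock Off
ws-002.example.test,409,Action Lock On
srv-010.example.test,412,Action Lock Off
srv-011.example.test,398,Action Lock Off
ws-003.example.test,[no results],Action Lock Off
"""


def triage_manifest(export_text, expected_revision, lock_on_value="Action Lock On"):
    """Split endpoints into current, stale-and-locked, stale-and-unlocked, unknown."""
    report = {"current": [], "stale_locked": [], "stale_unlocked": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["Computer Name"].strip()
        revision = row["Revision"].strip()
        if not revision.isdigit():
            # No numeric revision reported: investigate instead of guessing.
            report["unknown"].append(name)
            continue
        if int(revision) >= expected_revision:
            report["current"].append(name)
            continue
        # Exact match on the lock value; a substring test would misfire
        # because the word "Action" itself contains "on".
        locked = row["Action Lock Status"].strip().lower() == lock_on_value.lower()
        bucket = "stale_locked" if locked else "stale_unlocked"
        report[bucket].append((name, int(revision)))
    # Oldest manifest first, so the endpoints furthest behind are reviewed first.
    for bucket in ("stale_locked", "stale_unlocked"):
        report[bucket].sort(key=lambda item: item[1])
    return report


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_EXPORT, expected_revision=412)
    for bucket, endpoints in result.items():
        print(f"{bucket}: {endpoints}")
```

Endpoints in stale_unlocked are candidates for the manual manifest update; endpoints in stale_locked need the action lock question resolved first.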
Manually update the manifest on endpoints
Ask a question to target endpoints that require a manifest update, or start from the results that the steps in Check the manifest version on endpoints returned.
- Select the results for the endpoints you want to target, and click Deploy Action.
For the Deployment Package, select Endpoint Configuration - Manifest [Windows] or Endpoint Configuration - Manifest [Non-Windows], depending on the endpoints you are targeting.
- Click Show preview to continue.
A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.
If the manifest update fails, investigate environmental factors, such as security exclusions, file locks, CPU usage, RAM usage, and disk failures. For additional help, contact Tanium Support.
Use Client Management to directly connect to an endpoint and view and download extension logs.
From the Main menu, go to Administration > Shared Services > Client Management.
From the Client Management menu, click Client Health.
In the Direct Connect search box, enter all or part of an IP address or a computer name.
Matching results are displayed after the search completes.
- From the search results, click the computer name to connect to the endpoint.
Click the Logs tab, and select an extensions[#].log file.
- (Optional) To download the log, click Download.
For additional help,
Uninstalling Endpoint Configuration affects all Tanium solutions. Contact Tanium Support before you uninstall Endpoint Configuration.
Endpoint Configuration is uninstalled with Client Management. For more information, see Uninstall Client Management.
To contact Tanium Support for help, send an email to [email protected].
Last updated: 1/30/2023 4:46 PM