Troubleshooting Impact

Tanium as a Service is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium as a Service Deployment Guide: Troubleshooting Tanium as a Service.

To collect and send information to Tanium for troubleshooting, collect logs and other relevant information.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

  1. From the Impact Overview page, click Help , then the Troubleshooting tab.
  2. Click Download Support Package.
    A impact-support.[timestamp].zip file downloads to the local download directory.
  3. Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium Support.

Troubleshoot unresolved SIDs

If the domain for an endpoint is not configured in Impact, you might see assets with an [unresolved] state.

  1. To determine which domains are not configured, mouse over the [unresolved] asset to view the security identifier (SID).

    The SID issuing authority, also known as the domain SID, is the portion of the SID before the RID (relative identifier, the digits after the last dash).

  2. In Interact, ask the question Get Impact - Computer Domain SID and AD Domain from all machines with Domain Member contains true and compare the results to the SID shown for the [unresolved] asset.

    In the question results, find the SID that is associated with the [unresolved] assets in Impact.

  3. The AD Domain column of the question results shows the name of the domain for which Impact could not resolve assets.
  4. Verify the domain is configured in Impact. For more information, see Configure connections to domainsConfigure connections to domains.
  5. Verify that the specified account has sufficient permissions. For more information, see Active Directory user account.
  6. After all domains are configured and permissions are validated, verify that a successful data collection and sync completes. You can see the latest status in the Activity section of the Impact Overview page.

Monitor and troubleshoot Impact Coverage

The following table lists contributing factors into why the Impact coverage metric might report endpoints as Needs Attention or Unsupported, and corrective actions you can make.

Contributing factor Corrective action
Domain is not configured properly
  • Impact only includes data from endpoints for which the domain controller can be reached. Ensure that the domain is configured correctly in the Domains configuration in the Impact settings, and that all of your domains are covered and configured correctly.
  • In the Domains configuration, verify all domain connections. The verification process includes a network connection test and verifies the provided credentials.
  • Make sure the provided account has permissions to read Active Directory information.
Python tools are not installed
  • The Impact sensors are written in Python and require the Tanium Python Tools to be deployed to the endpoints.
  • Verify that all endpoints have the latest version of the Tanium Python Tools installed using the following sensor: Get Python - Tools Version from all machines with Operating System contains windows
  • Deploy the Distribute Python - Tools [Windows] package to any endpoints that return Windows Package Required.

Remove Impact tools from endpoints

You can deploy an action to remove Impact tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the computers from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is <OS> equals True , for example: 
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals True
  2. In the results, select the row for Impact, drill down as necessary, and select the targets from which you want to remove Impact tools. For more information, see Tanium Interact User Guide: Managing question results.
  3. Click Deploy Action.
  4. On the Deploy Action page, enter Endpoint Configuration - Uninstall in the Enter package name here box, and select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Impact.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Re-installation occurs almost immediately.

    If reinstallation is blocked on an endpoint, you must deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints) before the tools can be reinstalled.

  7. (Optional) To remove all Impact databases and logs from the endpoints, clear the selection for Soft uninstall.

  8. (Optional) To also remove any tools that were dependencies of the Impact tools that are not dependencies for tools from other modules, select Remove unreferenced dependencies.

  9. Click Show preview to continue.
  10. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Impact

  1. From the Main menu, click Administration > Configuration > Solutions.
  2. In the Impact section, click Uninstall.
  3. Review the content that will be removed and click Uninstall.
  4. Depending on your configuration, enter your password or click Yes to start the uninstall process.
  5. Return to the Solutions page and verify that the Import button is available for Impact.

The uninstall process does not remove the Impact action group. If you are sure that this action group is not used by another solution, you can manually remove it. If you uninstall Impact, do not remove the computer group, and later reinstall Impact, the action group target remains set to the original computer group.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.