Troubleshooting Impact

To collect and send information to Tanium for troubleshooting, collect logs and other relevant information.

Collect logs

Upgrade Impact

Impact 2.0 or later requires the installation of Tanium Directory Query and Tanium Criticality. Additionally, you must install Directory Query first, followed by Criticality, and then Impact, in that order.

In Impact 2.0 or later, the steps required to configure the service account are no longer necessary due to the adoption of the System User Service, which performs these tasks automatically. Additionally, the Impact database is migrated to RDB in this release. Consequently, after upgrading to Impact 2.0 or later, it might take time for the database migration to complete and for RBAC privileges and other updates to sync properly. This migration could lead to issues and error messages when you first query the Tanium Console. These issues should resolve on their own after a few minutes, but could take up to an hour or longer depending on system resources and the amount of data to migrate.

Troubleshoot unresolved SIDs

If the domain for an endpoint is not configured in Directory Query, you might see assets on the Sync Warnings page with unresolved SIDs.

1. From the Main menu, go to Impact > Sync Warnings.
2. For each asset with an unresolved SID type, click Interact to view more information about the asset.
3. The AD Domain column of the question results shows the name of the domain for which Impact could not resolve assets.
4. Verify the domain is configured in Directory Query. For more information, see Tanium Directory Query User Guide: Managing connections to directory servers.
5. Verify that the specified account has sufficient permissions. For more information, see Impact requirementsTanium Directory Query User Guide: Active Directory user account.
6. After all domains are configured and permissions are validated, verify that a successful data collection and sync completes. You can see the latest status in the Activity section of the Impact Overview page.

   Run a sync in Tanium Criticality before running a sync in Impact.

Monitor and troubleshoot Impact Coverage

The following table lists contributing factors into why the Impact coverage metric might report endpoints as Needs Attention or Unsupported, and corrective actions you can make.

Contributing factor	Corrective action
Domain is not configured properly	Impact only includes data from endpoints for which the domain controller can be reached. Ensure that the domain is configured correctly in the Domains configuration in the Impact settings, and that all of your domains are covered and configured correctly. In the Domains configuration, verify all domain connections. The verification process includes a network connection test and verifies the provided credentials. Make sure the provided account has permissions to read Active Directory information.
Python tools are not installed	The Impact sensors are written in Python and require the Tanium Python Tools to be deployed to the endpoints. Verify that all endpoints have the latest version of the Tanium Python Tools installed using the following sensor: Get Python - Tools Version from all machines with Operating System contains windows Deploy the Distribute Python - Tools [Windows] package to any endpoints that return Windows Package Required.

Identify and resolve issues with client extensions

Use the following steps to troubleshoot issues with the client extensions that Impact installs and uses. During troubleshooting, consider environmental factors such as security exclusions, file locks, CPU usage, RAM usage, and disk failures.

To review the client extensions that Impact installs and uses, see Client extensions.

1. To review the health of client extensions or to start an investigation into an existing error, ask a question using the Client Extensions - Status or Impact - Tools Version sensor.

   The results of these questions help to identify endpoints with errors and provide a starting point to deploy actions that might help correct the issue. Filter the results and drill down as necessary to investigate results that indicate errors.

   Consider whether endpoints with errors share common characteristics, such as operating system, domain or organization unit, or the antivirus software that is installed.

2. Target one or more endpoints with errors, and uninstall tools that report errors without blocking reinstallation: see Remove Impact tools from endpoints and Endpoint Configuration User Guide: Uninstall a tool installed by Endpoint Configuration.

   When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

   Wait for automatic reinstallation of the tool. If the reinstallation does not resolve the issue, continue to the next step.

3. Ask a question using the Endpoint Configuration - Tools Status Details sensor, and include filters to limit the results to the tool that you are investigating. For example:

   Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Impact from all machines with Endpoint Configuration - Tools Status:Tool Name contains Impact

   Review the columns in the results for specific information about errors. The following table provides guidance for some common error conditions:

   Error Condition	Possible Resolution
   No error appears, but an available new version has not been installed	Review the Targeted Version column to make sure that the endpoint has received the latest manifest. If the targeted version does not yet show the updated version, the Endpoint Configuration manifest has not updated on the endpoint, usually for one of the following reasons: The manifest update is still pending. Either wait for the manifest to update and then review the results again, or follow the steps in Endpoint Configuration User Guide: Verify and manually update the Endpoint Configuration manifest. Action lock is enabled on the endpoint. Follow the steps in Endpoint Configuration User Guide: Verify and manually update the Endpoint Configuration manifest to identify endpoints with action lock turned on. Impact is no longer installed, or it is no longer targeting the endpoint. In some cases, Impact might stop targeting an endpoint because it no longer needs the endpoint for a particular workload. Consider whether Impact should still target the endpoint: If it is expected or intentional that Impact no longer targets the endpoint, you can optionally uninstall Impact tools and dependencies: see Remove Impact tools from endpoints. If Impact should still target the endpoint, make sure that the Impact action group includes the endpoint, and make sure Impact targets the endpoint in any expected configurations or profiles. Then, either wait for the manifest to update and then review the results again, or follow the steps in Endpoint Configuration User Guide: Verify and manually update the Endpoint Configuration manifest.
   Installation Blocker:Unmet Dependencies: [Tool name]	If no Failure Message or Failure Step appears, the endpoint might be waiting for the dependencies to install. Wait to see if the condition resolves on its own. If this condition remains for an extended period, ask the question again and review any error information in other columns, especially the Failing Dependency column.
   Failing Dependency:[Tool name]	Ask the question: Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains [Tool name] from all machines with Endpoint Configuration - Tools Status:Tool Name contains [Tool name] Investigate further errors with the tool. If the dependency has not been installed on an endpoint, ask the question: Get Endpoint Configuration - Tools Retry Status from all machines with Computer Name equals Computer_Name to review the retry status for the tool installation. For more information, see Endpoint Configuration User Guide: Review tool installations that are scheduled for a retry.
   Manually Blocked:blocked	The tool was previously blocked, either manually or during a previous uninstallation. Unblock the tool: see Endpoint Configuration User Guide: Block or unblock tools from installing on an endpoint.

4. Review the Extensions logs on the endpoint. Take note of entries that include fail or error: see Review the Extensions log for an endpoint.

For additional help, collect all logs for Impact, and contact Tanium Support.

Review the Extensions log for an endpoint

Use Client Management to directly connect to an endpoint and view and download extension logs.

1. From the Main menu, go to Administration > Shared Services > Client Management.

2. From the Client Management menu, click Client Health.

3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

   Matching results are displayed after the search completes.

4. From the search results, click the computer name to connect to the endpoint.

5. Click the Logs tab, and select an extensions[#].log file.

6. (Optional) To download the log, click Download.

For additional help, collect all logs for Impact, and contact Tanium Support.

Remove Impact tools from endpoints

You can deploy an action to remove Impact tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

1. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
   Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
2. In the results, select the row for Impact, drill down as necessary, and select the targets from which you want to remove Impact tools. For more information, see Tanium Interact User Guide: Drill Down.
   
3. Click Deploy Action.
4. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.

5. For Tool Name, select Impact.

6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Re-installation occurs almost immediately.

   If reinstallation is blocked, you must unblock it manually:

   • To allow Impact to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

   • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

7. (Optional) To remove all Impact databases and logs from the endpoints, clear the selection for Soft uninstall.

   When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

8. (Optional) To also remove any tools that were dependencies of the Impact tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

9. (Optional) In the Deployment Schedule section, configure a schedule for the action.

   If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

10. Click Show preview to continue.

11. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Impact

1. From the Main menu, click Administration > Configuration > Solutions.
2. In the Impact section, click Uninstall.
3. Review the content that will be removed and click Uninstall.
4. Depending on your configuration, enter your password or click Yes to start the uninstall process.
5. Return to the Solutions page and verify that the Import button is available for Impact.

The uninstall process does not remove the Impact action group. If you are sure that this action group is not used by another solution, you can manually remove it. If you uninstall Impact, do not remove the computer group, and later reinstall Impact, the action group target remains set to the original computer group.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.