Troubleshooting Impact
Tanium Cloud is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium Cloud Deployment Guide: Troubleshooting Tanium Cloud.
To collect and send information to Tanium for troubleshooting, collect logs and other relevant information.
Collect logs
The information is saved as a ZIP file that you can download with your browser. The ZIP file contains the following files:
- must-gather.log: Entries for each file that was collected and included in the support package zip file.
-
version.json: Version number of Impact at the time the support package was collected.
impact.db: All data displayed in the Impact UI, including data synchronized from Active Directory, such as Users, Groups, and Computer objects, along with a subset of their attributes.
- impact-domain-config.db : Active Directory domain configuration information, including the LDAP URL, user, and certificate.
-
impact-sync-events.db: Status of each sync after Impact was installed.
- Service log: Entries for Impact events, including sync process errors. Available in json and plain text formats.
- From the Impact Overview page, click Help
, then the Troubleshooting tab.
- Click Download Support Package.
A impact-support.[timestamp].zip file downloads to the local download directory. - Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium Support.
Troubleshoot satellite synchronization
If satellite synchronization is not working as expected, go to the Impact Overview page, click Settings > Sync Settings, and check for error messages. The following table lists contributing factors into satellite synchronization issues and corrective actions you can make.
Contributing factor or error message | Corrective action |
---|---|
Message on the Sync Settings tab: A domain does not use TLS. Update the domain connection to use TLS. | Edit the domain connection to use TLS. See Configure connections to domains. |
One of the following messages on the Sync Settings tab:
|
Confirm that Direct Connect can connect to the satellite. See Tanium Direct Connect User Guide: Troubleshoot endpoint connection issues. |
Message on the Sync Settings tab: Selected satellites must be Windows endpoints. Select only Windows satellites. | In the Satellite list on the Sync Settings tab, refer to the Operating System column and select a Windows satellite. |
Message on the Sync Settings tab: A satellite does not have the latest version of Direct Connect. Deploy the latest version of Direct Connect to the satellites. |
|
Message on the Sync Settings tab: An error occurred saving sync settings. Try again. | Try again. If that does not work, see Contact Tanium Support. |
Connection issues between the satellite and the Active Directory server. |
See the following Microsoft Documentation articles:
|
Troubleshoot unresolved SIDs
If the domain for an endpoint is not configured in Impact, you might see assets with an [unresolved] state.
- To determine which domains are not configured, mouse over the [unresolved] asset to view the security identifier (SID).
The SID issuing authority, also known as the domain SID, is the portion of the SID before the RID (relative identifier, the digits after the last dash).
- In Interact, ask the question Get Impact - Computer Domain SID and AD Domain from all machines with Domain Member contains true and compare the results to the SID shown for the [unresolved] asset.
In the question results, find the SID that is associated with the [unresolved] assets in Impact.
- The AD Domain column of the question results shows the name of the domain for which Impact could not resolve assets.
- Verify the domain is configured in Impact. For more information, see Configure connections to domainsConfigure connections to domains.
- Verify that the specified account has sufficient permissions. For more information, see Active Directory user account.
- After all domains are configured and permissions are validated, verify that a successful data collection and sync completes. You can see the latest status in the Activity section of the Impact Overview page.
Monitor and troubleshoot Impact Coverage
The following table lists contributing factors into why the Impact coverage metric might report endpoints as Needs Attention or Unsupported, and corrective actions you can make.
Contributing factor | Corrective action |
---|---|
Domain is not configured properly |
|
Python tools are not installed |
|
Identify and resolve issues with client extensions
Use the following steps to troubleshoot issues with the client extensions that Impact installs and uses. During troubleshooting, consider environmental factors such as security exclusions, file locks, CPU usage, RAM usage, and disk failures.
To review the client extensions that Impact installs and uses, see Client extensions.
-
To review the health of client extensions or to start an investigation into an existing error, ask a question using the Client Extensions - Status or Impact - Tools Version sensor.
The results of these questions help to identify endpoints with errors and provide a starting point to deploy actions that might help correct the issue. Filter the results and drill down as necessary to investigate results that indicate errors.
Consider whether endpoints with errors share common characteristics, such as operating system, domain or organization unit, or the antivirus software that is installed.
-
Target one or more endpoints with errors, and uninstall tools that report errors without blocking reinstallation: see Remove Impact tools from endpoints and Endpoint Configuration User Guide: Uninstall a tool installed by Endpoint Configuration.
When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.
Wait for automatic reinstallation of the tool. If the reinstallation does not resolve the issue, continue to the next step.
- Ask a question using the Endpoint Configuration - Tools Status Details sensor, and include filters to limit the results to the tool that you are investigating. For example:
Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Impact from all machines with Endpoint Configuration - Tools Status:Tool Name contains Impact
Review the columns in the results for specific information about errors. The following table provides guidance for some common error conditions:
Error Condition Possible Resolution No error appears, but an available new version has not been installed Review the Targeted Version column to make sure that the endpoint has received the latest manifest. If the targeted version does not yet show the updated version, the Endpoint Configuration manifest has not updated on the endpoint, usually for one of the following reasons:
- The manifest update is still pending. Either wait for the manifest to update and then review the results again, or follow the steps in Endpoint Configuration User Guide: Verify and manually update the Endpoint Configuration manifest.
- Impact is no longer installed, or it is no longer targeting the endpoint. In some cases, Impact might stop targeting an endpoint because it no longer needs the endpoint for a particular workload. Consider whether Impact should still target the endpoint:
- If it is expected or intentional that Impact no longer targets the endpoint, you can optionally uninstall Impact tools and dependencies: see Remove Impact tools from endpoints.
- If Impact should still target the endpoint, make sure that the Impact action group includes the endpoint, and make sure Impact targets the endpoint in any expected configurations or profiles. Then, either wait for the manifest to update and then review the results again, or follow the steps in Endpoint Configuration User Guide: Verify and manually update the Endpoint Configuration manifest.
Installation Blocker:Unmet Dependencies: [Tool name] If no Failure Message or Failure Step appears, the endpoint might be waiting for the dependencies to install. Wait to see if the condition resolves on its own. If this condition remains for an extended period, ask the question again and review any error information in other columns, especially the Failing Dependency column. Failing Dependency:[Tool name] Ask the question: Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains [Tool name] from all machines with Endpoint Configuration - Tools Status:Tool Name contains [Tool name]
Investigate further errors with the tool.
Manually Blocked:blocked The tool was previously blocked, either manually or during a previous uninstallation. Unblock the tool: see Endpoint Configuration User Guide: Block or unblock tools from installing on an endpoint. -
Review the Extensions logs on the endpoint. Take note of entries that include fail or error: see Review the Extensions log for an endpoint.
For additional help,
Review the Extensions log for an endpoint
Use Client Management to directly connect to an endpoint and view and download extension logs.
-
From the Main menu, go to Administration > Shared Services > Client Management.
-
From the Client Management menu, click Client Health.
-
In the Direct Connect search box, enter all or part of an IP address or a computer name.
Matching results are displayed after the search completes.
- From the search results, click the computer name to connect to the endpoint.
-
Click the Logs tab, and select an extensions[#].log file.
- (Optional) To download the log, click Download.
For additional help,
Remove Impact tools from endpoints
You can deploy an action to remove Impact tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.
- In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true - In the results, select the row for Impact, drill down as necessary, and select the targets from which you want to remove Impact tools. For more information, see Tanium Interact User Guide: Drill Down.
- Click Deploy Action.
- For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
-
For Tool Name, select Impact.
-
(Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Re-installation occurs almost immediately.
If reinstallation is blocked, you must unblock it manually:
-
To allow Impact to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).
-
If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.
-
-
(Optional) To remove all Impact databases and logs from the endpoints, clear the selection for Soft uninstall.
When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.
-
(Optional) To also remove any tools that were dependencies of the Impact tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.
-
(Optional) In the Deployment Schedule section, configure a schedule for the action.
If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.
- Click Show preview to continue.
-
A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.
If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.
Uninstall Impact
- From the Main menu, click Administration > Configuration > Solutions.
- In the Impact section, click Uninstall.
- Review the content that will be removed and click Uninstall.
- Depending on your configuration, enter your password or click Yes to start the uninstall process.
- Return to the Solutions page and verify that the Import button is available for Impact.
The uninstall process does not remove the Impact action group. If you are sure that this action group is not used by another solution, you can manually remove it. If you uninstall Impact, do not remove the computer group, and later reinstall Impact, the action group target remains set to the original computer group.
Contact Tanium Support
To contact Tanium Support for help, sign in to https://support.tanium.com.
Last updated: 5/10/2022 1:06 PM | Feedback