Reference: Common health check issues
Review common Client Index Extension health check issues and possible solutions.
Exception trying to start scan. Check extensions log.
Cause
This health check appears when Client Index Extension cannot start scanning. When this health check displays, it is not possible to receive data from Client Index Extension. This health check is cleared on client reset, after 4 hours.
Modules where this health check occurs
This health check can occur in Integrity Monitor, Reveal, and Threat Response.
Solution
To troubleshoot this health check, search the extensions log for "exception trying to start scan" to identify the cause of the error. To contact Tanium Support for help, send an email to [email protected].
Scan completion took longer than configured scan interval. Maybe under spec or subscription misconfigured?
Cause
This health check appears when an Index scan exceeds the configured scan interval.
Modules where this health check occurs
This health check can occur in Integrity Monitor, Reveal, and Threat Response.
Solution
Ensure that all endpoints meet the system requirements for the Client Index Extension and that the subscription is configured properly. Add exclusions in Index, change scan frequency to give more time to scan, or increase the amount of CPU allocated to client extensions. An upgrade to Tanium Client Management version 1.10 is recommended.
For Integrity Monitor: Select Integrity Monitor > All Monitors > Edit Monitor > Index Scan Frequency to increase the scan frequency in the monitor and edit the watched path (for example, C:/). Then select Integrity Monitor > Watchlists > (choose watchlist with C:/) and add exclusions via regex.
For Reveal: Select Reveal > Profiles > Edit Profile > Tanium Index Subscription Settings > Tanium Index Scan Frequency to increase the scan frequency.
For Threat Response: Select Threat Response > Settings > Misc > High Priority Path Scanning for Index Configurations to increase the scan frequency.
Not all High Priority paths were successfully registered with recorder.
Cause
This health check appears when the recorder has not received the configuration of what Index should scan.
Modules where this health check occurs
This health check can occur in Threat Response.
Solution
This health check can occur when there is an error with Recorder, or one or more configuration issues. This health check can indicate a benign issue or can be indicative of a complete error. Refer to the troubleshooting documentation for Threat Response to gather logs, and contact Tanium Support for help. To contact Tanium Support, send an email to [email protected].
Subscription has dropped journals.
Cause
This health check appears when Index is unable to send file change notifications to Integrity Monitor, because Integrity Monitor is not processing events. This health check can occur any time Index is pushing a file change notification to Integrity Monitor.
Modules where this health check occurs
This health check can occur in Integrity Monitor.
Solution
Investigate the health of IMCX. This could indicate that the recipient CX is not responding and that data is not being cleared. To contact Tanium Support for help, send an email to [email protected].
Not executing scans due to disk space health check.
Cause
This health check appears when Index is no longer indexing because the amount of disk space is below the critical threshold, which by default is 1%. This health check appears when Index receives a disk space health event from cx-core. Cx-core checks the available disk space on the endpoint once every five minutes.
Modules where this health check occurs
This health check can occur in Integrity Monitor, Reveal, and Threat Response.
Solution
Modify the value of the CX.core.DiskSpaceWarningPercent and CX.core.DiskSpaceCriticalPercent settings to a lower threshold. You cannot set these values to 0% to disable these settings.
Dropped high priority path events from recorder.
Cause
This health check appears when Index cannot process events from recorder quickly enough, and has ignored some of those events.
Modules where this health check occurs
This health check can occur in Integrity Monitor and Threat Response.
Solution
The endpoint is overwhelmed and does not have enough resources to catch and process all the events, or the watchlist needs to be tuned to lower the volume of events coming in.
Last updated: 5/30/2023 12:10 PM