Reference: Endpoint monitoring status errors

Standard cross-platform endpoint status error messages

The correlation engine is the process that Integrity Monitor runs on endpoints to manage events. The rules engine is the process that Integrity Monitor runs on endpoints to apply rules to events.

Correlation Engine - Error: Correlation Engine potentially hung

The correlation engine process is running but has not written to the database recently and might not be responding.

The process automatically restarts itself within ten minutes. To restart the process immediately, deploy the Integrity Monitor Endpoint Process Start [OS] action.

Correlation Engine - Error: Correlation Engine not running

The correlation engine process is enabled but is not running.

This is often a temporary state after a reboot or after deploying the Integrity Monitor - Tools [OS] action. The process should automatically start within ten minutes. If the problem persists, deploy the Integrity Monitor Endpoint Process Start [OS] action to start the process.

Correlation Engine - Error: Correlation Engine is disabled

The correlation engine process was manually disabled.

Deploy the Integrity Monitor Enable or Disable Endpoint Process [OS] action to re-enable the process.

Index - Error: Tanium Index is not running (This message is reported only when the monitor is using hash monitoring.)

Index is not running.

Make sure the correlation engine process is running. (Index might take up to five minutes to start after the correlation engine process starts.) If the problem persists, contact Tanium Support.

Recorder - Error: Tanium Driver requires system reboot

The Tanium Event Recorder Driver was installed, but the endpoint has not been restarted. Windows registry events cannot be recorded until the endpoint has been rebooted. (File event recording will continue to function normally regardless of whether the endpoint is restarted.)

Restart the endpoint to enable the Tanium Event Recorder Driver.

Recorder - Error: Recorder not installed / Install Needed: Recorder not installed (Both messages appear together.)

The Client Recorder Extension is not installed.

Deploy the Integrity Monitor - Tools [OS] action to install the recorder. For more information about working with the recorder, see the Tanium Client Recorder Extension User Guide.

Recorder - Error: Client Recorder Extension 2.0 previously installed but is no longer installed

The Client Recorder Extension was installed but is not running or was uninstalled.

Deploy the Integrity Monitor - Tools [OS] action to reinstall the recorder. If the error still occurs, contact Tanium Support.

Recorder - Error: System minimum requirements not met to enable features: Single CPU detected. Not loading rules (This message is reported only if you are using Recorder 2.3 or later.)

The Client Recorder Extension 2.3 and later requires a minimum of two CPUs per endpoint.

The recorder cannot be used on single-core endpoints. Deploy a monitor that is configured to use only hash monitoring to the endpoint.

Rules Engine - Error: Rules Engine potentially hung

The rules engine process has not written to the database recently and might not be responding.

The process automatically restarts itself within ten minutes. To restart the process immediately, deploy the Integrity Monitor Endpoint Process Start [OS] action.

Rules Engine - Error: Rules Engine not running

The rules engine process is enabled but is not running.

This is often a temporary state after a reboot or after deploying the Integrity Monitor - Tools [OS] action. The process should automatically start within ten minutes. If the problem persists, deploy the Integrity Monitor Endpoint Process Start [OS] action to start the process.

Rules Engine - Error: Rules Engine is disabled

The rules engine process was manually disabled.

Deploy the Integrity Monitor Enable or Disable Endpoint Process [OS] action to re-enable the process.

Rules Engine - Error: Rules Engine in failed state

The rules engine had an internal failure and is not performing its full function.

The process automatically restarts itself within ten minutes. To restart the process immediately, deploy the Integrity Monitor Endpoint Process Start [OS] action. If the error still occurs, contact Tanium Support.

Standard Windows-specific endpoint status error messages

Recorder - Error: Missing "TaniumSystemMonitor" from Event Tracing sessions / Install Needed: Missing "TaniumSystemMonitor" from Event Tracing sessions (Both messages appear together.)

The recorder is not registered with Event Tracing for Windows (ETW). No events will be recorded.

Make sure that the Tanium Client is running with appropriate credentials, and restart the recorder by deploying the Recorder - Disable Recorder Extension [OS] action, followed by the Recorder - Enable Recorder Extension [OS] action.

Recorder - Error: Event Tracing for Windows checks timed out

Integrity Monitor could not determine if the recorder was correctly registered with ETW. The recorder might miss events in this state.

Make sure that the Tanium Client is running with appropriate credentials, and restart the recorder by deploying the Recorder - Disable Recorder Extension [OS] action, followed by the Recorder - Enable Recorder Extension [OS] action.

Recorder - Error: File permission auditing is disabled

The Audit File System permission is not set correctly on the endpoint.

For steps to configure the necessary permission, see Installing Integrity Monitor: Prepare Endpoints.

Standard Linux-specific endpoint status error messages

Recorder - Error: im_recorder.json file not found / Install Needed: im_recorder.json file not found (Both messages appear together.)

A necessary configuration file for the recorder is missing.

Deploy the Integrity Monitor - Tools [Linux] action to restore the configuration file.

Recorder - Error: The "service" binary is not installed on this system. Please install it first.

The recorder cannot run because the system is missing the standard Linux service binary file.

Install the service binary.

Recorder - Error: auditd is not installed on this system. Please install first.

The recorder cannot run because the system is missing the auditd package.

Install the auditd package.

Recorder - Error: auditd raw logging is enabled

Raw logging is enabled in auditd.conf, which might reduce performance and prevent audit rules from loading.

Unless the system has excess resources and raw logging is necessary for other applications, consider disabling raw logging to improve performance. To disable raw logging, deploy the Recorder - Disable Raw Logging [Linux] action.

Recorder - Error: systemd raw logging is enabled

Raw logging is enabled for systemd, which might reduce performance and prevent audit rules from loading.

Unless the system has excess resources and raw logging is necessary for other applications, consider disabling raw logging to improve performance. To disable raw logging, deploy the Recorder - Disable Raw Logging [Linux] action.

Recorder - Error: Trouble loading recorder audit rules ("key=TaniumRecorder" missing from "auditctl -l" output)

Recorder auditd rules are not configured correctly. Audit rules might not be loaded if raw logging is enabled. No events will be recorded.

Deploy the Recorder - Disable Raw Logging [Linux] action to disable raw logging. If the problem persists, contact Tanium Support.

Integrity Monitor - Error: Python Core Library for Tanium not installed / Tools Install Required: Python Core Library for Tanium not installed (Both messages appear together.)

The Python Core Library for Tanium is missing.

Deploy the Integrity Monitor - Tools [Linux] action to install the latest tools.

Tools Install Required: Updated status sensor not installed

The latest version of the status sensor is not installed.

Deploy the Integrity Monitor - Tools [Linux] action to install the latest tools with the updated status sensor.
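
The Linux recorder messages above can be confirmed directly on an endpoint before any action is deployed. The following shell check is an added example, not Tanium code: it looks for the "service" binary and auditctl, searches an "auditctl -l" listing for the TaniumRecorder key, and inspects auditd.conf. The function names, the sample input, and the reading of "raw logging" as the auditd.conf setting log_format = RAW are assumptions.

```shell
#!/bin/sh
# Added example: local checks behind the Linux recorder status messages.

# Succeeds if the `auditctl -l` listing on stdin has a TaniumRecorder-keyed rule.
# auditctl prints syscall rules with "-F key=NAME" and watch rules with "-k NAME".
has_recorder_rules() {
    grep -Eq -- '(^|[[:space:]])(-F[[:space:]]+key=|-k[[:space:]]+)TaniumRecorder'
}

# Succeeds if the auditd.conf at $1 has an uncommented "log_format = RAW".
# Assumption: this is the setting behind the "raw logging is enabled" message.
raw_logging_enabled() {
    sed -e 's/#.*//' "$1" 2>/dev/null |
        grep -Eiq '^[[:space:]]*log_format[[:space:]]*=[[:space:]]*raw[[:space:]]*$'
}

# Lists required binaries absent from PATH (empty output = all present).
# auditctl stands in here for the auditd package.
missing_binaries() {
    for bin in service auditctl; do
        command -v "$bin" >/dev/null 2>&1 || echo "$bin"
    done
}

# stdin: rule listing, $1: auditd.conf path. Prints findings; returns 1 if any.
recorder_precheck() {
    rc=0
    if ! has_recorder_rules; then
        echo 'no rule with key=TaniumRecorder: no events will be recorded'; rc=1
    fi
    if raw_logging_enabled "$1"; then
        echo "log_format = RAW in $1: audit rules might not load"; rc=1
    fi
    return "$rc"
}

# Constructed sample input, not captured from a real endpoint.
SAMPLE_RULES='-a always,exit -F arch=b64 -S execve -F key=TaniumRecorder
-w /etc/passwd -p wa -k identity'
SAMPLE_CONF=$(mktemp)
printf 'log_file = /var/log/audit/audit.log\nlog_format = RAW\n' > "$SAMPLE_CONF"

missing_binaries
printf '%s\n' "$SAMPLE_RULES" | recorder_precheck "$SAMPLE_CONF" || true
# On an endpoint (as root): auditctl -l | recorder_precheck /etc/audit/auditd.conf
```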