Reference: Endpoint monitoring health check errors

Standard cross-platform endpoint health check error messages

Scan completion took longer than configured scan interval. Maybe under spec or subscription misconfigured? Scan:integrity_monitor.watched_paths:<path>

The indicated scan took longer than the Index Scan Frequency configured for the monitor that is deployed to the endpoint. This might be a temporary condition because of other processes running on the endpoint.

Make sure that the endpoint meets the minimum system requirements for Integrity Monitor, review other processes that run on the endpoint, and increase the interval that is specified for the Index Scan Frequency setting as necessary in the monitor that is deployed to the endpoint: see Create or edit a monitor.

subscription has dropped events: <Recorder/Index/Integrity-monitor.journal>

The endpoint did not have sufficient resources to capture all events. This might be a temporary condition because of other processes running on the endpoint, or watchlists that are deployed to the endpoint might result in an excessive number of recorded events.

Make sure that the endpoint meets the minimum system requirements for Integrity Monitor, review other processes that run on the endpoint, and tune watchlists to reduce events that you do not need to record: see Add and edit paths.

Dropped high priority path events from recorder

The endpoint did not have sufficient resources to capture all events. This might be a temporary condition because of other processes running on the endpoint, or watchlists that are deployed to the endpoint might result in an excessive number of recorded events.

Make sure that the endpoint meets the minimum system requirements for Integrity Monitor, review other processes that run on the endpoint, and tune watchlists to reduce events that you do not need to record: see Add and edit paths.

Recorder - Error: Tanium Driver requires system reboot

The Tanium Event Recorder Driver was installed, but the endpoint has not been rebooted. After the driver is first installed on a targeted endpoint, you must reboot that endpoint before Integrity Monitor can record process and user information associated with file and registry operations.

Reboot the endpoint to enable the Tanium Event Recorder Driver.

Recorder - Error: Recorder not installed / Install Needed: Recorder not installed (Both messages appear together.)

The Client Recorder Extension is not installed.

Use the Redeploy monitors action to attempt reinstallation of the recorder: see Deploy monitors. For more information about working with the recorder, see Tanium Client Recorder Extension User Guide.

Recorder - Error: Client Recorder Extension 2.0 previously installed but is no longer installed

The Client Recorder Extension was installed but is not running or was uninstalled.

Use the Redeploy monitors action to attempt reinstallation of the recorder: see Deploy monitors. If the error still occurs, contact Tanium Support.

Recorder - Error: System minimum requirements not met to enable features: Single CPU detected. Not loading rules (This message is reported only if you are using Recorder 2.3 or later.)

The Client Recorder Extension 2.3 and later requires a minimum of two CPUs per endpoint.

The recorder cannot be used on single-core endpoints. Deploy to the endpoint a monitor that has the Collect process and user attribution information setting disabled: see Create or edit a monitor.

Standard Windows-specific endpoint health check error messages

Recorder - Error: Missing "TaniumSystemMonitor" from Event Tracing sessions / Install Needed: Missing "TaniumSystemMonitor" from Event Tracing sessions (Both messages appear together.)

The recorder is not registered with Event Tracing for Windows (ETW). No events will be recorded.

Make sure that the Tanium Client is running with appropriate credentials, and restart the recorder by deploying the Recorder - Disable Recorder Extension [OS] action, followed by the Recorder - Enable Recorder Extension [OS] action.

Recorder - Error: Event Tracing for Windows checks timed out

Integrity Monitor could not determine if the recorder was correctly registered with ETW. The recorder might miss events in this state.

Make sure that the Tanium Client is running with appropriate credentials, and restart the recorder by deploying the Recorder - Disable Recorder Extension [OS] action, followed by the Recorder - Enable Recorder Extension [OS] action.

Recorder - Error: File permission auditing is disabled

The Audit File System permission is not set correctly on the endpoint.

For steps to configure the necessary permission, see Prepare Endpoints.

Standard Linux-specific endpoint health check error messages

Recorder - Error: im_recorder.json file not found / Install Needed: im_recorder.json file not found (Both messages appear together.)

A necessary configuration file for the recorder is missing.

Use the Redeploy monitors action to reinstall the recorder and restore the configuration file: see Deploy monitors.

Recorder - Error: The "service" binary is not installed on this system. Please install it first.

The recorder cannot run because the system is missing the standard Linux service binary file.

Install the service binary.

Recorder - Error: auditd is not installed on this system. Please install first.

The recorder cannot run because the system is missing the auditd package.

Install the auditd package.

Recorder - Error: auditd raw logging is enabled

Raw logging is enabled in auditd.conf, which might reduce performance and prevent audit rules from loading.

Unless the system has excess resources and raw logging is necessary for other applications, consider disabling raw logging to improve performance. To disable raw logging, deploy the Recorder - Disable Raw Logging [Linux] action.

Recorder - Error: systemd raw logging is enabled

Raw logging is enabled for systemd, which might reduce performance and prevent audit rules from loading.

Unless the system has excess resources and raw logging is necessary for other applications, consider disabling raw logging to improve performance. To disable raw logging, deploy the Recorder - Disable Raw Logging [Linux] action.

Recorder - Error: Trouble loading recorder audit rules ("key=TaniumRecorder" missing from "auditctl -l" output)

Recorder auditd rules are not configured correctly. Audit rules might not be loaded if raw logging is enabled. No events will be recorded.

Deploy the Recorder - Disable Raw Logging [Linux] action to disable raw logging. If the problem persists, contact Tanium Support.
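
The Linux conditions above can be confirmed locally on an endpoint before redeploying anything. The following is an added example, not Tanium code: the function names are hypothetical, and the raw logging test assumes the message refers to log_format = RAW in auditd.conf while write_logs is not set to no.

```shell
#!/bin/sh
# Added example, not Tanium code: local checks for the Linux conditions above.

# missing_tools NAME...: print each named command that is not on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# has_recorder_rules: reads `auditctl -l` output on stdin and succeeds when a
# loaded rule carries the key quoted in the health check message.
has_recorder_rules() {
    grep -q 'key=TaniumRecorder'
}

# raw_logging_enabled: reads auditd.conf text on stdin. Assumption: "raw
# logging" means log_format = RAW while write_logs is not "no".
raw_logging_enabled() {
    awk -F= '
        /^[ \t]*#/ { next }
        { key = tolower($1); val = toupper($2)
          gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val) }
        key == "log_format" { fmt = val }
        key == "write_logs" { wl = val }
        END { exit !(fmt == "RAW" && wl != "NO") }
    '
}

# report: run the checks against the live system (auditctl needs root).
report() {
    for t in $(missing_tools service auditd auditctl); do
        echo "missing: $t"
    done
    if [ -r /etc/audit/auditd.conf ] && raw_logging_enabled < /etc/audit/auditd.conf; then
        echo "raw logging enabled in auditd.conf"
    fi
    if command -v auditctl >/dev/null 2>&1; then
        auditctl -l 2>/dev/null | has_recorder_rules || echo "no key=TaniumRecorder rule loaded"
    fi
}

# Only touch the live system when called with "report", so the file can be sourced.
if [ "${1:-}" = "report" ]; then
    report
fi
```

Run it as root with the argument report; an empty result means none of these conditions was found.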