Troubleshooting Integrity Monitor

Collect logs

Collect server logs within Integrity Monitor

Server logs might be required by Tanium to assist you with troubleshooting.

You must have either an Administrator or Content Administrator role in Integrity Monitor to collect server logs.

  1. From the Integrity Monitor Overview page, click Help.
  2. Click the Troubleshooting tab.
  3. Click Collect and then click Download to download a ZIP file containing the logs.

Change the logging level

  1. To specify the minimum log level, from the Integrity Monitor Overview page, click Help.
  2. Click the Troubleshooting tab.
  3. Select a Log Level. The default setting is Info.

This update changes the log level for future logging. It does not affect the data that is available in the support package for previously logged events.

File permission monitoring is configured for a Windows path, but file permission events are not recorded on an endpoint

If you deployed a watchlist that includes a Windows-style path that is configured to record permission changes, but file permission events are not recorded on a Windows endpoint, make sure the Audit File System permission is configured properly on the endpoint: see Prepare Endpoints.

Endpoints that do not have this permission configured return Recorder - Error: File permission auditing is disabled when you ask a question using the Client Extensions - Status sensor, and they appear in the Endpoint Health panel on the Integrity Monitor Overview page.
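
The following added example (not part of the Tanium documentation) checks the Audit File System setting locally on a Windows endpoint with the built-in auditpol.exe tool. It assumes an elevated PowerShell session and English-language auditpol output; the function name is hypothetical, and which of Success or Failure auditing Integrity Monitor needs is defined in Prepare Endpoints, not here.

```powershell
# Added example: report the "Audit File System" advanced audit policy setting
# on the local Windows endpoint. Run from an elevated session, because
# auditpol.exe requires administrator rights.

# Well-known GUID of the File System subcategory (Object Access category).
# Querying by GUID avoids depending on the localized subcategory name.
$FileSystemGuid = '{0CCE921D-69AE-11D9-BED3-505054503030}'

function Get-FileSystemAuditSetting {   # hypothetical helper name
    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $raw = & auditpol.exe /get "/subcategory:$FileSystemGuid" /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol.exe failed with exit code $LASTEXITCODE (is the session elevated?)"
    }

    # Drop blank lines before parsing, then keep the File System row only.
    $row = $raw |
        Where-Object { $_ -and $_.Trim() } |
        ConvertFrom-Csv |
        Where-Object { $_.'Subcategory GUID' -eq $FileSystemGuid } |
        Select-Object -First 1
    if (-not $row) {
        throw 'File System subcategory not found in auditpol output.'
    }

    # Assumption: English output, where the disabled state reads "No Auditing".
    [pscustomobject]@{
        Computer = $row.'Machine Name'
        Setting  = $row.'Inclusion Setting'
        Disabled = ($row.'Inclusion Setting' -eq 'No Auditing')
    }
}

$result = Get-FileSystemAuditSetting
if ($result.Disabled) {
    Write-Warning "Audit File System is set to 'No Auditing' on $($result.Computer)."
} else {
    Write-Output "Audit File System on $($result.Computer): $($result.Setting)"
}
```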

Monitor and troubleshoot Integrity Monitor health

Endpoints with errors appear in the Endpoint Health panel on the Integrity Monitor Overview page. To see all endpoint health errors that are relevant to Integrity Monitor, click the title of the chart. To get detailed health information about endpoints that are included in an error category, click the bar for the category in the chart.

For issues with client extensions that appear in the chart, see Identify and resolve issues with client extensions.

For help resolving a specific error, see Reference: Endpoint monitoring health check errors, and contact Tanium Support for further assistance.

Identify and resolve issues with client extensions

Use the following steps to troubleshoot issues with the client extensions that Integrity Monitor installs and uses. During troubleshooting, consider environmental factors such as security exclusions, file locks, CPU usage, RAM usage, and disk failures.

To review the client extensions that Integrity Monitor installs and uses, see Client extensions.

  1. To review the health of client extensions or to start an investigation into an existing error, ask a question using the Client Extensions - Status or Integrity Monitor - Tools Version sensor.

    The results of these questions help to identify endpoints with errors and provide a starting point to deploy actions that might help correct the issue. Filter the results and drill down as necessary to investigate results that indicate errors.

    Consider whether endpoints with errors share common characteristics, such as operating system, domain or organization unit, or the antivirus software that is installed.

  2. Target one or more endpoints with errors, and uninstall tools that report errors without blocking reinstallation: see Remove Integrity Monitor tools from endpoints and Endpoint Configuration User Guide: Uninstall a tool installed by Endpoint Configuration.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

    Wait for automatic reinstallation of the tool. If the reinstallation does not resolve the issue, continue to the next step.

  3. Ask a question using the Endpoint Configuration - Tools Status Details sensor, and include filters to limit the results to the tool that you are investigating. For example:

    Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Integrity Monitor from all machines with Endpoint Configuration - Tools Status:Tool Name contains Integrity Monitor

    Review the columns in the results for specific information about errors. The following table provides guidance for some common error conditions:

    Error Condition: No error appears, but an available new version has not been installed
    Possible Resolution: Review the Targeted Version column to make sure that the endpoint has received the latest manifest. If the targeted version does not yet show the updated version, the Endpoint Configuration manifest has not updated on the endpoint, usually for one of the following reasons:

    Error Condition: Installation Blocker: Unmet Dependencies: [Tool name]
    Possible Resolution: If no Failure Message or Failure Step appears, the endpoint might be waiting for the dependencies to install. Wait to see if the condition resolves on its own. If this condition remains for an extended period, ask the question again and review any error information in other columns, especially the Failing Dependency column.

    Error Condition: Failing Dependency: [Tool name]
    Possible Resolution: Ask the question: Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains [Tool name] from all machines with Endpoint Configuration - Tools Status:Tool Name contains [Tool name]
    Investigate further errors with the tool.

    Error Condition: Manually Blocked: blocked
    Possible Resolution: The tool was previously blocked, either manually or during a previous uninstallation. Unblock the tool: see Endpoint Configuration User Guide: Block or unblock tools from installing on an endpoint.

  4. Review the Extensions logs on the endpoint. Take note of entries that include fail or error: see Review the Extensions log for an endpoint.

For additional help, collect all logs for Tanium Integrity Monitor, and contact Tanium Support.

Review the Extensions log for an endpoint

Use Client Management to directly connect to an endpoint and view and download extension logs.

  1. From the Main menu, go to Administration > Shared Services > Client Management.

  2. From the Client Management menu, click Client Health.

  3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

    Matching results are displayed after the search completes.

  4. From the search results, click the computer name to connect to the endpoint.
  5. Click the Logs tab, and select an extensions[#].log file.

  6. (Optional) To download the log, click Download.

For additional help, collect all logs for Tanium Integrity Monitor, and contact Tanium Support.

Uninstall Integrity Monitor

Contact Tanium Support before you uninstall Integrity Monitor in a production environment so that you understand the potential repercussions.

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. Select the check box for Integrity Monitor, and click Delete Selected. Click Uninstall to complete the process.
  3. Delete any remaining Integrity Monitor related scheduled actions and action groups.
  4. Remove Integrity Monitor tools from your endpoints. For more information, see Remove Integrity Monitor tools from endpoints.
  5. The uninstall process creates a folder named integrity-monitor-service-files that contains a backup of the Integrity Monitor files. If you have access to the file system on the machine hosting the Module Server, you can keep or delete this folder. If any other Integrity Monitor artifacts remain on your Module Server, contact Tanium Support.

Remove Integrity Monitor tools from endpoints

You can deploy an action to remove Integrity Monitor tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
  2. In the results, select the row for Integrity Monitor, drill down as necessary, and select the targets from which you want to remove Integrity Monitor tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Integrity Monitor.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Reinstallation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Integrity Monitor to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Integrity Monitor databases and logs from the endpoints, clear the selection for Soft uninstall.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

  8. (Optional) To also remove any tools that were dependencies of the Integrity Monitor tools (such as Recorder and Index) that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

  9. (Optional) In the Deployment Schedule section, configure a schedule for the action.

    If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

  10. Click Show preview to continue.
  11. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Resolve issues with legacy Client Recorder Extension installations

If Tanium Endpoint Configuration detects endpoints that have legacy versions of the Client Recorder Extension installed, it reports the endpoint as Unsupported in the recorder column of the results grid when you ask the question: Get Endpoint Configuration - Tools Status. If Client Recorder Extension version 1.x exists on a targeted endpoint, you must remove it before you install Client Recorder Extension version 2.x tools. To target endpoints where Client Recorder Extension version 1.x exists, ask the question: Recorder - Legacy Installed. If the Supported Endpoints column displays Yes, you must remove Client Recorder Extension version 1.x from the endpoint before you install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the Recorder - Remove Legacy Recorder [Operating System] package to targeted endpoints.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.