Troubleshooting Map

To send information to Tanium for troubleshooting, collect logs and other relevant information.

Tanium as a Service is a self-monitored service, designed to detect failures before they surface to users. For more information, see Tanium as a Service Deployment Guide: Troubleshooting Tanium as a Service.

Collect logs

You can save a Map troubleshooting package as a compressed ZIP file.

  1. From the Map Home page, click Help, then the Troubleshooting tab.
  2. Click Create Package.
  3. When the status shows as completed, click Download Package. A map-troubleshooting.zip file downloads to the local download directory.
  4. Attach the ZIP file to your Tanium Support case form or send it to your TAM.

Tanium Map maintains logging information in the Map.log file in the <Tanium Module Server>/services/Map directory.

Identify Linux endpoints that are missing auditd

If Linux endpoint events are not being recorded, they might be missing the audit daemon and audispd services. Ideally, the audit daemon is installed and configured before installing the Map module, but it is possible for endpoints to come online at a later time.

  1. (Optional) Create the auditd package.

    You can either create a general installation package and put the logic in the scripts or you can have a simple script and put the logic in the Tanium query. See Tanium Core Platform User Guide: Creating and managing packages.

  2. Ask the question: Get Installed Application Exists[audit] from all machines with Is Linux containing "true".
  3. Deploy the appropriate auditd package to the identified endpoints.

    If you need to distribute the package to a large number of endpoints, spread the changes out over time to avoid a negative impact on the network.
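
A local spot check for a single Linux endpoint, complementing the Tanium question above. This is an added example, not part of the Tanium documentation or product; the function names and the ROOT parameter are hypothetical. It assumes the standard audit package layout: audit 2.x installs a separate audispd binary, while audit 3.x builds the dispatcher into auditd and reads plugins from /etc/audit/plugins.d.

```shell
#!/bin/sh
# Added example (not Tanium code): check one Linux endpoint for the audit
# daemon and its event dispatcher.
# ROOT is a hypothetical parameter: the filesystem root to inspect. It is
# empty for the live system and set to a mounted image or test tree otherwise.

# find_bin ROOT NAME -> prints the first executable NAME found in the sbin dirs
find_bin() {
    for dir in sbin usr/sbin; do
        if [ -x "$1/$dir/$2" ]; then
            printf '%s\n' "$1/$dir/$2"
            return 0
        fi
    done
    return 1
}

# audit_status ROOT -> prints one of:
#   ok               auditd and an event dispatcher are present
#   missing-auditd   the audit daemon is not installed
#   missing-audispd  auditd is present but no dispatcher was found
audit_status() {
    root="${1:-}"
    if ! find_bin "$root" auditd >/dev/null; then
        echo "missing-auditd"
        return 1
    fi
    # audit 2.x: separate audispd binary.
    # audit 3.x: dispatcher is part of auditd; plugins live in
    # /etc/audit/plugins.d, so that directory stands in for audispd.
    if find_bin "$root" audispd >/dev/null || [ -d "$root/etc/audit/plugins.d" ]; then
        echo "ok"
        return 0
    fi
    echo "missing-audispd"
    return 1
}

# Report the state of the live system when the script is run directly.
audit_status "" || true
```
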

View health of Map components

On the Map Home page, go to the Initialization Summary section. Click the numbers to view detailed information.

Monitor and troubleshoot Map coverage

The following table lists contributing factors that might make the Map coverage metric lower than expected, and corrective actions you can take.

Contributing factor Corrective action
Tools not deployed
  • Verify Tanium Clients are current and supported. For a list of supported Tanium Client versions with Map, see Map requirements.
  • Verify that intended targets are in the appropriate Map action groups. See Configure Map action group.
Recorder health
  • Verify the Tanium Driver is in use for Windows systems. See Windows systems.
  • Make sure auditd is set to not log. See Linux systems.
  • Ensure sufficient drive space is available. Up to 1 GB of free disk space might be required for the Map database.
  • Verify that the profile.json file is present on the endpoints by reviewing the results of the CX - Status sensor. If the file is not found, a health_check result is returned.
CX health
  • Review the results of the CX - Status sensor to determine appropriate areas to focus remediation efforts.

Monitor and troubleshoot servers mapped to an application

The following table lists contributing factors that might make the Servers Mapped to an Application metric lower than expected, and corrective actions you can take.

Contributing factor Corrective action
System serves as a standby
  • Increase the frequency of failover testing to ensure live traffic to all involved machines.
System was previously decommissioned but not retired
  • Use an endpoint map to determine if any legitimate traffic is taking place, then redirect the traffic accordingly. See Mapping endpoints.
System was brought online without appropriate authorization
  • Review system activity logs to determine current users and administrators.
System might be in a degraded state
  • Use Tanium to triage and diagnose the system and determine the best course of action.

Uninstall Map

  1. From the Main menu, click Tanium Solutions.
  2. Under Map, click Uninstall. Click Proceed with Uninstall to complete the process.
  3. Disable the Map scheduled actions by setting the action group to no computers.
    1. From the Main menu, click Actions > Scheduled Actions.
    2. Click the Tanium Map action group. Click Edit.
    3. In the Computer Groups section, clear the checkboxes for any selected computer groups and choose the No computers computer group.
    4. Click Save.
  4. Remove Map Tools from your endpoints. To see which endpoints have the map tools installed, ask the question: Get Computer Name and Map - Tools Version from all machines with Map - Tools Version contains Package Installed. If you want to clean the artifacts from your endpoints, contact your TAM.

  5. A backup map-files folder gets created on the Module Server as part of the uninstall process. You can keep or delete this folder. If any other Map artifacts remain on your Module Server, contact your TAM.

  6. Remove Map saved questions. You can remove saved questions that meet all the following conditions:

    • Owned by the service account you configured for Map

    • AND the name of the saved question starts with Map

    • AND is in the Map content set

  7. Remove the Map scheduled actions:

    • Map - Distribute Profile [Windows]
    • Map - Distribute Profile [Mac]
    • Map - Distribute Profile [Linux]
    • Map - Distribute Tools [Windows]
    • Map - Distribute Tools [Mac]
    • Map - Distribute Tools [Linux]
    • Map - Distribute Application Definition [Windows]
    • Map - Distribute Application Definition [Mac]
    • Map - Distribute Application Definition [Linux]
  8. Remove the Map action group. After the action group is empty, you can delete the Tanium Map action group.