Troubleshooting Map

To collect and send information to Tanium for troubleshooting, collect logs and other relevant information.

Tanium as a Service is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium as a Service Deployment Guide: Troubleshooting Tanium as a Service.

Collect logs

You can save a Map troubleshooting package as a compressed ZIP file.

  1. From the Map Overview page, click Help, then click the Troubleshooting tab.
  2. Click Create Package.
  3. When the status shows as completed, click Download Package. A map-troubleshooting.zip file downloads to the local download directory.
  4. Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium Support.

Tanium Map maintains logging information in the Map.log file in the <Module Server>/services/Map directory.

Identify Linux endpoints that are missing auditd

If Linux endpoint events are not being recorded, the endpoints might be missing the audit daemon (auditd) and audispd services. Ideally, the audit daemon is installed and configured before you install the Map module, but endpoints can come online later without it.

  1. (Optional) Create the auditd package.

    You can either create a general installation package and put the logic in the scripts or you can have a simple script and put the logic in the Tanium query. See Tanium Core Platform User Guide: Creating and managing packages.

  2. Ask the question: Get Installed Application Exists[audit] from all machines with Is Linux containing "true".
  3. Deploy the appropriate auditd package to the identified endpoints.

    If you need to distribute the package to a large number of endpoints, spread the changes out over time to avoid a negative impact on the network.

View health of Map components

On the Map Overview page, go to the Health section. You can view any issues that exist on the endpoints, and the status of the Map tools.

Resolve issues with legacy Client Recorder Extension installations

If Tanium Endpoint Configuration detects endpoints that have legacy versions of the Client Recorder Extension installed, it reports the endpoint as Unsupported in the recorder column of the results grid when you ask the question: Get Endpoint Configuration - Tools Status. If Client Recorder Extension version 1.x exists on a targeted endpoint, you must remove it before you install Client Recorder Extension version 2.x tools. To target endpoints where Client Recorder Extension version 1.x exists, ask the question: Legacy - Recorder Installed. If the Supported Endpoints column displays No, you must remove Client Recorder Extension version 1.x from the endpoint before you install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the Recorder - Remove Legacy Recorder [Operating System] package to targeted endpoints.

File, network, or security events are not displayed on Oracle Linux server

If you are not seeing file, network, or security events in the recorder results, you can disable SELinux. When SELinux is enabled and the auditd fallback is disabled on Oracle Linux, only process information is returned. Alternatively, ensure that the Client Recorder Extension configuration parameters are set as follows:

  • CX.recorder.AuditdStopAuditdService is set to 0.
  • CX.recorder.AuditdEnableAudispdFallback is set to 1.

For more information, see Client Recorder Extension User Guide: Configuring recorded events.
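The two Linux checks described above (whether the audit package and daemon are present, and whether SELinux is enforcing on Oracle Linux) can be gathered locally on an endpoint before you decide which package to deploy. The following script is an added example, not Tanium code or part of this guide; it assumes rpm or dpkg-query for package queries, systemctl or service for daemon state, and getenforce for SELinux, and reports "unknown" or "absent" when a tool is missing. The audit_verdict function and its labels are hypothetical classifications for this example, not Tanium statuses.

```shell
#!/bin/sh
# Added example (not Tanium's code): read-only check of the audit daemon pieces
# the Map recorder depends on, plus the SELinux mode, on a Linux endpoint.
# Assumptions: rpm or dpkg-query, systemctl or service, and getenforce are
# present where applicable; anything missing is reported as unknown/absent.

# audit_pkg_installed: prints yes if an audit package is installed, no otherwise.
audit_pkg_installed() {
  if command -v rpm >/dev/null 2>&1 && rpm -q audit >/dev/null 2>&1; then
    echo yes; return 0
  fi
  if command -v dpkg-query >/dev/null 2>&1 &&
     dpkg-query -W -f='${Status}' auditd 2>/dev/null | grep -q 'install ok installed'; then
    echo yes; return 0
  fi
  echo no
}

# auditd_state: prints active, inactive, or unknown.
auditd_state() {
  if command -v systemctl >/dev/null 2>&1; then
    state=$(systemctl is-active auditd 2>/dev/null || true)
    case "$state" in
      active) echo active ;;
      '')     echo unknown ;;
      *)      echo inactive ;;
    esac
  elif command -v service >/dev/null 2>&1; then
    if service auditd status >/dev/null 2>&1; then echo active; else echo inactive; fi
  else
    echo unknown
  fi
}

# audispd_binary: audit 3.x folded the audispd dispatcher into auditd itself,
# so an absent binary is only meaningful on older audit versions.
audispd_binary() {
  if command -v audispd >/dev/null 2>&1 || [ -x /sbin/audispd ]; then
    echo present
  else
    echo absent
  fi
}

# selinux_mode: enforcing, permissive, disabled, or absent (no getenforce).
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce 2>/dev/null | tr '[:upper:]' '[:lower:]'
  else
    echo absent
  fi
}

# audit_verdict PKG DAEMON SELINUX: classify the collected facts (hypothetical
# labels, not Tanium statuses). A missing package is the case the auditd package
# deployment addresses; enforcing SELinux is the Oracle Linux condition under
# which only process information is returned.
audit_verdict() {
  case "$1" in no) echo MISSING_AUDITD; return 0 ;; esac
  case "$2" in active) ;; *) echo AUDITD_NOT_RUNNING; return 0 ;; esac
  case "$3" in enforcing) echo OK_BUT_SELINUX_ENFORCING ;; *) echo OK ;; esac
}

main() {
  pkg=$(audit_pkg_installed)
  daemon=$(auditd_state)
  selinux=$(selinux_mode)
  printf 'audit_package=%s auditd=%s audispd_binary=%s selinux=%s verdict=%s\n' \
    "$pkg" "$daemon" "$(audispd_binary)" "$selinux" \
    "$(audit_verdict "$pkg" "$daemon" "$selinux")"
}

main
```

The collectors only read state; the decision logic is kept in audit_verdict so it can be exercised on any host without root and without systemd. Run it on a sample of endpoints that the Installed Application Exists[audit] sensor reports as missing the package to confirm the finding before deploying the auditd package at scale.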

Monitor and troubleshoot Map Coverage Status

The following table lists contributing factors that can make the Map Coverage Status metric lower than expected, and the corrective actions you can take.

Contributing factor Corrective action
Tools not deployed
Recorder health
  • Verify the Tanium Driver is in use for Windows systems. See Installing Map Windows systems.
  • Make sure auditd is set to not log. See Installing Map Linux systems.
  • Ensure sufficient drive space is available. Up to 200 MB of free disk space might be required for the Map database.
  • Review the results of the Client Extensions - Status sensor for any health check findings that might need to be addressed.
CX health
  • Review the results of the Client Extensions - Status sensor to determine appropriate areas to focus remediation efforts.

  • Verify that endpoints meet the requirements for application discovery. See Step 2: Configure endpoints for discovery.

Monitor and troubleshoot Servers Mapped to an Application

The following table lists contributing factors that can make the Servers Mapped to an Application metric lower than expected, and the corrective actions you can take.

Contributing factor Corrective action
System serves as a standby

Increase the frequency of failover testing to ensure live traffic to all involved machines.

System was previously decommissioned but not retired

Use an endpoint map to determine if any legitimate traffic is taking place, then redirect the traffic accordingly. See Mapping endpoints.

System was brought online without appropriate authorization

Review system activity logs to determine current users and administrators.

System might be in a degraded state

Use Tanium to triage and diagnose the system and determine the best course of action.

Remove Map tools from endpoints

You can deploy an action to remove Map tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the computers from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is <OS> equals True, for example:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals True
  2. In the results, select the row for Map, drill down as necessary, and select the targets from which you want to remove Map tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. On the Deploy Action page, enter Endpoint Configuration - Uninstall in the Enter package name here box, and select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Map.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be reinstalled automatically, clear the selection for Block reinstallation. Reinstallation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Map to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Map databases and logs from the endpoints, clear the selection for Soft uninstall.

  8. (Optional) To also remove any tools that were dependencies of the Map tools (such as Recorder and Index) that are not dependencies for tools from other modules, select Remove unreferenced dependencies.

  9. Click Show preview to continue.
  10. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Map

  1. From the Tanium Home page, go to Administration > Configuration > Solutions.
  2. Under Map, click Uninstall. Click Proceed with Uninstall to complete the process.
  3. Disable the Map scheduled actions by setting the action group to no computers.
    1. From the Main menu, click Administration > Actions > Action Groups.
    2. Click the Tanium Map action group.
    3. In the Computer Groups section, clear the checkboxes for any selected computer groups and choose the No computers computer group.
    4. Click Save.
  4. Remove Map Tools from your endpoints. See Remove Map tools from endpoints.

  5. A backup map-files/<unix_timestamp> folder gets created on the Module Server as part of the uninstall process. You can keep or delete this folder. If any other Map artifacts remain on your Module Server, contact Tanium Support.

  6. Remove Map saved questions. You can remove saved questions that meet all the following conditions:

    • Owned by the service account you configured for Map

    • AND the name of the saved question starts with Map

    • AND is in the Map content set

  7. Remove the Map action group, if it still exists. After the action group is empty, you can delete the Tanium Map action group.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.