To troubleshoot Map, collect logs and other relevant information as described in this section and send them to Tanium Support.
Tanium as a Service is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium as a Service Deployment Guide: Troubleshooting Tanium as a Service.
You can save a Map troubleshooting package as a compressed ZIP file.
- From the Map Overview page, click Help, then the Troubleshooting tab.
- Click Create Package.
- When the status shows as completed, click Download Package. A map-troubleshooting.zip file downloads to the local download directory.
- Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium Support.
Tanium Map maintains logging information in the Map.log file in the <Module Server>/services/Map directory.
If Linux endpoint events are not being recorded, the endpoints might be missing the audit daemon (auditd) and the audispd service. Ideally, auditd is installed and configured before the Map module is installed, but endpoints can come online later without it.
- (Optional) Create the auditd package.
You can either create a general installation package and put the logic in its scripts, or keep the script simple and put the logic in the Tanium question that targets the endpoints. See Tanium Core Platform User Guide: Creating and managing packages.
- Ask the question: Get Installed Application Exists[audit] from all machines with Is Linux containing "true".
- Deploy the appropriate auditd package to the identified endpoints.
If you need to distribute the package to a large number of endpoints, spread the changes out over time to avoid a negative impact on the network.
Resolve issues with legacy Client Recorder Extension installations
If Tanium Endpoint Configuration detects endpoints that have legacy versions of the Client Recorder Extension installed, it reports the endpoint as Unsupported in the recorder column of the results grid when you ask the question: Get Endpoint Configuration - Tools Status. Client Recorder Extension version 1.x must be removed from an endpoint before you install Client Recorder Extension version 2.x tools on it. To target endpoints where version 1.x exists, ask the question: Legacy - Recorder Installed. For every endpoint where the Supported Endpoints column displays No, deploy the Recorder - Remove Legacy Recorder [Operating System] package to remove version 1.x, then install the 2.x tools.
File, network, or security events are not displayed on Oracle Linux server
If file, network, or security events do not appear in the recorder results on Oracle Linux, check SELinux. When SELinux is enabled and the audispd fallback is disabled, the recorder returns only process information. Disabling SELinux resolves this, but it also removes mandatory access control from the host; the alternative that keeps SELinux enabled is to set the Client Recorder Extension configuration parameters as follows:
- CX.recorder.AuditdStopAuditdService is set to 0.
- CX.recorder.AuditdEnableAudispdFallback is set to 1.
For more information, see Client Recorder Extension User Guide: Configuring recorded events .
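The two Linux prerequisites above (auditd present, and SELinux combined with the audispd fallback) are easy to check before deploying or troubleshooting the recorder. The following pre-flight script is an added example, not Tanium code. It assumes the recorder parameters can be read from a key=value file (the path and file format are assumptions made for the example; read the values however your deployment exposes the Client Recorder Extension configuration), and every check takes a root prefix so it can run against "/" on a live endpoint or against a constructed directory tree for a dry run.

```shell
#!/bin/sh
# Pre-flight check for the Linux recorder prerequisites (added example, not Tanium code).
# Each check takes a ROOT prefix: pass "/" on a live endpoint, or a constructed
# directory tree for a dry run.

# True (exit 0) if the audit daemon binary is installed under ROOT.
audit_daemon_present() {
    root=${1:-/}
    [ -x "$root/sbin/auditd" ] || [ -x "$root/usr/sbin/auditd" ]
}

# SELinux state as selinuxfs reports it: enforcing, permissive, or disabled
# (no readable enforce file means SELinux is disabled or not present).
selinux_mode() {
    f="${1:-/}/sys/fs/selinux/enforce"
    if [ -r "$f" ]; then
        if [ "$(cat "$f")" = 1 ]; then echo enforcing; else echo permissive; fi
    else
        echo disabled
    fi
}

# Read one CX.recorder.* parameter from a key=value file (file format is an
# assumption for this example). Prints the value, or nothing if the key is absent.
recorder_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | head -n 1
}

# Classify an endpoint with one word:
#   missing-auditd  deploy the auditd package before expecting Linux events
#   process-only    SELinux is enabled and the recorder is not set to leave auditd
#                   running with the audispd fallback, so only process events arrive
#   ok              file, network, and security events can be recorded
# A parameter that is missing from the file is treated as not set to the required value.
diagnose_endpoint() {
    root=$1; cfg=$2
    if ! audit_daemon_present "$root"; then
        echo missing-auditd; return 0
    fi
    stop=$(recorder_setting "$cfg" CX.recorder.AuditdStopAuditdService)
    fallback=$(recorder_setting "$cfg" CX.recorder.AuditdEnableAudispdFallback)
    if [ "$(selinux_mode "$root")" != disabled ] \
       && { [ "$stop" != 0 ] || [ "$fallback" != 1 ]; }; then
        echo process-only; return 0
    fi
    echo ok
}

# Dry run against a constructed tree (no real endpoint is touched).
demo() {
    root=$(mktemp -d); cfg="$root/recorder.conf"
    mkdir -p "$root/usr/sbin" "$root/sys/fs/selinux"
    printf '#!/bin/sh\n' > "$root/usr/sbin/auditd"; chmod +x "$root/usr/sbin/auditd"
    echo 1 > "$root/sys/fs/selinux/enforce"
    printf '%s\n' 'CX.recorder.AuditdStopAuditdService=1' \
                  'CX.recorder.AuditdEnableAudispdFallback=0' > "$cfg"
    echo "enforcing, fallback off: $(diagnose_endpoint "$root" "$cfg")"
    printf '%s\n' 'CX.recorder.AuditdStopAuditdService=0' \
                  'CX.recorder.AuditdEnableAudispdFallback=1' > "$cfg"
    echo "enforcing, fallback on:  $(diagnose_endpoint "$root" "$cfg")"
    rm "$root/usr/sbin/auditd"
    echo "no auditd:               $(diagnose_endpoint "$root" "$cfg")"
    rm -rf "$root"
}

# Usage: sh check_recorder_prereqs.sh                          (dry run)
#        sh check_recorder_prereqs.sh / /path/to/recorder.conf (live endpoint)
if [ $# -eq 0 ]; then demo; else diagnose_endpoint "$1" "$2"; fi
```

Run it with no arguments to see the three classifications on the constructed tree; on a live endpoint, pass "/" and the file your deployment uses for the recorder parameters. The result "process-only" is the combination the section above describes, and the fix is the two parameter values listed there rather than disabling SELinux.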
The following table lists contributing factors that can make the Map Coverage Status metric lower than expected, and corrective actions you can take.

|Contributing factor|Corrective action|
|---|---|
|Tools not deployed| |
The following table lists contributing factors that can make the Servers Mapped to an Application metric lower than expected, and corrective actions you can take.

|Contributing factor|Corrective action|
|---|---|
|System serves as a standby|Increase the frequency of failover testing so that live traffic reaches all involved machines.|
|System was previously decommissioned but not retired|Use an endpoint map to determine whether any legitimate traffic is taking place, then redirect the traffic accordingly. See Mapping endpoints.|
|System was brought online without appropriate authorization|Review system activity logs to determine the current users and administrators.|
|System might be in a degraded state|Use Tanium to triage and diagnose the system and determine the best course of action.|
You can deploy an action to remove Map tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.
- In Interact, target the computers from which you want to remove the tools. For example, ask a question that targets a specific operating system:
Get Endpoint Configuration - Tools Status from all machines with Is <OS> equals True, for example:
Get Endpoint Configuration - Tools Status from all machines with Is Windows equals True
- In the results, select the row for Map, drill down as necessary, and select the targets from which you want to remove Map tools. For more information, see Tanium Interact User Guide: Managing question results.
- Click Deploy Action.
- On the Deploy Action page, enter Endpoint Configuration - Uninstall in the Enter package name here box, and select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
For Tool Name, select Map.
(Optional) By default, after the tools are removed they cannot be reinstalled. To allow the tools to be reinstalled automatically, clear the Block reinstallation check box. Reinstallation occurs almost immediately.
If reinstallation is blocked on an endpoint, you must deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints) before the tools can be reinstalled.
(Optional) To remove all Map databases and logs from the endpoints, clear the selection for Soft uninstall.
(Optional) To also remove any tools that were dependencies of the Map tools (such as Recorder and Index) and that are not dependencies of tools from other modules, select Remove unreferenced dependencies.
- Click Show preview to continue.
A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.
If you have enabled Endpoint Configuration, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.
- From the Tanium Home page, go to Administration > Configuration > Solutions.
- Under Map, click Uninstall. Click Proceed with Uninstall to complete the process.
- Disable the Map scheduled actions by setting the action group to no computers.
- From the Main menu, click Actions > Scheduled Actions.
- Click the Tanium Map action group. Click Edit.
- In the Computer Groups section, clear the checkboxes for any selected computer groups and choose the No computers computer group.
- Click Save.
Remove Map Tools from your endpoints. See Remove Map tools from endpoints.
A backup map-files/<unix_timestamp> folder is created on the Module Server as part of the uninstall process. You can keep or delete this folder. If any other Map artifacts remain on your Module Server, contact your Technical Account Manager (TAM).
Remove Map saved questions. You can remove saved questions that meet all of the following conditions:
- Owned by the service account you configured for Map
- AND the name of the saved question starts with Map
- AND in the Map content set
- Remove the Map action group, if it still exists. After the action group is empty, you can delete the Tanium Map action group.
To contact Tanium Support for help, send an email to [email protected].
Last updated: 1/12/2021 1:30 PM