To get help with troubleshooting, collect logs and other relevant information and send them to Tanium.
Tanium as a Service is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium as a Service Deployment Guide: Troubleshooting Tanium as a Service.
You can save a Map troubleshooting package as a compressed ZIP file.
- From the Map Home page, click Help, then the Troubleshooting tab.
- Click Create Package.
- When the status shows as completed, click Download Package. A map-troubleshooting.zip file downloads to the local download directory.
- Attach the ZIP file to your Tanium Support case form or send it to your TAM.
Tanium Map maintains logging information in the Map.log file in the <Tanium Module Server>/services/Map directory.
If Linux endpoint events are not being recorded, the endpoints might be missing the audit daemon and audispd services. Ideally, the audit daemon is installed and configured before you install the Map module, but endpoints can also come online at a later time.
- (Optional) Create the auditd package.
You can either create a general installation package and put the logic in the scripts or you can have a simple script and put the logic in the Tanium query. See Tanium Core Platform User Guide: Creating and managing packages.
- Ask the question: Get Installed Application Exists[audit] from all machines with Is Linux containing "true".
- Deploy the appropriate auditd package to the identified endpoints.
If you need to distribute the package to a large number of endpoints, spread the changes out over time to avoid a negative impact on the network.
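One way to write the script-side logic for the auditd package described above, as an added example rather than Tanium-supplied content: it checks for the `auditd` and `audispd` binaries and prints the install command for the endpoint's package tool without running it. The function names, directory lists and distro package names (`audit` on RPM-based systems, `auditd` on Debian-based ones) are assumptions, not taken from the Tanium documentation.

```sh
#!/bin/sh
# Added example, not Tanium package content. Package names and sbin paths are
# assumed stock distro defaults; all function names are hypothetical.

SBIN_DIRS="/sbin /usr/sbin"   # where distros place auditd and audispd
TOOL_DIRS="/usr/bin /bin"     # where package tools live

# have_exec NAME DIR...: succeed if NAME is executable in any DIR
have_exec() {
    _name=$1; shift
    for _dir in "$@"; do
        [ -x "$_dir/$_name" ] && return 0
    done
    return 1
}

# audit_state DIR...: print which audit components are present.
# audit 3.x folds the dispatcher into auditd, so "auditd-only" is normal there.
audit_state() {
    if ! have_exec auditd "$@"; then echo "missing"
    elif have_exec audispd "$@"; then echo "auditd+audispd"
    else echo "auditd-only"
    fi
}

# install_cmd DIR...: print the install command for the first package tool found
install_cmd() {
    if   have_exec apt-get "$@"; then echo "apt-get install -y auditd"
    elif have_exec dnf "$@";     then echo "dnf install -y audit"
    elif have_exec yum "$@";     then echo "yum install -y audit"
    elif have_exec zypper "$@";  then echo "zypper --non-interactive install audit"
    else return 1
    fi
}

# plan "SBIN DIRS" "TOOL DIRS": one result line for the deployment action to
# report; it prints the install command and does not run it.
plan() {
    _state=$(audit_state $1)
    if [ "$_state" != "missing" ]; then echo "present: $_state"
    elif _cmd=$(install_cmd $2); then echo "install: $_cmd"
    else echo "manual: no known package tool"
    fi
}

# Executed with --check, report on this endpoint; sourcing only defines functions.
if [ "${1:-}" = "--check" ]; then plan "$SBIN_DIRS" "$TOOL_DIRS"; fi
```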
On the Map Home page, go to the Initialization Summary section. Click the numbers to view detailed information.
The following table lists factors that might contribute to a lower than expected Map coverage metric, and corrective actions you can take.
|Contributing factor|Corrective action|
|---|---|
|Tools not deployed||
The following table lists factors that might contribute to a lower than expected Servers Mapped to an Application metric, and corrective actions you can take.
|Contributing factor|Corrective action|
|---|---|
|System serves as a standby|Increase the frequency of failover testing to ensure live traffic to all involved machines.|
|System was previously decommissioned but not retired|Use an endpoint map to determine if any legitimate traffic is taking place, then redirect the traffic accordingly. See Mapping endpoints.|
|System was brought online without appropriate authorization|Review system activity logs to determine current users and administrators.|
|System might be in a degraded state|Use Tanium to triage and diagnose the system and determine best course of action.|
- From the Main menu, click Tanium Solutions.
- Under Map, click Uninstall. Click Proceed with Uninstall to complete the process.
- Disable the Map scheduled actions by setting the action group to no computers.
  - From the Main menu, click Actions > Scheduled Actions.
  - Click the Tanium Map action group. Click Edit.
  - In the Computer Groups section, clear the checkboxes for any selected computer groups and choose the No computers computer group.
  - Click Save.
Remove the Map tools from your endpoints. To see which endpoints have the Map tools installed, ask the question: Get Computer Name and Map - Tools Version from all machines with Map - Tools Version contains Package Installed. If you want to clean the artifacts from your endpoints, contact your TAM.
A backup map-files folder gets created on the Module Server as part of the uninstall process. You can keep or delete this folder. If any other Map artifacts remain on your Module Server, contact your TAM.
Remove Map saved questions. You can remove saved questions that meet all the following conditions:
- Owned by the service account you configured for Map
- AND the name of the saved question starts with Map
- AND is in the Map content set
Remove the Map scheduled actions:
- Map - Distribute Profile [Windows]
- Map - Distribute Profile [Mac]
- Map - Distribute Profile [Linux]
- Map - Distribute Tools [Windows]
- Map - Distribute Tools [Mac]
- Map - Distribute Tools [Linux]
- Map - Distribute Application Definition [Windows]
- Map - Distribute Application Definition [Mac]
- Map - Distribute Application Definition [Linux]
- Remove the Map action group. After the action group is empty, you can delete the Tanium Map action group.
Last updated: 7/22/2020 2:27 PM