Troubleshooting Patch

If Patch is not performing as expected, you might need to do some troubleshooting or change settings. For information about specific error messages, see Reference: Common errors.

To prevent issues caused by unhealthy endpoints, ensure that endpoints have:
  • At least 5 GB of free space
  • A healthy Windows Update Agent
  • An uptime of less than 90 days

Collect a troubleshooting package

For your own review or to assist support, you can compile Patch logs and files that are relevant for troubleshooting.

  1. On the Patch Overview page, click Help.

  2. Click the Support tab and click Collect.

  3. When the Status field updates, click Download.

    The ZIP file might take a few moments to download. Its name carries a timestamp in the Patch-YYYY-MM-DDTHH-MM-SS.mmmZ format.

Upgrading to Patch 3.13

In Patch 3.13, the steps required to configure the service account are no longer necessary due to the adoption of the System User Service, which performs these tasks automatically. Additionally, the Patch database is migrated to RDB in this release. Consequently, after upgrading to Patch 3.13, it might take time for the database migration to complete and for RBAC privileges and other updates to sync properly. This could lead to issues and error messages when you first query the Tanium Console. These issues usually resolve on their own after a few minutes, but could take up to an hour or longer depending on system resources and the amount of data to migrate.

View job logs to troubleshoot job failed errors

You can download job logs to troubleshoot "job failed" errors.

  1. On the Patch Overview page, click Help.

  2. Click the Support tab and click View Job Status.

  3. In the Job Detail window, click Download Logs to download a job-logs.txt file with more details about recent jobs.

Collect Patch troubleshooting information from Windows and Linux endpoints

You can collect and review endpoint artifacts to troubleshoot Patch issues on Windows and Linux endpoints.

Collect information on Windows endpoints

You can use Client Management to directly connect to an endpoint and collect a bundle of logs and other artifacts, sometimes referred to as an Endpoint Must Gather (EMG).

  1. From the Main menu, click Shared Services > Client Management.

  2. From the Client Management menu, click Client Health.

  3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

    Matching results are displayed after the search completes.

  4. From the search results, click the computer name to connect to the endpoint.
  5. Click the Gather tab. In the Domain section, select the category or Tanium Solution for which you want to gather troubleshooting information.

    For Patch information, select the Software Manager domain and then select Patch Logs and Tanium Scan Logs.

  6. Click Gather from Endpoint.

    The selected logs and artifacts are gathered from the endpoint. The package appears in the Must Gathers section, and the name of the package corresponds with its time stamp.

  7. When Finished appears in the Run State column, select the package and click Download to download a ZIP file that contains the troubleshooting information.

For more information about connecting directly to endpoints, see Tanium Direct Connect User Guide.

For more information about using client health features in Client Management, see Tanium Client Management User Guide: Monitor the client health overview in Client Management and Tanium Client Management User Guide: Access detailed client health and troubleshooting information on an endpoint.

Collect information on Linux endpoints

Copy the Patch logs from the Tools/Patch/logs directory under the Tanium Client installation directory (for example, /opt/Tanium/TaniumClient/Tools/Patch/logs). The Tanium Client Patch logs contain information that is useful for troubleshooting issues, including scan and deployment issues.

Configure endpoint logging for Windows and Linux endpoints

Distribute the Patch - Set Patch Process Options package to your Windows and Linux endpoints to change the default logging type and log rotation settings.

  1. In Interact, target the endpoints on which you want to configure logging. For example,
    Get Operating System from all machines.
  2. Click Deploy Action. Choose the Patch - Set Patch Process Options package and specify the log level, log size, and number of logs to keep.
  3. Click Preview and then click Deploy Action.

Windows and Linux patches are not listed in the Patches view

If you are having difficulty getting Windows and Linux patches to appear:

  1. Verify that the Patch - Is Process Running sensor returns Yes for your endpoints.
  2. Ensure that the expected endpoints are in the action group.
  3. Verify that the expected endpoints are targeted by a scan configuration.
  4. Check for scan errors on the endpoints targeted by a scan configuration.

Troubleshoot scan errors on Windows and Linux endpoints

Investigate Windows and Linux endpoints with scan errors that have scan results older than two days and resolve the errors for each endpoint.

  1. From the Patch menu, go to Scan Management and then click Scan Errors.
  2. Review any scan errors.

For more information about how to find and resolve common scan errors, see How to Clear Those Pesky Patch Scan Errors: Troubleshooting Common Errors to Enable Successful Scans.

Offline CAB scans fail for Windows 7 and Windows Server 2008 R2

If offline CAB scans fail for Windows 7 and Windows Server 2008 R2 with the error:

Error creating Update Service Object - See C:\Windows\windowsupdate.log for more details

Check the Windows Update log (C:\Windows\windowsupdate.log) for the following warning:

WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\ScanFile\f6f0081a-1e6e-4e64-a804-58cf334a1f48\Source.cab are not trusted: Error 0x800b0109

Error 0x800b0109 (CERT_E_UNTRUSTEDROOT) means that the endpoint cannot validate the signing chain of the scan CAB because the chain ends in a root certificate that the endpoint does not trust. If you see this warning, prerequisite patches might not be installed on the endpoints. To resolve this issue, use either Tanium Scan or a method outside of Patch to install the SHA-2 code signing support and Extended Security Updates (ESU) prerequisite updates on the endpoints. For more information, see Tanium Scan and Tanium Community: Enabling and Delivering Microsoft Extended Security Updates with Tanium.
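As an added example, not code from the original page or from Tanium, the following Python script triages a copied windowsupdate.log (for example one retrieved from an endpoint alongside the logs gathered through Client Management) for this warning. It parses the legacy Windows 7 / Server 2008 R2 log line format, groups the warnings by scan attempt (the GUID directory under ScanFile) and by HRESULT, and flags the untrusted-root case that points at missing prerequisites. The lines in SAMPLE_LOG are constructed for the demonstration; the file name in the usage comment is hypothetical.

```python
import re
import sys
from collections import Counter
from pathlib import Path
from typing import Iterable

# HRESULT quoted in the warning above: CERT_E_UNTRUSTEDROOT, the signing chain
# of the scan CAB ends in a root the endpoint does not trust.
CERT_E_UNTRUSTEDROOT = 0x800B0109

# Legacy (Windows 7 / Server 2008 R2) WindowsUpdate.log warning format.
UNTRUSTED_RE = re.compile(
    r"WARNING: Digital Signatures on file (?P<path>\S+) are not trusted: "
    r"Error (?P<hr>0x[0-9A-Fa-f]{8})"
)
# One scan attempt = one GUID directory under SoftwareDistribution\ScanFile.
SCAN_GUID_RE = re.compile(
    r"\\ScanFile\\(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\\"
)

# Constructed sample log (not captured from a real endpoint): two scan
# attempts that failed on the CAB signature, plus unrelated lines.
SAMPLE_LOG = """\
2019-10-15 09:12:01:101  948 1b4c Misc WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\ScanFile\\f6f0081a-1e6e-4e64-a804-58cf334a1f48\\Source.cab are not trusted: Error 0x800b0109
2019-10-15 09:12:01:102  948 1b4c Misc WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\ScanFile\\f6f0081a-1e6e-4e64-a804-58cf334a1f48\\Source.cab are not trusted: Error 0x800b0109
2019-10-15 09:12:02:000  948 1b4c Agent WARNING: Scan file evaluation failed, error = 0x800b0109
2019-10-16 09:12:01:101  948 1b4c Misc WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\ScanFile\\11111111-2222-3333-4444-555555555555\\Source.cab are not trusted: Error 0x800b0109
2019-10-16 09:13:00:000  948 1b4c Agent Scan file evaluation finished
"""


def analyze(lines: Iterable[str]) -> dict:
    """Collect untrusted-signature warnings and decide whether they match the
    missing-prerequisite pattern described above."""
    hits = []
    for line in lines:
        m = UNTRUSTED_RE.search(line)
        if not m:
            continue
        g = SCAN_GUID_RE.search(m["path"])
        hits.append({"scan": g["guid"].lower() if g else None,
                     "hresult": int(m["hr"], 16)})
    by_code = Counter(h["hresult"] for h in hits)
    return {
        "warnings": len(hits),
        "failed_scans": sorted({h["scan"] for h in hits if h["scan"]}),
        "by_hresult": {f"0x{code:08x}": n for code, n in sorted(by_code.items())},
        # 0x800b0109 on the scan CAB is the indicator, per the text above, that
        # the SHA-2 signing / ESU prerequisite updates are missing.
        "sha2_prerequisites_suspected": by_code.get(CERT_E_UNTRUSTEDROOT, 0) > 0,
    }


def report(result: dict) -> str:
    """Render the analysis as a short text summary for a ticket or runbook."""
    if not result["warnings"]:
        return "no untrusted-signature warnings found"
    lines = [f"{result['warnings']} untrusted-signature warning(s) across "
             f"{len(result['failed_scans'])} scan attempt(s)"]
    for code, n in result["by_hresult"].items():
        name = " CERT_E_UNTRUSTEDROOT" if int(code, 16) == CERT_E_UNTRUSTEDROOT else ""
        lines.append(f"  {code}{name}: {n}")
    if result["sha2_prerequisites_suspected"]:
        lines.append("  -> likely missing SHA-2 signing / ESU prerequisite updates")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python wulog_triage.py C:\temp\windowsupdate.log
    # With no argument the constructed sample is analyzed.
    if len(sys.argv) > 1:
        text = Path(sys.argv[1]).read_text(encoding="utf-8", errors="replace")
    else:
        text = SAMPLE_LOG
    print(report(analyze(text.splitlines())))
```

The grouping by scan GUID matters in practice: a single endpoint that shows the warning for every recent scan directory is the prerequisite case, whereas a lone warning from weeks ago may already have been fixed by a later update.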

Scans are not completed on Linux endpoints

Patch 2.3.5 supports Red Hat and CentOS Linux endpoints. Patch 2.4.3 also supports Oracle and Amazon Linux endpoints. Patch 3.2.160 also supports SUSE endpoints.

If you are having difficulty getting scans to run on Linux endpoints:

  1. On the Patch Overview page, click Settings and then click Operating Systems to verify that the Enhanced Linux Support option is enabled.
  2. Verify that the Patch - Is Process Running sensor returns Yes for your Linux endpoints.
  3. Verify that the Tanium Server can reach the repomd.xml file of each configured repository by appending /repodata/repomd.xml to the configured baseurl value.
  4. Check the endpoint log at /opt/Tanium/TaniumClient/Tools/Patch/logs/patch-process.log for errors.
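As an added example, not Tanium's code, this Python check carries out step 3 from a shell: it builds the repomd.xml URL from each baseurl, fetches it, and verifies that what comes back is really yum/dnf repository metadata rather than a proxy or captive-portal page (the root element must be repomd in the http://linux.duke.edu/metadata/repo namespace and must advertise primary metadata). Run it on the Tanium Server, or on a host that shares its proxy and firewall path, so that the result reflects the server's reachability. The SAMPLE_REPOMD document, the offline fetcher and the baseurl in the usage line are constructed for the demonstration.

```python
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Tuple

REPO_NS = "http://linux.duke.edu/metadata/repo"  # yum/dnf repomd namespace
Fetcher = Callable[[str], Tuple[int, bytes]]


def repomd_url(baseurl: str) -> str:
    """Append /repodata/repomd.xml to the configured baseurl, tolerating a
    trailing slash (the check described in step 3 above)."""
    return baseurl.rstrip("/") + "/repodata/repomd.xml"


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Plain GET returning (status, body); HTTP errors become a status code."""
    req = urllib.request.Request(url, headers={"User-Agent": "repomd-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def check_repo(baseurl: str, fetcher: Fetcher = http_fetch) -> dict:
    """Return {'url', 'ok', 'reason', 'data'}; ok only when the URL answers
    200 with a repomd document that advertises primary metadata."""
    url = repomd_url(baseurl)
    try:
        status, body = fetcher(url)
    except Exception as exc:  # DNS, TLS, proxy or timeout problems
        return {"url": url, "ok": False, "reason": f"{type(exc).__name__}: {exc}", "data": []}
    if status != 200:
        return {"url": url, "ok": False, "reason": f"HTTP {status}", "data": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # Captive portals and proxy login pages usually land here.
        return {"url": url, "ok": False, "reason": f"not XML: {exc}", "data": []}
    if root.tag != f"{{{REPO_NS}}}repomd":
        return {"url": url, "ok": False, "reason": f"unexpected root element {root.tag}", "data": []}
    types = sorted(d.get("type", "") for d in root.findall(f"{{{REPO_NS}}}data"))
    ok = "primary" in types
    return {"url": url, "ok": ok,
            "reason": "" if ok else "repomd lists no primary metadata", "data": types}


# Constructed repomd.xml (not from a real repository) so the check can be
# exercised offline through offline_fetcher.
SAMPLE_REPOMD = b"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
  <revision>1700000000</revision>
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/filelists.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/updateinfo.xml.gz"/></data>
</repomd>
"""


def offline_fetcher(url: str) -> Tuple[int, bytes]:
    """Stand-in for http_fetch that serves the constructed sample."""
    return 200, SAMPLE_REPOMD


if __name__ == "__main__":
    # Usage: python repomd_check.py <baseurl> [<baseurl> ...]
    # With no arguments the constructed sample is checked through offline_fetcher.
    targets = sys.argv[1:] or ["https://repo.example.internal/rhel7/"]  # hypothetical baseurl
    fetch = http_fetch if len(sys.argv) > 1 else offline_fetcher
    exit_code = 0
    for base in targets:
        r = check_repo(base, fetch)
        print(f"{'OK  ' if r['ok'] else 'FAIL'} {r['url']} {r['reason']} {r['data']}")
        exit_code |= 0 if r["ok"] else 1
    sys.exit(exit_code)
```

A bare HTTP 200 is not enough: an intercepting proxy that returns a login page answers 200 as well, which is why the check parses the body and requires the repomd root element. The list of metadata types is printed so you can also confirm that the repository publishes what the scan needs.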

Red Hat Linux endpoints stuck in Waiting for Initial Scan status

If you configure a single repository that targets both Red Hat Enterprise Linux 6 Server (RPMs) and Red Hat Enterprise Linux 7 Server (RPMs) endpoints, the targeted endpoints might appear to be stuck in the Waiting for Initial Scan status.

  1. Verify that each major operating system version is targeted by its own repository.
  2. Target Linux endpoints by major operating system version.

Linux repository snapshots issues

If you encounter issues creating or using snapshots, review the following solutions. For information about specific snapshot errors, see Reference: Common errors.

Warning about a failed snapshot

A warning message indicates that a snapshot failed. To modify the snapshot, click Manage Repository Snapshots. To remove the warning, click Dismiss warning.

Patch process is not running on Linux endpoints

Start the Patch process:

  1. In Interact, ask the Get Operating System from all machines question.
  2. From the grid, select the Linux operating systems.
  3. Click Deploy Action. Choose the Patch - Start Patch Process [Non-Windows] package.
  4. Click Preview and then click Deploy Action.

End user notifications are not displayed or endpoints have errors

End user notifications are supported for Windows endpoints only. If end user notifications are not being displayed on the endpoints or the endpoints have errors (for example, their statuses are Non-compliant):

  1. Verify that the Tanium End-User Notifications solution is installed. For more information, see Tanium End-User Notifications User Guide: Installing End-User Notifications.
  2. Ask the question: Get End-User Notifications - Has Tools from all machines to check if your endpoints have the end user notification tools.
  3. Verify that any security software exclusions include the \Tanium\Tanium End User Notification Tools directory. For more information, see Security exclusions.
  4. Uninstall the End-User Notifications tools on the endpoints. For more information, see Tanium End-User Notifications User Guide: Remove End-User Notifications tools from endpoints. Then wait up to 10 minutes for the tools to automatically reinstall.

    You can also reinstall the End-User Notifications tools with the Endpoint Configuration - Reinstall Tool package.

Remove Patch tools from Windows and Linux endpoints

You can deploy an action to remove Patch tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. Prevent Patch tools from installing on endpoints and scheduled actions from running.
    1. From the Main menu, go to Administration > Actions > Action Groups.
    2. Click the Patch action group, change the Computer Groups, and click Save.
      • To prevent Patch actions on select endpoints, change the computer groups to no longer target the endpoint or computer group.
      • To prevent Patch actions on all endpoints, change the computer groups to No Computers.
  2. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
  3. In the results, select the row for Patch, drill down as necessary, and select the targets from which you want to remove Patch tools. For more information, see Tanium Interact User Guide: Drill Down.
  4. Click Deploy Action.
  5. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  6. For Tool Name, select Patch.

  7. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow the tools to be reinstalled automatically, clear the selection for Block reinstallation. Reinstallation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Patch to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  8. (Optional) To remove all Patch databases and logs from the endpoints, clear the selection for Soft uninstall.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

  9. (Optional) To also remove any tools that were dependencies of the Patch tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

  10. (Optional) In the Deployment Schedule section, configure a schedule for the action.

    If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

  11. Click Show preview to continue.
  12. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Patch

If you need to uninstall Patch, first clean up the Patch artifacts on the endpoint and then uninstall Patch from the server.

  1. Remove the Patch solution from the Tanium Module Server. From the Main menu, go to Administration > Configuration > Solutions.
    1. In the Patch section, select Patch, click Uninstall, and follow the process.
    2. Click Proceed with Uninstall.
      The uninstaller disables any actions.
    3. Return to the Solutions page and verify that the Import button is available for Patch.
      If the Patch module has not updated in the console, refresh your browser.
  2. Delete any remaining files in the <Module Server>\services\patch-service and <Module Server>\services\patch-files directories.
  3. Unregister all Patch-related sensors.
    1. Go to the Interact Overview page and click Settings.

    2. Filter the Registration & Collection tab to find the Patch-related sensors.

    3. For each sensor, select Actions > Release to unregister.
  4. Delete all Patch-related Endpoint Configuration items.
    1. From the Main menu, go to Shared Services > Endpoint Configuration > Configurations.
    2. Select Patch Toolset and all items in the Patch domain, and click Delete.
  5. Delete all scheduled actions under the Patch action group.
    1. From the Main menu, go to Administration > Actions > Scheduled Actions.
    2. Select the Patch action group.
    3. Select the scheduled actions and click More > Delete.
  6. Delete the Patch action group.
    1. From the Main menu, go to Administration > Actions > Action Groups.
    2. Select the Patch action group, click Migrate and Delete, and complete the process.

  7. Delete all Patch-related saved questions.
    1. From the Main menu, go to Administration > Content > Saved Questions.
    2. Select all Patch-related questions and click Delete.
  8. Delete all sensors prefixed with "Patch - ".
    1. From the Main menu, go to Administration > Content > Sensors.
    2. Select all sensors prefixed with "Patch - " and click Delete.
  9. Delete all packages prefixed with "Patch - ".
    1. From the Main menu, go to Administration > Content > Packages.
    2. Select all packages prefixed with "Patch - " and click Delete.

Restore the state of the Patch database

You can import the patch.db file to restore the Patch configuration.

  1. Stop the Patch service on the Tanium Module Server.
  2. Copy your patch.db file into the <Module Server>\services\patch-service\ directory, replacing the existing file.
  3. Restart the Patch service.
  4. In the Tanium Console, refresh the Patch workbench.
  5. Verify the restored configuration in the Patch workbench. For more information, see Configuring Patch.
    Any existing data, including patch lists, deployments, and associated patches and actions, appears in the Patch workbench.

    If a deployment scheduled action is missing, you might need to wait up to 5 minutes for it to show up.
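As an added example (not Tanium's code) of carrying out step 2 safely, the following Python script validates the file about to be installed and keeps a timestamped copy of the live file before replacing it, so a mistaken restore can be reversed. It assumes that patch.db is a SQLite 3 database (the 16-byte file header and PRAGMA integrity_check both rely on that), takes the patch-service directory as a parameter, and leaves stopping and restarting the Patch service (steps 1 and 3) to the operator. The demo() function runs the procedure in a throwaway directory with constructed data; the paths in the usage comment are hypothetical.

```python
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file


def is_sqlite_file(path: Path) -> bool:
    """Cheap header check before any file is touched."""
    try:
        with path.open("rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def integrity_ok(path: Path) -> bool:
    """PRAGMA integrity_check answers 'ok' for a consistent database."""
    con = sqlite3.connect(path)
    try:
        return con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    finally:
        con.close()


def restore_patch_db(backup: Path, service_dir: Path,
                     now: Optional[datetime] = None) -> Optional[Path]:
    """Replace <service_dir>/patch.db with `backup` (step 2 above) and return
    the path the previous live file was moved to, or None if there was none.
    Refuses a file that is not a consistent SQLite database and never deletes
    the live file: it is renamed with a UTC timestamp first."""
    live = service_dir / "patch.db"
    if not is_sqlite_file(backup):
        raise ValueError(f"{backup}: not a SQLite database file")
    if not integrity_ok(backup):
        raise ValueError(f"{backup}: integrity_check failed")
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H-%M-%SZ")
    saved = None
    if live.exists():
        saved = service_dir / f"patch.db.pre-restore-{stamp}"
        live.replace(saved)
    shutil.copy2(backup, live)
    return saved


def demo() -> dict:
    """Exercise the restore in a temporary directory with constructed data and
    return what happened, so the behaviour can be checked without a server."""
    with tempfile.TemporaryDirectory() as tmp:
        service_dir = Path(tmp) / "patch-service"
        service_dir.mkdir()
        good = Path(tmp) / "patch.db.backup"
        con = sqlite3.connect(good)
        con.execute("CREATE TABLE patch_lists (id INTEGER PRIMARY KEY, name TEXT)")
        con.commit()
        con.close()
        (service_dir / "patch.db").write_bytes(b"stale live file")  # pretend live db
        saved = restore_patch_db(good, service_dir,
                                 now=datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))
        bad = Path(tmp) / "notes.txt"
        bad.write_text("not a database")
        try:
            restore_patch_db(bad, service_dir)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "restored_is_sqlite": is_sqlite_file(service_dir / "patch.db"),
            "restored_integrity": integrity_ok(service_dir / "patch.db"),
            "backup_name": saved.name if saved else None,
            "backup_bytes": saved.read_bytes() if saved else None,
            "rejected_non_sqlite": rejected,
        }


if __name__ == "__main__":
    # Real use, with the Patch service stopped (hypothetical paths):
    #   restore_patch_db(Path(r"D:\backups\patch.db"),
    #                    Path(r"<Module Server>\services\patch-service"))
    print(demo())
```

The pre-restore copy is what lets you undo the step: if the workbench does not show the expected patch lists and deployments after the service restarts, stop the service again and move the patch.db.pre-restore-* file back into place.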

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.