Connecting directly to endpoints

Use Direct Connect to connect directly to an endpoint to troubleshoot an issue with live and historical data. You can use this data to:

  • Understand performance events that occurred on that endpoint.
  • Visualize process-level resource consumption data from the time of an incident.
  • See what processes are currently running and the resources they are consuming. If needed, you can terminate one or more processes on the endpoint.
  • Access important attributes about the endpoint (such as model, CPU speed, memory capacity, and disk space).
  • Download files from the endpoint to use for troubleshooting, such as log files.

For more information, see Tanium Direct Connect User Guide.

Create a direct connection

Connect directly to an endpoint from the Performance Overview page. The Direct Connect page provides detailed process and event information from the endpoint.

  • To use the simple search, enter the IP address or Computer Name (exactly as it appears in the Computer Name sensor) for the endpoint to which you want to connect. Select the endpoint from the results.
  • To use a filter, click Filter Builder. Build a query to search for the endpoint using advanced filters to filter question results based on match conditions.

    Click + and use the controls to add filter conditions:

    • Add Row: Add one or more conditions.
    • Add Group: Select this option to nest a Boolean operator and then use Add Row to build the nested expression.

You can also connect to an endpoint from Performance by clicking Direct Connect to Endpoint in the Action column of a table. For more information, see Connect directly to an endpoint.

The status of the connection is shown at the top of the page. To end the current connection, click Disconnect. If the connection ended due to a time-out, click Reconnect if you want to connect to the endpoint again.

Click Time Zone to set the time zone for the data on the page: UTC or Browser local.

Browse and download files from the endpoint

Use the file browser to download files that might be helpful for troubleshooting, such as log files. You must be assigned the Performance Administrator role, the Performance Operator role, or the Performance File Download permission to use this feature.

File browsing and download requires Direct Connect 1.3.0 or later. To browse or download files on Linux endpoints with XFS partitions, you must use Direct Connect 1.5.0 or later.

Browse files

Click Browse File System to open the file browser.

From the File Browser page, you can manually enter the path to a directory and click Open or select the directory from the list.

Include the trailing slash when you manually enter a directory path (for example, /var/log/ rather than /var/log).

Download files

Manually enter the full path to a file and click Open or select a file from the list to download it. The file is compressed and downloaded to your local browser download directory.

View the Live Process Monitor

The Live Process Monitor section displays details about the processes currently running on the endpoint. Columns with these details are shown by default: PID, Process, CPU, WSS (Windows endpoints), RSIZE (macOS and Linux endpoints), I/O Read Bytes (Windows and Linux endpoints), and I/O Write Bytes (Windows and Linux endpoints).

Click Customize Columns to add additional columns, such as CPU (not normalized), Commit (Windows endpoints), VSIZE (macOS and Linux endpoints), I/O Reads (Windows and Linux endpoints), I/O Writes (Windows and Linux endpoints), Handles (Windows and macOS endpoints), FDs (Linux endpoints), Threads (macOS and Linux endpoints), and Command Line (which shows the command line for the process).

The CPU column shows the average CPU utilization for the process across all cores on the endpoint. This value is normalized to a 0-100 percentage. On Windows endpoints, the normalized value usually matches what Task Manager reports. Click Customize Columns and add the CPU (not normalized) column to see the utilization calculated as the 0-100 value multiplied by the number of cores on the endpoint. A non-normalized value at or above 100 indicates that the process might be keeping one core fully busy, which the normalized value hides on a multi-core endpoint.
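The following is an added example, not Tanium code, that reproduces the two CPU views from constructed per-core utilization samples for a single process. The 90% threshold in the heuristic is an assumption for this example. It also shows the caveat the paragraph implies: a process pinned to one core and a process spread evenly across four cores both report 25% normalized and 100% non-normalized, so the non-normalized column is a prompt to look closer, not proof of a saturated core.

```python
"""Added example (not part of Tanium Performance): normalized vs. non-normalized
process CPU, computed from constructed per-core utilization samples."""


def normalized_cpu(per_core_pct):
    """Average utilization across all cores, 0-100 (the default CPU column)."""
    return sum(per_core_pct) / len(per_core_pct)


def unnormalized_cpu(per_core_pct):
    """The CPU (not normalized) column: normalized value times the core count."""
    return normalized_cpu(per_core_pct) * len(per_core_pct)


def single_core_suspect(per_core_pct, threshold=90.0):
    """Heuristic (an assumption for this example, not a Tanium rule): on a
    multi-core endpoint, a non-normalized value at or above the threshold marks
    the process as a candidate for being bound to one core. Only the per-core
    breakdown, which the chart does not show, can confirm it."""
    cores = len(per_core_pct)
    return cores > 1 and unnormalized_cpu(per_core_pct) >= threshold


def single_core_confirmed(per_core_pct, threshold=90.0):
    """Confirmation using per-core samples: one core is actually saturated."""
    return single_core_suspect(per_core_pct, threshold) and max(per_core_pct) >= threshold


# Constructed samples for a 4-core endpoint: one process pinning a single core,
# one multi-threaded process spread evenly across all four cores.
PINNED = [100.0, 0.0, 0.0, 0.0]
SPREAD = [25.0, 25.0, 25.0, 25.0]

if __name__ == "__main__":
    for name, sample in (("pinned", PINNED), ("spread", SPREAD)):
        print(f"{name}: CPU {normalized_cpu(sample):.0f}%  "
              f"CPU (not normalized) {unnormalized_cpu(sample):.0f}  "
              f"suspect={single_core_suspect(sample)} "
              f"confirmed={single_core_confirmed(sample)}")
```

Both samples produce identical chart values; only the pinned one is confirmed when per-core data is available, which is why the paragraph says the column "provides insight" rather than a verdict.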

Terminate a process on the endpoint

You can terminate one or more processes on the endpoint, which might resolve performance issues if a process hangs or uses too many resources. You must be assigned the Performance Administrator role, the Performance Operator role, or the Performance Kill Process permission to use this feature.

The terminate process action requires Direct Connect 1.3.0 or later.

Select one or more processes in the Live Process Monitor table and click Terminate Process (or Terminate Processes for multiple processes).

In the confirmation dialog, click Terminate Process, Force Terminate Process, or Cancel (Terminate Processes, Force Terminate Processes, or Cancel for multiple processes). The action requires you to re-authenticate: enter your user name and password, and click Submit.

View endpoint information

Hover over the Info icon to view the details about the endpoint: Operating System, Model, Serial Number, IP Address, Logical Processors, and Logged In Users.

The Resource Summary section shows the CPU, Memory, Network, and Disk information.

Set the time frame for the data

Select a time frame for the data: Past hour, Past 4 hours, Past 8 hours, Past day, Past 2 days, Past week, Custom.

Select Custom or click Set Custom Scope to define a custom date and time frame (in UTC). After you set the custom date and time frame, click Apply Scope.

View the charts

Charts show performance information for the endpoint for the selected time frame. You can expand and collapse the section for each chart.

Events

The Events section includes a grid with events that occurred on the endpoint during the selected time frame and the associated Rule Type, Start Time, Duration, and Details. Use the Filter items field to quickly filter the grid results.

In the Actions column, click Scope charts to time frame to scope the charts on the page to the time frame in which the event occurred. If the event was associated with specific processes, you can click Select top processes for this event in charts to select only those processes in the subsequent process-related charts.

CPU

The CPU section contains two charts:

  • Metrics: Shows several CPU-related metrics that give more detail about CPU use: CPU (%), User (%), Kernel (%), and Interrupt (%). Windows endpoints also include DPC (%). For Linux and macOS endpoints, you can select Load [1m], Load [5m], and Load [15m] to add those metrics to the chart.
  • Processes: Shows the processes that were running on the endpoint during the selected time frame. Select the specific processes that you want to see in the chart.

    If the selected time frame is one day or less, you can click Select top processes to select only the top processes for the selected time frame.

    The top processes are the processes that consumed the highest amount of CPU for the duration of the selected time frame.

Memory

The Memory section contains two charts:

  • Metrics: Shows two memory-related metrics that give more detail about memory use: Available and Used. For Windows endpoints, you can select Non-Paged Pool, Paged Pool, Pagefile Size, and Pagefile Used to add those metrics to the chart.
  • Processes: Shows the processes that were running on the endpoint during the selected time frame. Select the specific processes that you want to see in the chart.

    If the selected time frame is one day or less, you can click Select top processes to select only the top processes for the selected time frame.

    The top processes are the processes that consumed the highest amount of memory for the duration of the selected time frame.

    Because the data is collected by a 32-bit process, this Direct Connect chart caps the memory utilization it displays at 4 GB; a process using more than that is shown at 4 GB.

Network

Select an adapter from the drop-down menu. You can select the following metrics to show information about that adapter: Receive Throughput (bps), Send Throughput (bps), Receive Packets (pps), Send Packets (pps), Receive Discards (pps), Receive Errors (pps), Send Discards (pps), and Send Errors (pps).

Disk

The most active disk drive is selected by default. You can select a different disk drive from the drop-down menu. You can select the following metrics to show information about that disk: Active (%), Read (%), Write (%), Read (Bps), Write (Bps), Read Latency (ms), Write Latency (ms), Reads (ops), and Writes (ops).

The Active (%) metric indicates the disk time spent servicing read and write requests. On Windows endpoints, this value is the Average Disk Queue Length counter reported by Windows Performance Monitor (perfmon), expressed as a percentage (multiplied by 100). For example, if the Average Disk Queue Length for an endpoint is 1, the Active (%) metric reports 100%. The value exceeds 100% whenever the Average Disk Queue Length is greater than 1: a queue length of 3 gives an Active (%) of 300%. A value over 100% does not mean that processes are using three times more disk capacity than exists, nor by itself that there is a bottleneck.

The Read (%) and Write (%) metrics are similar to Active (%), but show only the operations read from or written to disk, respectively. These values are determined by the Average Disk Read Queue Length and Average Disk Write Queue Length values represented in percentages. As with Active (%), values over 100% do not necessarily indicate a problem on the endpoint.

If you are investigating a storage issue on an endpoint, the primary indicator is usually disk latency. If the Active (%), Read (%), and Write (%) metrics for an endpoint are high, check whether Read Latency (ms) and Write Latency (ms) are also high. If they are not, the disk is keeping up with its queue and the endpoint is likely not experiencing a storage issue.

For more information, see Microsoft: Windows Performance Monitor Disk Counters Explained.
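The following is an added example, not Tanium code, that reproduces how the Disk chart derives Active (%), Read (%), and Write (%) from the perfmon queue-length counters and then applies the triage rule above. The DiskSample fields, the sample values, and the 20 ms latency threshold are constructed for this example; Tanium publishes no such threshold, so set one from your own baselines.

```python
"""Added example (not part of Tanium Performance): queue length -> Active (%)
conversion and the latency-first storage triage rule, over constructed
perfmon-style samples."""

from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class DiskSample:
    """One collection interval for a single disk. Field names follow the perfmon
    counters the page refers to; the values used below are constructed."""
    avg_disk_queue_length: float        # Avg. Disk Queue Length
    avg_disk_read_queue_length: float   # Avg. Disk Read Queue Length
    avg_disk_write_queue_length: float  # Avg. Disk Write Queue Length
    read_latency_ms: float              # Read Latency (ms)
    write_latency_ms: float             # Write Latency (ms)


def queue_as_pct(queue_length: float) -> float:
    """Queue length expressed as a percentage: 1.0 -> 100%, 3.0 -> 300%."""
    return queue_length * 100.0


def disk_metrics(samples) -> dict:
    """Average the counters over the selected time frame and convert the three
    queue lengths to the chart's Active (%), Read (%), and Write (%)."""
    return {
        "active_pct": queue_as_pct(mean(s.avg_disk_queue_length for s in samples)),
        "read_pct": queue_as_pct(mean(s.avg_disk_read_queue_length for s in samples)),
        "write_pct": queue_as_pct(mean(s.avg_disk_write_queue_length for s in samples)),
        "read_latency_ms": mean(s.read_latency_ms for s in samples),
        "write_latency_ms": mean(s.write_latency_ms for s in samples),
    }


# Thresholds are assumptions for this example, not Tanium values.
BUSY_THRESHOLD_PCT = 100.0   # queue length above 1
LATENCY_THRESHOLD_MS = 20.0  # tune from your own baseline


def storage_verdict(m: dict) -> str:
    """Latency is the primary indicator; a high queue alone is not a problem."""
    busy = max(m["active_pct"], m["read_pct"], m["write_pct"]) > BUSY_THRESHOLD_PCT
    slow = max(m["read_latency_ms"], m["write_latency_ms"]) > LATENCY_THRESHOLD_MS
    if busy and slow:
        return "storage issue likely: deep queue and high latency"
    if busy:
        return "busy but healthy: queue over 100% with low latency is not a bottleneck"
    if slow:
        return "latency high with a shallow queue: check the storage path"
    return "healthy"


# Constructed windows: a backup job keeps the queue deep but requests are
# serviced quickly; the second disk is genuinely stalling.
BACKUP_WINDOW = [
    DiskSample(3.0, 2.5, 0.5, 4.0, 6.0),
    DiskSample(2.8, 2.3, 0.5, 5.0, 7.0),
]
STALLING_WINDOW = [
    DiskSample(3.0, 1.0, 2.0, 45.0, 120.0),
    DiskSample(3.4, 1.2, 2.2, 60.0, 150.0),
]

if __name__ == "__main__":
    for name, window in (("backup", BACKUP_WINDOW), ("stalling", STALLING_WINDOW)):
        m = disk_metrics(window)
        print(f"{name}: Active {m['active_pct']:.0f}%  Read {m['read_pct']:.0f}%  "
              f"Write {m['write_pct']:.0f}%  -> {storage_verdict(m)}")
```

Both windows show Active (%) near 300%, which is exactly the case the page warns about; only the latency columns separate the healthy backup disk from the stalling one.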

IO

Shows the IO usage by the processes that were running on the endpoint during the selected time frame. Select the specific processes that you want to see in the chart. If the selected time frame is one day or less, you can click Show Top Processes to select only the top processes for the selected time frame. The top processes are the processes that had the highest IO usage for the duration of the selected time frame.

The IO chart is available only for Windows and Linux endpoints.

Working with charts

Click the zoom in icon to zoom in on the charts. The charts and associated time frame adjust to a shorter range. For example, if the time range is set to Past Hour and the current charts show 15 minute increments from 3:00 PM - 4:00 PM, they shift to show 5 minute increments from 3:15 PM - 3:45 PM.

Click the zoom out icon to zoom out on the charts. The charts and associated time frame adjust to a longer range. For example, if the time range is set to Past Hour and the current charts show 15 minute increments from 3:00 PM - 4:00 PM, they shift to show 30 minute increments over a wider window, such as 2:30 PM - 4:30 PM.

Click the pan left icon to pan left in the charts. The charts and associated time frame shift to earlier times in the predefined increments. For example, if the time range is set to Past Hour and the current charts show 15 minute increments from 3:00 PM - 4:00 PM, they shift to show 15 minute increments from 2:30 PM - 3:30 PM.

Click the pan right icon to pan right in the charts. The charts and associated time frame shift to later times in the predefined increments. For example, if the time range is set to Past Hour and the current charts show 15 minute increments from 3:00 PM - 4:00 PM, they shift to show 15 minute increments from 3:30 PM - 4:30 PM.

Event annotations

Event annotations highlight in red the time span during which an event occurred. Click the annotation for more details about the event.

Event annotations for Application Crashes and System Crashes appear on all charts. Annotations for all other event types appear only on the specific charts to which they apply.

You can turn event annotations on or off in the scope section.