Troubleshooting Performance

Tanium as a Service is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium as a Service Deployment Guide: Troubleshooting Tanium as a Service.

To collect and send information to Tanium for troubleshooting, collect log and other relevant information.

Collect logs

The information is saved as a compressed ZIP file that you can download with your browser.

  1. From the Performance Overview page, click Help , then the Troubleshooting tab.
  2. Collect the troubleshooting package. Click Generate Support Package. When the ZIP file is ready, click Download Support Package.
  3. Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium Support.

Collect troubleshooting information from endpoints

You can use Client Management to directly connect to an endpoint and collect a bundle of logs and other artifacts.

  1. From the Main menu, click Administration > Shared Services > Client Management.

  2. From the Client Management menu, click Client Health.

  3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

    Matching results are displayed after the search completes.

  4. From the search results, click the computer name to connect to the endpoint.
  5. Click the Gather tab. In the Domain section, select the category or Tanium Solution for which you want to gather troubleshooting information.

  6. Click Gather from Endpoint.

    The selected logs and artifacts are gathered from the endpoint. The package appears in the Must Gathers section, and the name of the package corresponds with its time stamp.

  7. When Finished appears in the Run State column, select the package and click Download to download a ZIP file that contains the troubleshooting information.

For more information about connecting directly to endpoints, see Tanium Direct Connect User Guide.

For more information about using client health features in Client Management, see Tanium Client Management User Guide: Monitoring client health.

Unable to configure Retention Settings

In Performance 1.3.0 and later, you can configure Retention Settings to specify the Database maximum size and Database maximum days. Profiles created in Performance 1.2.1 and earlier do not include this setting. After you upgrade to Performance 1.3.0 or later, you can add this setting to a profile that you created in an earlier version by editing the profile, specifying the Retention Settings, and saving the profile.

Issues with the Performance Trends board

If you do not see the Performance board when you attempt to import it from the Trends gallery, check the status of the Trends client in Performance. Click Info on the Performance Overview page, and check the Trends Client section to see whether the Trends client is started.

If you do not see the latest version of the Performance board in Trends, remove the Performance board and import the board again from the initial gallery. Existing boards do not update automatically during an upgrade. For more information, see Tanium Trends User Guide: Importing the initial gallery.

Error when connecting to endpoints

You must have the Performance Direct Connect Read permission, which is provided by the Performance Administrator, Performance Read Only User, and Performance User roles, and the the Data Collection Registration Read Interact permission to connect directly to endpoints. If you are using Direct Connect 1.9.30 or later, you must also have the Data Collection Registration Read Interact permission to connect directly to endpoints.

If you do not have sufficient privileges, the connection attempt fails with this error: Failed to connect to endpoint <endpoint computer name>. Failed to query for endpoints. Request failed with status code 500403.

Monitor and troubleshoot Performance Coverage

The following table lists contributing factors into why the Performance coverage metric might report endpoints as Needs Attention or Unsupported, and corrective actions you can make.

Contributing factor Corrective action
Endpoints do not have a Performance profile installed

In Interact, ask the Get Performance - Configured from all machines question. The results from this question will tell you why an endpoint was classified as Needs Attention.

If the status for the endpoint is Needs Profile, check that the computer groups in your profiles cover all of the endpoints that you want to monitor.

Endpoints do not have the Performance tools installed

In Interact, ask the Get Performance - Configured from all machines question. The results from this question will tell you why an endpoint was classified as Needs Attention.

If the status for the endpoint is Needs Tools, ensure that all operating systems supported by Performance are included in the Performance and Direct Connect action groups. Membership in these action groups determines which endpoints receive the Performance and Direct Connect tools, which are required for Performance operations.

Endpoints do not have a supported version of the Tanium Client installed

In Interact, ask the Get Performance - Configured from all machines question. The results from this question will tell you why an endpoint was classified as Needs Attention.

If the status for the endpoint is Not Configured with details that state Needs Tanium Client Upgraded, upgrade the Tanium Client on the endpoint to a version that is supported by Performance. For a list of supported versions, see Requirements.

Endpoints do not have enough free disk space

In Interact, ask the Get Performance - Configured from all machines question. The results from this question will tell you why an endpoint was classified as Needs Attention.

If the status for the endpoint is Not Configured with details that state Needs More Disk Space, free up disk space on the endpoint. For more information on disk space requirements, see Disk space requirements.

The Tanium TSDB is disabled on the endpoint

In Interact, ask the Get Performance - Configured from all machines question. The results from this question will tell you why an endpoint was classified as Needs Attention.

If the status for the endpoint is Not Configured with details that state that Tanium TSDB is disabled, check to confirm that the endpoint is currently targeted by a profile. If the endpoint is currently targeted by a profile, but the Performance - Configured sensor still reports that Tanium TSDB is disabled on the endpoint, contact Tanium Support for assistance. For more information, see Contact Tanium Support.

Endpoints are not running a supported operating system

In Interact, ask the Get Performance - Configured from all machines question. If the result of this question is Unsupported, the endpoint operating system is not supported by Performance.

For a list of supported operating system versions, see Supported Operating Systems.

Monitor and troubleshoot Endpoints with Critical Performance Events

The following table lists contributing factors into why the endpoints with critical performance events metric might be higher than expected, and corrective actions you can make.

Contributing factor Corrective action
Resource intensive software
  • Consult the vendor.
  • Investigate other software interference (security software exclusions).
  • Investigate commonalities in software versions on affected machines.
Poorly performing hardware Consider replacing the models or upgrading their hardware.
Event thresholds poorly defined Consider raising thresholds and durations in one or more profiles.
System Crashes
  • Check for out-of-date driver versions.
  • Research causes of numerous bugcheck IDs.
  • Out of date BIOS or Firmware versions.
  • Out of date or known bad kernel-mode drivers.
  • Faulty hardware.
Low Disk Capacity
  • Investigate what is using disk space.
  • Free up disk space.
  • Increase disk space available to users.
    • Expand virtual volumes.
    • Upgrade disks in physical machines.
Application Crashes
  • Consult the software vendor
  • Use the file browser in Direct Connect sessions to retrieve log or dump files and investigate them.

Remove Performance tools from endpoints

You can deploy an action to remove Performance tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the computers from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is <OS> equals True , for example: 
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals True
  2. In the results, select the row for Performance, drill down as necessary, and select the targets from which you want to remove Performance tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. On the Deploy Action page, enter Endpoint Configuration - Uninstall in the Enter package name here box, and select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Performance.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Re-installation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Performance to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Performance databases and logs from the endpoints, clear the selection for Soft uninstall.

  8. (Optional) To also remove any tools that were dependencies of the Performance tools that are not dependencies for tools from other modules, select Remove unreferenced dependencies.

  9. Click Show preview to continue.
  10. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Performance

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. In the Performance section, click Uninstall.
  3. Review the content that will be removed and click Uninstall.
  4. Enter your credentials and click OK to start the uninstall process.
  5. Return to the Solutions page and verify that the Import button is available for Performance.

By design, the uninstall process does not remove Performance content (packages, saved questions, and sensors) so that other solutions are not impacted if they use this content. If you are sure that this content is not being used by any other solutions, you can manually remove it.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.