Troubleshooting Performance

To collect and send information to Tanium for troubleshooting, collect log and other relevant information.

Collect logs

The information is saved as a compressed ZIP file that you can download with your browser.

  1. From the Performance Home page, click Help , then the Troubleshooting tab.
  2. Collect the troubleshooting package. Click Generate Support Package. When the ZIP file is ready, click Download Support Package.
  3. Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium Support.

Check the action group

Performance requires two actions to report metrics from an endpoint:

First, an action must run to install the performance tools on the endpoint. This action should run about an hour after an endpoint is added to a computer group that is included in the Performance action group. The scheduled action is named Performance - Distribute Tools [Operating System].

Second, when a profile is saved, an action must run to drop the profile (if it is new) or update the profile (if it is modified) on the targeted endpoints. This action should run about an hour after the profile is created or modified. The name of this scheduled action is Performance - Distribute profile Profile Number - [Operating System].

Complete these steps to verify the computer groups that are included in the Performance action group:

  1. From the Performance Home page, in the Configure Performance section, click the Add Computer Groups step and click Add Computer Groups.
  2. Review the computer groups that are listed in the Computer Group Targets field.
  3. If needed, click Edit to make changes.
  4. If you made changes, click Save.

To check the status of the Performance action group and saved actions, click Info on the Performance Home page and look at the values in the Performance Tools SA and Performance Tools SA sections.

Check the Trends client

If you do not see the Performance board when you attempt to import it from the Trends gallery, check the status of the Trends client in Performance. Click Info on the Performance Home page, and check the Trends Client section to see whether the Trends client is started.

Monitor and troubleshoot Performance Coverage

The following table lists contributing factors into why the Performance coverage metric might report endpoints as Needs Attention or Unsupported, and corrective actions you can make.

Contributing factor Corrective action
Endpoints do not have a Performance profile installed

In Interact, ask the Get Performance - Configured from all machines question. The results from this question will tell you why an endpoint was classified as Needs Attention.

 

If the status for the endpoint is Needs Profile, check that the computer groups in your profiles cover all of the endpoints that you want to monitor.

Endpoints do not have the Performance tools installed

In Interact, ask the Get Performance - Configured from all machines question. The results from this question will tell you why an endpoint was classified as Needs Attention.

 

If the status for the endpoint is Needs Tools, ensure that all operating systems supported by Performance are included in the Performance and Direct Connect action groups. Membership in these action groups determines which endpoints receive the Performance and Direct Connect tools, which are required for Performance operations.

Endpoints do not have a supported version of the Tanium Client installed

In Interact, ask the Get Performance - Configured from all machines question. The results from this question will tell you why an endpoint was classified as Needs Attention.

If the status for the endpoint is Not Configured with details that state Needs Tanium Client Upgraded, upgrade the Tanium Client on the endpoint to a version that is supported by Performance. For a list of supported versions, see Requirements.

Endpoints do not have enough free disk space

In Interact, ask the Get Performance - Configured from all machines question. The results from this question will tell you why an endpoint was classified as Needs Attention.

If the status for the endpoint is Not Configured with details that state Needs More Disk Space, free up disk space on the endpoint. A minimum of 500 MB of free disk space is required.

The Tanium TSDB is disabled on the endpoint

In Interact, ask the Get Performance - Configured from all machines question. The results from this question will tell you why an endpoint was classified as Needs Attention.

If the status for the endpoint is Not Configured with details that state that Tanium TSDB is disabled, check to confirm that the endpoint is currently targeted by a profile. If the endpoint is currently targeted by a profile, but the Performance - Configured sensor still reports that Tanium TSDB is disabled on the endpoint, contact your TAM for assistance.

Endpoints are not running a supported operating system

In Interact, ask the Get Performance - Configured from all machines question. If the result of this question is Unsupported, the endpoint operating system is not supported by Performance.

For a list of supported operating system versions, see Supported Operating Systems.

Monitor and troubleshoot Endpoints with Critical Performance Events

The following table lists contributing factors into why the endpoints with critical performance events metric might be higher than expected, and corrective actions you can make.

Contributing factor Corrective action
Resource intensive software
  • Consult the vendor.
  • Investigate other software interference (security software exclusions).
  • Investigate commonalities in software versions on affected machines.
Poorly performing hardware Consider replacing the models or upgrading their hardware.
Event thresholds poorly defined Consider raising thresholds and durations in one or more profiles.
System Crashes
  • Check for out-of-date driver versions.
  • Research causes of numerous bugcheck IDs.
  • Out of date BIOS or Firmware versions.
  • Out of date or known bad kernel-mode drivers.
  • Faulty hardware.
Low Disk Capacity
  • Investigate what is using disk space.
  • Free up disk space.
  • Increase disk space available to users.
    • Expand virtual volumes.
    • Upgrade disks in physical machines.
Application Crashes
  • Consult the software vendor
  • Use the file browser in Direct Connect sessions to retrieve log or dump files and investigate them.

Uninstall Performance

If you need to uninstall Performance, first clean up the Performance artifacts on endpoints and then uninstall Performance from the server.

Remove Performance content and tools from endpoints

Each operating system has its own remove action. Therefore, you must select a group of endpoints for cleanup that has the same operating system.

  1. From the Main menu, click Interact.
  2. Ask a question to target the endpoints from which you want to remove Performance content and tools. For example, Get Performance - Tools Version from all machines.
  3. Select the row for the endpoints from which you want to remove the Performance profile (Windows Package Installed, Mac Package Installed, or Linux Package Installed).
  4. Click Deploy Action.
  5. On the Deploy Action page, enter Performance - Remove in the Enter package name here field.
  6. Select the Performance - Remove Profile operating system action, where operating system matches the operating system of the endpoints that you selected.
  7. Click Show preview to continue.
  8. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.
  9. Return to Interact. If your question results are still available, select the row for the endpoints from which you want to remove the Performance tools. If they are not, reissue the Get Performance - Tools Version from all machines question and then select the appropriate row.
  10. On the Deploy Action page, enter Performance - Remove in the Enter package name here field.
  11. Select the Performance - Remove Tools operating system action, where operating system matches the operating system of the endpoints that you selected.
  12. Click Show preview to continue.
  13. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

Remove the Performance solution from the Tanium Module Server

  1. From the Main menu, click Tanium Solutions.
  2. In the Performance section, click Uninstall.
  3. Review the content that will be removed and click Uninstall.
  4. Depending on your configuration, enter your password or click Yes to start the uninstall process.
  5. Return to the Tanium Solutions page and verify that the Import button is available for Performance.

By design, the uninstall process does not remove Performance content (actions, packages, saved questions, and sensors) so that other solutions are not impacted if they use this content. If you are sure that this content is not being used by any other solutions, you can manually remove it.

Contact Tanium Support

To contact Tanium Support for help, send an email to [email protected].