Logs and troubleshooting

The logs for Tanium Core Platform servers do not apply in a Tanium Cloud deployment. If the Tanium Console displays error messages, you can review those errors in the Local Error Log. See Tanium Console User Guide: Work with the Console error log.

Tanium Cloud is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium Cloud Deployment Guide: Troubleshooting Tanium Cloud.

Tanium Core Platform servers generate several predefined logs that you can use to diagnose issues and unexpected behavior. You can also configure custom logs that copy specific content from the predefined logs based on filters.

For information about Tanium Client logs, see Tanium Client Management User Guide: Troubleshooting.

Contact Tanium Support if you need help to analyze logs.

Logging levels

The logging level determines how much detail Tanium Core Platform servers and Tanium Clients record in logs, from 0 (no logging) to 99 (the highest level of detail). Select a level that provides just enough detail for you to understand what happened during an event. If you set the level too high, logs might contain so much detail that finding a particular event becomes difficult, especially if the logs roll over quickly and you must search across multiple files. Furthermore, when the number of log files reaches the maximum, the oldest files are deleted and you lose their record of events. See Log rollover.

The following logging levels are best practices for specific use cases:

  • 0: Logging disabled.
  • 1: Normal (default) logging level. At this level, logs typically record error conditions (such as failed operations) but few informational messages (such as successful operations).
  • 11: Best practice value for long-term troubleshooting. At this level, logs generally record enough information to help you understand the history of issues that occur. You can leave the level at 11 indefinitely without the logs being cluttered with less useful information or rolling over too quickly.
  • 41: Best practice value for temporary troubleshooting. At this level, logs record details that are useful for diagnosing specific issues. When you finish troubleshooting the issue, the best practice is to revert to a lower logging level.
  • 91 or higher: Most detailed logging level for advanced debugging. Because this level causes logs to roll over quickly and include details that are excessive for most use cases, use it only for short periods and then revert to a lower logging level.

The logging level that you set on a platform server or Tanium Client applies to all the log types on that server or client. However, you can set the Tanium Downloader log to a different level than other logs on the same Tanium Server or Module Server. You have the following options for changing the logging level:

Troubleshooting workflow

Before you begin

As a best practice, configure the Tanium Platform Analyzer (TPAN) report with the following settings. The report can facilitate future troubleshooting regardless of whether your deployment currently has issues. For the specific steps, see Tanium Health Check User Guide: Configuring Health Check.

  • Number of reports to keep on disk: Enter 12.

  • Metrics collection schedule: Select Every 15 minutes.

    To see the current metrics, use your browser to navigate to https://<Tanium Server URL>/metrics and sign in as a user with the Administrator reserved role.

  • Enable Collection: Select Enabled.
  • Set Collection Schedule: Run the report at least once per week.

  • Log Level: Select Debug.

  • VDI in use: Select Yes if any Tanium Clients run on virtual desktop infrastructure (VDI) endpoints.
  • Active-Active 50/50?: Select Yes if the Tanium Servers have an active-active configuration.

You can use the default values for other settings.

Tanium Support might ask you to send TPAN reports if you request troubleshooting assistance. You can manually download the reports and manually or automatically share them with Tanium. See Tanium Health Check User Guide: Generating reports.

Figure 1: TPAN report

Troubleshoot issues during server deployment or solution operations

The following steps represent an overview of the tasks to perform if issues occur during the installation or upgrade of Tanium Core Platform servers, or during the regular operation of Tanium solutions:

  1. Perform troubleshooting tasks that are specific to the activity during which the issue occurred, as described in the following guides. First perform the tasks that do not require reviewing logs. If those initial tasks do not resolve the issue, perform the remaining tasks in this workflow to review reports and logs.
    Activity | User Guide
    Installing or upgrading the Appliance | Tanium Appliance Deployment Guide: Troubleshooting
    Installing or upgrading Tanium Core Platform servers on Windows infrastructure | Tanium Core Platform Deployment Guide for Windows: Troubleshooting
    Deploying and managing Tanium Clients | Tanium Client Management User Guide: Troubleshooting
    Performing regular operations in the Tanium Console or Interact | Tanium Console User Guide: Troubleshooting
    Performing regular operations in other Tanium modules or shared services | Tanium Console User Guide: Troubleshoot solution-specific issues
  2. Run and review the TPAN report for a comprehensive view of the issues, risks, and performance of your Tanium environment.

  3. If the Tanium Console displays error messages, review them in the Console local error log.
  4. Review the Tanium Core Platform Server logs. These are the most comprehensive logs in terms of recording the broadest range of events.
  5. Review any other log types based on the activity during which the issue occurred. For example, if users encounter role permission errors during Console operations, review the RBAC log. See Log and report types.
  6. (Optional) If the logs do not have enough detail for you to understand an issue, raise the logging level to 41 (see Logging levels) and repeat the operation that triggered the issue. For example, import a solution if the previous attempt to import it failed.

    After you finish troubleshooting, set the logging level to 11 or lower.

  7. If analyzing logs on your own is insufficient to diagnose the issue, create a support package to send to Tanium Support and then Contact Tanium Support for additional help. The issue that you are troubleshooting determines which support package to send:

Log and report types

You can view the Local Error Log through the Tanium Console. The requirements for viewing other log types vary by infrastructure:

The following platform server logs are available on both the Appliance and Windows.

For log types that are available on Tanium Clients, see Tanium Client Management User Guide: Troubleshooting.

For details about logs that are available on only one type of Tanium infrastructure, see:

Platform servers do not generate certain log types unless errors occur or you raise the logging level beyond a specific threshold.

In the following sections, variables such as <Tanium Server> represent server installation directories.

To find specific events in a log, you can open it in a text editor or use CLI commands to search for keywords. For examples of useful search strings, see Filter regex.

Action scheduler log

  • Access:
    • Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/action-scheduler<#>.txt.
    • Windows: View the log <Tanium Server>\Logs\action-scheduler<#>.txt.
  • Content: This log records events that relate to scheduled actions, such as why the Tanium Server did or did not deploy actions. For example, the log records Tanium Client connection failures. At logging levels between 1 (default) and 41, the server generates the log only if errors occurred, such as actions failing to deploy. To record additional details for normal (successful) operations of scheduled actions, set the logging level to 91.

Authentication log

  • Access:
    • Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 8 (Auth0 Log).
    • Windows: View the log <Tanium Server>\Logs\auth<#>.txt.
  • Content: This log records user and service account access to the Tanium Console or API through all authentication methods, including SAML SSO, Lightweight Directory Access Protocol (LDAP), Active Directory (AD), Windows authentication, TanOS local authentication service, and API tokens.

Console local error log

  • Access: Sign in to the Tanium Console, expand the <user name> drop-down menu in the Main menu (header), and select Local Error Log.
  • Content: The Tanium Console maintains an error log on the local host computer for your web browser. It includes details on the last 100 errors that were returned to the Console in response to actions that you performed through the browser. For example, the log records errors that are associated with attempting to save a configuration or import a content file. The Console maintains a separate log for each browser that you use. See Tanium Console User Guide: Work with the Console error log.

Database upgrade log

  • Access:
    • Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 7 (DB Upgrade Log).
    • Windows: View the log <Tanium Server>\Logs\database-upgrade<#>.txt.
  • Content: This log records actions that the Tanium Server installer performs on Tanium database schemas when you upgrade the Tanium Core Platform.

Download catalog cleaner log

  • Access:
    • Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/download-catalog-cleaner<#>.txt.
    • Windows: View the log <Tanium Server>\Logs\download-catalog-cleaner<#>.txt.
  • Content: This log records events that relate to the periodic removal of files from the Tanium Server downloads directory. These are files that Tanium Clients request from Internet URLs upon executing certain content, such as action packages or sensors that require the files. The downloads cleaning process removes files only if they are associated with an allowed URL that has an expiration configured (default is seven days) and the files have expired. For details about allowed URL settings, see Tanium Console User Guide: Managing allowed URLs.

    Review the following logs for similar issues:
    • Package download log: This log records events that relate to the downloads queue for package files.
    • Package cache cleaner log: This log records events that relate to the removal of package files from the Tanium Server chunk cache (a sub-directory of the downloads directory).
    • Tanium Downloader log: This log records download events on the Tanium Server.

HTTP connection log

  • Access:
    • Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/http-access<#>.txt.
    • Windows: View the log <Tanium Server>\Logs\http-access<#>.txt.
  • Content: This log records all HTTP requests that are sent to port 443 on the Tanium Server. For example, the log records registration attempts by Tanium Clients or the Zone Server and Tanium API access attempts. The log includes timing information for the requests, such as date-time and duration.

LDAP log

  • Access:
    • Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/ldap<#>.txt.
    • Windows: View the log <Tanium Server>\Logs\ldap<#>.txt.
  • Content: This log records LDAP synchronization and authentication events for interactions between the Tanium Server and LDAP servers.
At any given time in an active-active deployment, only one Tanium Server performs synchronization and records synchronization events in its LDAP log.

The Authentication log can also help you troubleshoot LDAP authentication issues.

Module plugin history log

  • Access:
    • Appliance: Open read-only restricted shell and view the log on each server:
      • Tanium Server: <Tanium Server>/Logs/module-history<#>.txt
      • Module Server: <Module Server>/Logs/module-history<#>.txt
    • Windows: View the log on each server:
      • Tanium Server: <Tanium Server>\Logs\module-history<#>.txt
      • Module Server: <Module Server>\Logs\module-history<#>.txt
  • Content: This log records all HTTP requests from the Tanium Server to any solution on the Module Server. For example, if a Tanium Console user tries to access the Endpoints by Compliance Rule Failures chart, the user's browser sends the request to the Tanium Server, which forwards the request to the Module Server, which forwards the request to the Tanium™ Risk service. The log also records plugin executions. A plugin is an extension to a Tanium Core Platform component or solution. Plugin operations are usually transparent to users. However, Tanium Support might instruct you to review plugin details when troubleshooting unexpected behavior.

Module-provided privileges log

  • Access:
    • Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/module-provided-privileges<#>.txt.
    • Windows: View the log <Tanium Server>\Logs\module-provided-privileges<#>.txt.
  • Content: This log records events that relate to dependencies among Tanium solutions with respect to implicitly provided permissions. For example, if Tanium™ Deploy references a content set in Tanium™ Trends, an error occurs if you import Deploy but not Trends. As another example, the log records an error if you delete a content set that is associated with role permissions that are assigned to users. The Tanium Server generates this log only if the logging level is at least 40.

Package cache cleaner log

  • Access:
    • Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/package-cleaner<#>.txt.
    • Windows: View the log <Tanium Server>\Logs\package-cleaner<#>.txt.
  • Content: The Tanium Server uses cache storage for packages and associated files that actions reference. To conserve disk space, the server periodically removes packages and files that are no longer referenced by an action that has an issue date-time in the future. Before removing the package and files, the server waits until they have aged past the expiration interval (default 120 days) since the last issue date-time.
  • Review the following logs for similar issues:

Package download log

  • Access:
    • Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/package-download<#>.txt.
    • Windows: View the log <Tanium Server>\Logs\package-download<#>.txt.
  • Content: This log records events that relate to the download queue for package files that the Tanium Server downloads and deploys to Tanium Clients through actions. For example, the log might indicate why certain packages are not in the download queue. The server generates this log only if the logging level is at least 20.

    Review the following logs for similar issues:

PKI log

  • Access:
    • Appliance: Open read-only restricted shell and view the log on each server:
      • Tanium Server: <Tanium Server>/Logs/pki<#>.txt
      • Module Server: <Module Server>/Logs/pki<#>.txt
      • Zone Server: <Zone Server>/Logs/pki<#>.txt
    • Windows: View the log on each server:
      • Tanium Server: <Tanium Server>\Logs\pki<#>.txt
      • Module Server: <Module Server>\Logs\pki<#>.txt
      • Zone Server: <Zone Server>\Logs\pki<#>.txt
      • Zone Server Hub (if the hub is not on the Tanium Server): <Zone Server Hub>\Logs\pki<#>.txt
  • Content: This log records events that relate to changes in the set of digital keys that Tanium Core Platform components use to prove their identity to each other. For example, the log records key generation and revocation events. The log also records events that relate to trust approvals and denials among Tanium Servers, Zone Server Hubs, and Zone Servers.

PKI TLS log

  • Access:
    • Appliance: Open read-only restricted shell and view the log on each server:
      • Tanium Server: <Tanium Server>/Logs/pki-tls<#>.txt
      • Module Server: <Module Server>/Logs/pki-tls<#>.txt
      • Zone Server: <Zone Server>/Logs/pki-tls<#>.txt
    • Windows: View the log on each server:
      • Tanium Server: <Tanium Server>\Logs\pki-tls<#>.txt
      • Module Server: <Module Server>\Logs\pki-tls<#>.txt
      • Zone Server: <Zone Server>\Logs\pki-tls<#>.txt
      • Zone Server Hub (if the hub is not on the Tanium Server): <Zone Server Hub>\Logs\pki-tls<#>.txt
  • Content: This log records events that relate to Transport Layer Security (TLS) connections among Tanium Core Platform servers and Tanium Clients. For example, the log records TLS handshake failures that occur due to expired certificates.

PostgreSQL installation log

  • Access:
    • Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 3 (Database Operations menu), 1 (Display Postgre log file), and 2 (postgres.log).
    • Windows: View the log <Tanium installation directory>\Tanium Module Postgres\Install_postgres.log.
  • Content: This log records events that relate to the PostgreSQL database that the Module Server installer creates locally as the storage system for Tanium solutions.

RBAC log

  • Access:
    • Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 3 (Tanium Server RBAC Log).
    • Windows: View the log <Tanium Server>\Logs\rbac<#>.txt.
  • Content: This log records events that relate to Tanium role-based access control (RBAC). If users attempt operations that their assigned roles do not allow, the log indicates which permissions are missing. These operations include viewing, editing, reassigning, creating, or deleting configuration objects that are associated with permissions. Some examples are viewing persona configurations, editing sensors, reassigning computer groups for a user, moving filter groups to other content sets, or deleting platform settings.

    The Tanium Console displays an alert when you attempt an operation that fails due to missing permissions. You can then view the Console error log to find the reference number (Ref# <hash>) for that error. To see more details for the error, use the same reference number to find the corresponding entry in the RBAC log. The following entry is an example from the Console error log:

    ERROR: 400 Bad Request RBAC Exception (Ref# 1f14e8215610cf72): RBACInsufficientPrivilege

    The corresponding entry in the RBAC log might resemble the following record:

    2020-10-02T19:22:24.076Z[00:001652:] RBAC Exception (Ref# 1f14e8215610cf72) thrown during SOAP request processing: RBACInsufficientPrivilege - Operation: add question - Privileges: Any of these privileges ('administrator', 'write sensor', 'write action', 'write action for saved question', 'approve action', 'content administrator', 'write package', 'define question')

    See Tanium Console User Guide: Work with the Console error log.
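The Ref# lookup described above can be scripted. The following is an added example, not Tanium code: it pulls the reference number from a Console error entry, finds the matching RBAC log record, and splits out the denied operation and the privileges that would have allowed it. The record layout is inferred from the single sample record on this page, and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# Console error log entry: "... (Ref# <hash>): <error name>"
CONSOLE_REF = re.compile(r"\(Ref# (?P<ref>[0-9a-f]+)\):\s*(?P<error>\w+)")

# RBAC log record layout, inferred from the sample record on this page:
# <timestamp>[<thread info>] RBAC Exception (Ref# <hash>) thrown during <context>:
#   <error> - Operation: <operation> - Privileges: <text with quoted privilege names>
RBAC_RECORD = re.compile(
    r"^(?P<timestamp>[^\[\s]+)\[(?P<thread>[^\]]*)\]\s+"
    r"RBAC Exception \(Ref# (?P<ref>[0-9a-f]+)\) thrown during (?P<context>.+?): "
    r"(?P<error>\w+) - Operation: (?P<operation>.+?) - Privileges: (?P<privileges>.+)$"
)

# Entry quoted on this page.
CONSOLE_ENTRY = ("ERROR: 400 Bad Request RBAC Exception "
                 "(Ref# 1f14e8215610cf72): RBACInsufficientPrivilege")

RBAC_LINES = [
    # Record quoted on this page.
    "2020-10-02T19:22:24.076Z[00:001652:] RBAC Exception (Ref# 1f14e8215610cf72) "
    "thrown during SOAP request processing: RBACInsufficientPrivilege - "
    "Operation: add question - Privileges: Any of these privileges "
    "('administrator', 'write sensor', 'write action', "
    "'write action for saved question', 'approve action', "
    "'content administrator', 'write package', 'define question')",
    # Constructed record with a made-up reference number.
    "2020-10-02T19:25:01.310Z[00:001652:] RBAC Exception (Ref# aaaaaaaaaaaaaaaa) "
    "thrown during SOAP request processing: RBACInsufficientPrivilege - "
    "Operation: add question - Privileges: Any of these privileges "
    "('administrator', 'define question')",
    # Constructed line that is not an RBAC exception record.
    "2020-10-02T19:26:00.000Z[00:001652:] constructed unrelated message",
]


def console_ref(entry):
    """Return (reference number, error name) from a Console error log entry."""
    match = CONSOLE_REF.search(entry)
    if match is None:
        raise ValueError("no Ref# found in Console error entry")
    return match.group("ref"), match.group("error")


def parse_rbac(line):
    """Parse one RBAC log line; return None if it is not an exception record."""
    match = RBAC_RECORD.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    record["privileges"] = re.findall(r"'([^']+)'", record["privileges"])
    return record


def find_rbac_records(ref, lines):
    """All RBAC exception records that carry the given reference number."""
    return [r for r in map(parse_rbac, lines) if r and r["ref"] == ref]


def denied_operations(lines):
    """Count denied operations across a log, for a quick view of repeated denials."""
    return Counter(r["operation"] for r in map(parse_rbac, lines) if r)


if __name__ == "__main__":
    ref, error = console_ref(CONSOLE_ENTRY)
    for rec in find_rbac_records(ref, RBAC_LINES):
        print(rec["timestamp"], error, "operation:", rec["operation"])
        print("  any one of:", ", ".join(rec["privileges"]))
    print(dict(denied_operations(RBAC_LINES)))
```
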

Server logs

  • Access:
    • Appliance:
      • Tanium Server: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 1 (Tanium Server Log).
      • Module Server: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), and 3 (Tanium Module Server).
      • Zone Server: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), and 4 (Tanium Zone Server).
    • Windows: View the log on each server:
      • Tanium Server: <Tanium Server>\Logs\log<#>.txt
      • Module Server: <Module Server>\Logs\log<#>.txt
      • Zone Server: <Zone Server>\Logs\log<#>.txt
      • Zone Server Hub (if the hub is not on the Tanium Server): <Zone Server Hub>\Logs\log<#>.txt
  • Content: Each Tanium Core Platform server has a main log that is the most comprehensive in terms of which events it records. The server log includes all the events that other log types do not record. For example, the Tanium Server log records Tanium database access errors that result from incorrect credentials or permissions.

Solution logs and support packages

Tanium Downloader log

  • Access:
    • Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options for the corresponding server:
      • Tanium Server: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 2 (Tanium Server TDL Log)
      • Module Server: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 3 (Tanium Module Server menu), and 2 (Tanium Module Server TDL Log)
    • Windows: View the log on each server:
      • Tanium Server: <Tanium Server>\TDL_Logs\log<#>.txt
      • Module Server: <Module Server>\TDL_Logs\log<#>.txt
  • Content: This log records a history of the actions that the TDownloader service performs when it downloads files from Tanium and other Internet locations. If your deployment includes a proxy server, the log records connection status events on the proxy. The log might help you troubleshoot when importing or updating Tanium modules, shared services, content packs, and content configurations (such as package definitions).

  • The TDownloader log has its own logging level setting (default level is 1) that you can configure independently of other logs on the same server. For improved troubleshooting, you can set it to 41 indefinitely without the TDownloader log becoming cluttered with less useful information or rolling over too quickly. See Logging levels.

    If the TDownloader log indicates certificate errors, you might resolve the errors by updating the certificates that the service uses for downloads authentication. See Tanium Console User Guide: Managing downloads authentication.

    Review the following logs for similar issues:

    • Download catalog cleaner log: This log records events that relate to the removal of files that the Tanium Server downloads to serve Tanium Client requests.
    • Package cache cleaner log: This log records events that relate to the removal of package files from the Tanium Server chunk cache.
    • Package download log: This log records events that relate to the downloads queue for package files.

TPAN report

  • Access: Generate TPAN reports through Tanium Health Check. See Tanium Health Check User Guide: Generating reports.
  • Content: Provides a comprehensive view of the issues, risks, and performance of your Tanium environment. You can download reports locally to share with Tanium Support. Regularly collecting and sharing these reports can help Tanium provide you with the best support.

Workbenches manager log

  • Access:
    • Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 5 (Tanium Server Workbenches).
    • Windows: <Tanium Server>\plugins\console\WorkbenchesManager\workbenches_manager.log
  • Content: This log records events that relate to the installation and uninstallation of workbenches for Tanium solutions (modules and shared services). A workbench is the user interface that you use to perform solution operations.

Tanium Appliance logs and reports

For logs and reports that are specific to the Tanium Appliance, see Tanium Appliance Deployment Guide: Overview of Appliance logs, reports, and troubleshooting features.

Windows logs

Only Tanium Core Platform servers in a Windows deployment generate the Install.log file. Each server generates its own log.

  • Access: View the log on each server:
    • Tanium Server: <Tanium Server>\Install.log
    • Module Server: <Module Server>\Install.log
    • Zone Server: <Zone Server>\Install.log
  • Content: This log records actions that the installer for a Tanium Core Platform server performs during installations and upgrades. If you encounter issues with your installation, examine the logs to see which actions completed successfully and which failed. Each time you run the installer, it appends the actions for that execution to the end of the file instead of rolling over the file.

Log rollover

To clear space for new logs, Tanium Core Platform servers roll over and compress existing logs when they exceed the maximum log size (10 MB) and maximum number of logs. The maximum number of log files varies by log type and format. By default, custom log types have a maximum of 10 plain text logs and 10 ZIP logs.

Table 1: Number of log files
Log File Name | Plain Text | ZIP
action-scheduler<#>.txt | 10 | 10
auth<#>.txt | 10 | 10
database-upgrade<#>.txt | 10 | 10
download-catalog-cleaner<#>.txt | 10 | 10
http-access<#>.txt | 2 | 3
Install_postgres.log | 1 | 0
ldap<#>.txt | 10 | 10
log<#>.txt (main server log for each Tanium Core Platform server) | 10 | 10
log<#>.txt (TDownloader log) | 10 | 0
module-history<#>.txt | 2 | 3
module-provided-privileges<#>.txt | 10 | 10
package-cleaner<#>.txt | 10 | 10
package-download<#>.txt | 10 | 10
pki<#>.txt | 10 | 10
pki-tls<#>.txt | 10 | 10
rbac<#>.txt | 10 | 10
tanium-data.log<#>.txt | 10 | 10
workbenches_manager.log | 1 | 0

The following sections describe the rollover process. The variable <log_type#>.txt represents a log file name (such as log0.txt):

Rollover for plain text logs

When the first log file <log_type>0.txt reaches 10 MB in size, it is renamed <log_type>1.txt and a new <log_type>0.txt is created. When <log_type>0.txt again reaches 10 MB, <log_type>1.txt is renamed <log_type>2.txt, <log_type>0.txt is again renamed <log_type>1.txt, and <log_type>0.txt is again recreated. The process of rolling logs whenever <log_type>0.txt reaches 10 MB continues until the maximum number of plain-text logs exist. For example, each Tanium Core Platform server log has a maximum of 10 plain-text logs: log0.txt to log9.txt.

Rollover for ZIP logs

After recording the maximum number of plain-text logs, the oldest log is compressed. For example, log9.txt is saved as log10.zip. When <log_type>0.txt again reaches 10 MB, the file name of the first ZIP log is incremented (for example, log10.zip becomes log11.zip) and the oldest plain-text log is again compressed and replaces the first ZIP log. The ZIP file rollover process continues until the maximum number of ZIP files exist. For example, each Tanium Core Platform server log has a maximum of 10 ZIP files: log10.zip to log19.zip. When <log_type>0.txt reaches 10 MB again after that, the first ZIP log is created again (such as log10.zip) but the oldest ZIP log (such as log19.zip) is not renamed and is effectively dropped because the second oldest ZIP file replaces it (for example, log18.zip becomes the new log19.zip).
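The rename chain described in the two rollover sections determines how much history survives for each log type, which matters when you need a log as evidence of past events. The following is an added example, not Tanium code: it simulates the rollover as described above, tracking which generation of log content each file holds. The limits are copied from Table 1; the handling of a log type with zero ZIP files (the oldest plain-text file is dropped) is an assumption, because the page does not describe that case.

```python
MAX_LOG_MB = 10  # size at which <log_type>0.txt rolls over, as stated on this page

# (plain text, ZIP) limits copied from Table 1 for a few log types.
LIMITS = {
    "log": (10, 10),
    "auth": (10, 10),
    "rbac": (10, 10),
    "http-access": (2, 3),
    "module-history": (2, 3),
}


def file_name(prefix, index, max_plain):
    """Indexes below max_plain are plain text; higher indexes are ZIP files."""
    ext = "txt" if index < max_plain else "zip"
    return f"{prefix}{index}.{ext}"


def roll(generations, max_plain, max_zip):
    """Apply one rollover.

    generations[i] is the generation of content held by file index i
    (index 0 is the active log). Every file moves up one index, a new
    generation starts at index 0, and the file pushed past the last
    allowed index is dropped. Returns (new list, dropped generation or None).
    """
    shifted = [generations[0] + 1] + generations
    dropped = None
    if len(shifted) > max_plain + max_zip:
        dropped = shifted.pop()
    return shifted, dropped


def simulate(prefix, max_plain, max_zip, rollovers):
    """Return ([(file name, generation), ...], [dropped generations])."""
    generations, dropped = [0], []
    for _ in range(rollovers):
        generations, gone = roll(generations, max_plain, max_zip)
        if gone is not None:
            dropped.append(gone)
    listing = [(file_name(prefix, i, max_plain), g)
               for i, g in enumerate(generations)]
    return listing, dropped


def retention(prefix):
    """Files kept and the upper bound on uncompressed log text they hold (MB)."""
    max_plain, max_zip = LIMITS[prefix]
    files = max_plain + max_zip
    return files, files * MAX_LOG_MB


if __name__ == "__main__":
    for prefix in ("log", "http-access"):
        listing, dropped = simulate(prefix, *LIMITS[prefix], rollovers=25)
        print(prefix, "keeps", retention(prefix), "lost generations:", dropped)
        # Oldest first is the order in which to read the files as a timeline.
        print("  read order:", [name for name, _ in reversed(listing)])
```
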

Create a custom log

If you want to troubleshoot only specific information in predefined Tanium logs, you can configure a Tanium Core Platform server or Tanium Client to filter the logs based on a regular expression and to copy the matching content to a custom log. Custom logs are especially useful if you set a high logging level for the predefined logs such that they roll over too quickly and record too much information for you to easily find specific issues. You can create as many custom logs as necessary and base each one on a different filter. After you configure a new log type, the platform server or client creates a custom log file upon recording an event in a predefined log that matches the regular expression. Thereafter, whenever the predefined logs record additional events that match the filter, the server or client copies those records to the custom log.

Log filtering can consume significant resources on a server or client, especially if you set a high logging level. Therefore, the best practice is to remove custom logs after you finish a troubleshooting session. For more information, see the logging level setting in Table 2.

The following procedures describe how to configure custom logs using the TanOS console (Appliance) or using the CLI command executables and options listed in Table 2 (Tanium Clients or platform servers on Windows).

 Table 2: CLI command executables and options for custom logs
Executable/Option Description
Executable: The Tanium Client and Tanium Core Platform servers use the following executables for running CLI commands. The executables reside in the server or client installation directory.
  • Tanium Server: TaniumReceiver
  • Module Server: TaniumModuleServer
  • Zone Server or Zone Server Hub: TaniumZoneServer
  • Tanium Client: TaniumClient

Log prefix: The log file prefix. The server or client automatically appends a number to the prefix and adds the suffix (.txt) upon generating the log. For example, if you enter CompletedRegistrations as the prefix for a custom client log, the first file that the client generates for that log type is CompletedRegistrations0.txt.

Filter regex: The regular expression to use for filtering the predefined logs. The server or client copies log entries that match the filter to the custom log.

The filter applies only to log messages, not to thread names, thread IDs, or timestamps.

The following are examples of useful filter expressions for the Tanium Server Install.txt log:

  • .*Begin MiniDumper.* records messages about application crashes.

  • .*Failing to sync sensors.* identifies sensor synchronization failures.
  • .*msg=NoMaxAgeFound.* records instances where the Tanium Server issues a question that uses deleted sensors.
  • .*Client Certificate auth.* records authentication messages relating to Tanium Client certificates. This is useful for troubleshooting smart card (common access card) authentication issues. See Troubleshoot smart card authentication.

The following are examples of useful filter expressions for Tanium Server or Zone Server Install.txt logs:

  • .*Begin registration.* identifies Tanium Clients that are trying to register.
  • .*Registration complete.* identifies clients that successfully registered.

Logging level: The logging level of the custom log. For details, see Logging levels.

Higher logging levels consume more resources on the server or client. If different custom log types have different levels, the server or client generates all log types at the highest level that is set for any custom log type. This ensures that filter matching applies to all log messages at the highest configured level. However, in this case, each log file still contains only the level of detail that corresponds to the level you set for its log type. For example, you might set the logging level to 1 for predefined logs on the Tanium Server and set the level to 91 for a custom log. In this case, the server generates log messages at level 91 for all log types and the custom log contains messages at level 91, but the predefined logs contain messages only at level 1.
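Because the filter applies only to the message part of a log entry, it helps to preview a Filter regex against sample entries before you configure the custom log. The following is an added example, not Tanium code: it splits each entry into timestamp, thread information, and message using the layout of the RBAC sample record on this page, then reports which entries the filter would copy. All sample entries are constructed. The preview uses Python's regex engine and whole-message matching, which the `.*text.*` form of the page's example filters suggests but the page does not state.

```python
import re

# Layout taken from the sample record on this page:
# <timestamp>[<thread info>] <message>
ENTRY = re.compile(r"^(?P<timestamp>[^\[\s]+)\[(?P<thread>[^\]]*)\]\s?(?P<message>.*)$")

# Constructed sample entries; only the quoted keywords come from this page.
SAMPLE_ENTRIES = [
    "2020-11-16T21:28:03.114Z[00:001652:] Client Certificate auth (constructed sample)",
    "2020-11-16T21:28:04.020Z[00:001700:] Begin registration (constructed sample)",
    "2020-11-16T21:28:04.950Z[00:001700:] Registration complete (constructed sample)",
    "2020-11-16T21:29:10.500Z[00:001652:] Unrelated message (constructed sample)",
]


def message_of(entry):
    """Return the message part of a log entry, without timestamp or thread info."""
    match = ENTRY.match(entry)
    return match.group("message") if match else entry


def preview(filter_regex, entries):
    """Return the entries whose message the filter matches in full."""
    try:
        pattern = re.compile(filter_regex)
    except re.error as exc:
        raise ValueError(f"invalid filter regex {filter_regex!r}: {exc}") from exc
    return [e for e in entries if pattern.fullmatch(message_of(e))]


def preview_all(filters, entries):
    """Map each custom log prefix to the entries its filter would copy."""
    return {prefix: preview(regex, entries) for prefix, regex in filters.items()}


if __name__ == "__main__":
    filters = {
        "CACAuthLog": r".*Client Certificate auth.*",        # example from this page
        "CompletedRegistrations": r".*Registration complete.*",
        "ByTimestamp": r"2020-11-16T21:28.*",                # matches nothing: not message text
    }
    for prefix, hits in preview_all(filters, SAMPLE_ENTRIES).items():
        print(f"{prefix}0.txt would receive {len(hits)} entries")
        for entry in hits:
            print("   ", entry)
```
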

Appliance: Create a custom log

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 1 to go to the Tanium Server Config Settings menu.
  5. For each log setting (LogVerbosityLevel, LogPrefix, and FilterRegex), enter A to add the setting and then enter its value. Table 2 describes the settings. For the <log subject>, specify any text string to identify the purpose of the log.
    • Logs.<log subject>.LogVerbosityLevel
    • Logs.<log subject>.LogPrefix
    • Logs.<log subject>.FilterRegex

    For example, if the log is for troubleshooting common access card (CAC) authentication, you might specify the following values:

    • Logs.CAC.LogVerbosityLevel = 41
    • Logs.CAC.LogPrefix = CACAuthLog
    • Logs.CAC.FilterRegex = .*Client Certificate auth.*

To review the log after the Appliance generates messages that match the filter:

  1. Open a read-only (RO) restricted shell. See Tanium Appliance Deployment Guide: Open read-only restricted shell.
  2. Go to the Logs directory:

    cd /opt/Tanium/TaniumServer/Logs

  3. List the directory contents:

    ls -la

    The following is an example of the output, including the custom log CACAuthLog:

    total 1264
    drwxr-x---. 2 tanium tanium 4096 Nov 16 21:24 .
    drwxr-x---. 20 tanium tanium 4096 Nov 16 22:15 ..
    -rw-r-----. 1 tanium tanium 685 Nov 16 21:28 CACAuthLog0.txt
    -rw-r-----. 1 tanium tanium 2805 Oct 26 19:39 auth0.txt
    -rw-r-----. 1 tanium tanium 322930 Oct 26 18:41 database-upgrade0.txt
    -rw-r-----. 1 tanium tanium 857760 Nov 16 19:36 http-access0.txt
    -rw-r-----. 1 tanium tanium 31873 Nov 16 20:01 log0.txt
    -rw-r-----. 1 tanium tanium 27082 Nov 16 19:36 module-history0.txt
    -rw-r-----. 1 tanium tanium 17223 Nov 16 19:33 package-cleaner0.txt
    -rw-r-----. 1 tanium tanium 3300 Oct 26 18:46 pki0.txt

  4. Display the custom log contents using standard UNIX commands such as more, cat, or tail:

    more CACAuthLog0.txt

  5. When you finish viewing the log contents, enter exit to close the shell.

Windows: Create a custom log for platform servers or clients

Perform the following steps using the command executables and options listed in Table 2 to create a custom log on a Tanium Core Platform server or Tanium Client that is installed on a Windows host.

  1. Sign in to the host system of the platform server or Tanium Client.

  2. Open the Command Prompt and navigate (cd) to the server or client installation directory.

  3. Configure a regular expression for the custom log.

    <executable> config set Logs.<log prefix>.FilterRegex "<filter regex>"

  4. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

    <executable> config set Logs.<log prefix>.LogVerbosityLevel <logging level>

macOS: Create a custom Tanium Client log

Perform the following steps using the command options listed in Table 2 to create a custom log on a managed macOS endpoint. The variable <Tanium Client> is the Tanium Client installation directory.

  1. Sign in to the endpoint that hosts the Tanium Client.

  2. Open the Terminal program.
  3. Configure a regular expression for the custom log.

    sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.FilterRegex "<filter regex>"

  4. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

    sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.LogVerbosityLevel <logging level>

Linux, Solaris, AIX: Create a custom Tanium Client log

Perform the following steps using the command options listed in Table 2 to create a custom log on a managed Linux, Solaris, or AIX endpoint. The variable <Tanium Client> is the Tanium Client installation directory.

  1. Sign in to the endpoint that hosts the Tanium Client.

  2. Configure a regular expression for the custom log.

    sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.FilterRegex "<filter regex>"

  3. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

    sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.LogVerbosityLevel <logging level>

Contact Tanium Support

Tanium Support is your first contact for assistance with preparing for and performing an installation or upgrade, as well as verifying and troubleshooting the initial deployment. If you require further assistance from Tanium Support, please be sure to include version information for Tanium Core Platform components and specific details on dependencies, such as the host system hardware and OS details and database server version.

To contact Tanium Support for help, sign in to https://support.tanium.com.