Logs

The logs for Tanium Core Platform servers do not apply in a Tanium as a Service deployment.

Tanium as a Service is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium as a Service Deployment Guide: Troubleshooting Tanium as a Service.

You can use Tanium Core Platform logs to diagnose issues and unexpected behavior. The logging level determines how much detail Tanium Core Platform servers record in the logs. The following logging levels are best practices for specific use cases:

  • 0: Logging disabled.
  • 1 (default): Normal log level.
  • 41: Best practice value during troubleshooting.
  • 91 or higher: Most detailed log level. Enable for short periods of time only.

To change the logging level through the Tanium Console for the Tanium Server and Tanium Module Server, see Tanium Console User Guide: Configure server logging levels. You can also change the logging level for platform servers by configuring the LogVerbosityLevel settings (see Tanium Core Platform settings) through the CLI on Windows or through the TanOS menus on the Tanium Appliance.

For information about Tanium Client logs, see Tanium Client Management User Guide: Troubleshooting.

Tanium Appliance

The Tanium Appliance supports the following log features:

Windows

To view Tanium Core Platform logs, you require access to the platform server hosts. In the following log file locations, variables such as <Tanium Server> represent the server installation directories.

Action scheduler logs

  • Content: Records events and issues that relate to scheduled actions. For example, the logs record information about why the Tanium Server did or did not deploy the actions. If you set the logging level to 1 (default) or 41, the server generates the logs only if errors occurred (such as actions failing to deploy). To record additional details for normal (successful) operations of scheduled actions, set the logging level to 91.
  • Location and file name: <Tanium Server>\Logs\action-scheduler<#>.txt

Authentication logs

  • Content: Records user access to the Tanium Console or API through all authentication methods.
  • Location and file name: <Tanium Server>\Logs\auth<#>.txt

Database upgrade logs

  • Content: Records actions that the Tanium Server installer performs on Tanium database schemas when you upgrade the Tanium Core Platform.
  • Location and file name: <Tanium Server>\Logs\database-upgrade<#>.txt

HTTP connection logs

HTTP connection logs are available in Tanium Core Platform 7.3 or later.

  • Content: Records attempts to connect to the Tanium Server. For example, the logs record registration attempts by Tanium Clients or the Zone Server.
  • Location and file name: <Tanium Server>\Logs\http-access<#>.txt

Installation logs

  • Content: Records actions that the installer for a Tanium Core Platform server performs during installations and upgrades. If you encounter issues with your installation, examine the logs to see which actions completed successfully and which failed. Each time you run the installer, it appends the actions for that execution to the end of the file instead of rolling over the file.
  • Location and file name:
    • Tanium Server: <Tanium Server>\Install.txt
    • Tanium Module Server: <Module Server>\Install.txt
    • Tanium Zone Server: <Zone Server>\Install.txt

LDAP logs

  • Content: Records LDAP synchronization and authentication events for interactions between the Tanium Server and LDAP servers.
  • Location and file name: <Tanium Server>\Logs\ldap<#>.txt

Module plugin history logs

Module plugin history logs are available in Tanium Core Platform 7.3 or later.

  • Content: Records plugin executions. A plugin is an extension to a Tanium Core Platform component or solution module. Plugin operations are usually transparent to users. However, Tanium Support might instruct you to review plugin details when troubleshooting unexpected behavior (contact [email protected]).
  • Location and file name:
    • Tanium Server: <Tanium Server>\Logs\module-history<#>.txt
    • Tanium Module Server: <Module Server>\Logs\module-history<#>.txt

Package cleaner logs

  • Content: Records which package files the Tanium Server removed from the shard cache because the packages no longer exist, the files expired, or the server replaced the files with updated versions.
  • Location and file name: <Tanium Server>\Logs\package-cleaner<#>.txt

PKI logs

PKI logs are available in Tanium Core Platform 7.4 or later.

  • Content: Records events related to the use of digital keys when Tanium Core Platform components prove their identity to each other. The logs also record events related to trust approvals and denials among Tanium Servers, Zone Servers, and Zone Server Hubs.
  • Location and file name:
    • Tanium Server: <Tanium Server>\Logs\pki<#>.txt
    • Tanium Module Server: <Module Server>\Logs\pki<#>.txt
    • Tanium Zone Server: <Zone Server>\Logs\pki<#>.txt
    • Tanium Zone Server Hub (if the hub is not on the Tanium Server): <Zone_Server_Hub_installation_folder>\Logs\pki<#>.txt

RBAC logs

  • Content: Records events related to Tanium role-based access control (RBAC). For example, when the Tanium Server denies users access to a resource, the logs indicate which required permissions are missing in the user roles.
  • Location and file name: <Tanium Server>\Logs\rbac<#>.txt

Server logs

  • Content: These are the main logs for each Tanium Core Platform server, and record all events that the other log types do not capture.
  • Location and file name:
    • Tanium Server: <Tanium Server>\Logs\log<#>.txt
    • Tanium Module Server: <Module Server>\Logs\log<#>.txt
    • Tanium Zone Server: <Zone Server>\Logs\log<#>.txt

Tanium Data Service logs

  • Content: Records operations related to collecting results for sensors that are registered for automatic collection. For each question that the Tanium Server issues to collect sensor results, the log has an entry that indicates the issue date-time, the question ID (Harvesting qid), and information about each sensor in the question.
  • Location and file name: <Module Server>\services\tanium-data-files\tanium-data.log<#>.txt

TDownloader logs

  • Content: History of the actions that the TDownloader service performs when it downloads files from Tanium and other Internet locations. The logs include proxy server connection status events when applicable. The TDownloader logs might help you troubleshoot when importing Tanium content packs and solution modules or downloading updates to package files.
  • Location and file name:
    • Tanium Server: <Tanium Server>\TDL_Logs\log<#>.txt
    • Tanium Module Server: <Module Server>\TDL_Logs\log<#>.txt

Rollover for Tanium Core Platform logs

To clear space for new logs, Tanium Core Platform servers roll over and compress existing logs when they exceed the maximum log size (1 MB) and maximum number of logs. The maximum number of log files varies by log type and format:

Table 1: Number of log files

Log File Name                                                      Plain Text  ZIP
action-scheduler<#>.txt                                            10          10
authlog<#>.txt                                                     10          10
database-upgrade<#>.txt                                            10          10
download-catalog-cleaner<#>.txt                                    10          10
http-access<#>.txt                                                 2           3
ldap<#>.txt                                                        10          10
log<#>.txt (main server log for each Tanium Core Platform server)  10          10
log<#>.txt (TDownloader log)                                       10          0
module-history<#>.txt                                              2           3
package-cleaner<#>.txt                                             10          10
pki<#>.txt                                                         10          10
rbac<#>.txt                                                        10          10

The rollover process is as follows, where <log_type#>.txt is the log file name (such as log0.txt):

Plain text logs

When the first log file <log_type>0.txt reaches 1 MB in size, it is renamed <log_type>1.txt and a new <log_type>0.txt is created. When <log_type>0.txt again reaches 1 MB, <log_type>1.txt is renamed <log_type>2.txt, <log_type>0.txt is again renamed <log_type>1.txt, and <log_type>0.txt is again recreated. The process of rolling logs whenever <log_type>0.txt reaches 1 MB continues until the maximum number of plain-text logs exist. For example, each Tanium Core Platform server log has a maximum of 10 plain-text logs: log0.txt to log9.txt.

ZIP logs

After recording the maximum number of plain-text logs, the oldest log is compressed. For example, log9.txt is saved as log10.zip. When <log_type>0.txt again reaches 1 MB, the file name of the first ZIP log is incremented (for example, log10.zip becomes log11.zip), and the oldest plain-text log is again compressed and replaces the first ZIP log. The ZIP file rollover process continues until the maximum number of ZIP files exist. For example, each Tanium Core Platform server log has a maximum of 10 ZIP files: log10.zip to log19.zip. When <log_type>0.txt reaches 1 MB again after that, the first ZIP log is created again (such as log10.zip) but the oldest ZIP log (such as log19.zip) is not renamed and is effectively dropped because the second oldest ZIP file replaces it (for example, log18.zip becomes the new log19.zip).
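
The rollover rules above, replayed as an added example (this is not Tanium code): it shows which file holds the oldest entries at any point, when a 1 MB segment drops off disk, and how to order the files for timeline review. The function names are hypothetical, and the ZIP numbering for log types other than the main server log is an assumption extrapolated from the log9.txt to log10.zip case.

```python
import re

# (plain-text files, ZIP files) per log type, copied from Table 1 on this page.
LIMITS = {"log": (10, 10), "http-access": (2, 3)}

def file_name(log_type, index):
    """Rolled-file name for a generation index; index 0 is the active log.
    Assumes ZIP numbering continues after the last plain-text index for every
    log type, as the page shows for log9.txt -> log10.zip."""
    plain_max, _ = LIMITS[log_type]
    return f"{log_type}{index}.{'txt' if index < plain_max else 'zip'}"

def simulate(log_type, rollovers):
    """Replay `rollovers` 1 MB rollovers. Returns ({file name: segment number},
    [segment numbers that fell out of retention]); segment 0 is the oldest."""
    slots = sum(LIMITS[log_type])
    files, lost = {file_name(log_type, 0): 0}, []
    for segment in range(1, rollovers + 1):
        last = file_name(log_type, slots - 1)
        if last in files:
            lost.append(files[last])        # oldest file is overwritten
        shifted = {}
        for i in range(slots - 1, 0, -1):   # every file moves up one index
            prev = file_name(log_type, i - 1)
            if prev in files:
                shifted[file_name(log_type, i)] = files[prev]
        shifted[file_name(log_type, 0)] = segment  # fresh active log
        files = shifted
    return files, lost

def oldest_first(names, log_type):
    """Order one log type's files for timeline review (highest index = oldest).
    A plain string sort would misplace log10.zip between log1.txt and log2.txt."""
    pattern = re.compile(rf"{re.escape(log_type)}(\d+)\.(txt|zip)")
    hits = [(int(m.group(1)), n) for n in names if (m := pattern.fullmatch(n))]
    return [n for _, n in sorted(hits, reverse=True)]

if __name__ == "__main__":
    files, lost = simulate("log", 21)
    print(oldest_first(files, "log"))
    print("segments no longer on disk:", lost)
```
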