Logs and troubleshooting

The logs for Tanium Core Platform servers do not apply in a Tanium Cloud deployment. If the Tanium Console displays error messages, you can review those errors in the Local Error Log. See Tanium Console User Guide: Work with the Console error log.

Tanium Cloud is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium Cloud Deployment Guide: Troubleshooting Tanium Cloud.

Tanium Core Platform servers generate several predefined logs that you can use to diagnose issues and unexpected behavior. You can also configure custom logs that copy specific content from the predefined logs based on filters.

For information about Tanium Client logs, see Tanium Client Management User Guide: Troubleshooting.

Contact Tanium Support if you need help to analyze logs.

Logging levels

The logging level determines how much detail Tanium Core Platform servers and Tanium Clients record in logs, from 0 (no logging) to 99 (the highest level of detail). Select a level that provides just enough detail for you to understand what happened during an event. If you set the level too high, logs might contain so much detail that finding a particular event becomes difficult, especially if the logs roll over quickly and you must search across multiple files. Furthermore, when the number of log files reaches the maximum, the oldest files are deleted and you lose their record of events. See Log rollover.

The following logging levels are best practices for specific use cases:

0: Logging disabled.
1: Normal (default) logging level. At this level, logs typically record error conditions (such as failed operations) but few informational messages (such as successful operations).
11: Best practice value for long-term troubleshooting. At this level, logs generally record enough information to help you understand the history of issues that occur. You can leave the level at 11 indefinitely without the logs being cluttered with less useful information or rolling over too quickly.
41: Best practice value for temporary troubleshooting. At this level, logs record details that are useful for diagnosing specific issues. When you finish troubleshooting the issue, the best practice is to revert to a lower logging level.
91 or higher: Most detailed logging level for advanced debugging. Because this level causes logs to roll over quickly and include details that are excessive for most use cases, use it only for short periods and then revert to a lower logging level.

The logging level that you set on a platform server or Tanium Client applies to all the log types on that server or client. However, you can set the Tanium Downloader log to a different level than other logs on the same Tanium Server or Module Server. You have the following options for changing the logging level:

Tanium Server and Tanium Module Server: Change the logging level through the Tanium Console. See Tanium Console User Guide: Configure server logging levels.
All Tanium Core Platform servers: Configure the LogVerbosityLevel settings through the Console (see Tanium Core Platform settings), the CLI on Windows (see Windows: CLI), or the TanOS menus on the Appliance (see Tanium Appliance).
Tanium Downloader: Configure the LogVerbosityLevel setting through the CLI on Windows (see Windows: CLI) or the TanOS menus on the Appliance (see Tanium Appliance Deployment Guide: Edit TDownloader settings).
Custom logs: For details about the logging level impact on custom logs, or to change the level, see CLI command executables and options for custom logs.

Troubleshooting workflow

Before you begin

As a best practice, configure the Tanium Platform Analyzer (TPAN) report with the following settings. The report can facilitate future troubleshooting regardless of whether your deployment currently has issues. For the specific steps, see Tanium Health Check User Guide: Configuring Health Check.

Number of reports to keep on disk: Enter 12.
Metrics collection schedule: Select Every 15 minutes.

To see the current metrics, use your browser to navigate to https://<Tanium Server URL>/metrics and sign in as a user with the Administrator reserved role.
Enable Collection: Select Enabled.
Set Collection Schedule: Run the report at least once per week.
Log Level: Select Debug.
VDI in use: Select Yes if any Tanium Clients run on virtual desktop infrastructure (VDI) endpoints.
Active-Active 50/50?: Select Yes if the Tanium Servers have an active-active configuration.

You can use the default values for other settings.

Tanium Support might ask you to send TPAN reports if you request troubleshooting assistance. You can manually download the reports and manually or automatically share them with Tanium. See Tanium Health Check User Guide: Generating reports.

Troubleshoot issues during server deployment or solution operations

The following steps represent an overview of the tasks to perform if issues occur during the installation or upgrade of Tanium Core Platform servers, or during the regular operation of Tanium solutions:

Perform troubleshooting tasks that are specific to the activity during which the issue occurred, as described in the following guides. First perform the tasks that do not require reviewing logs. If those initial tasks do not resolve the issue, perform the remaining tasks in this workflow to review reports and logs.

Activity	User Guide
Installing or upgrading the Appliance	Tanium Appliance Deployment Guide: Troubleshooting
Installing or upgrading Tanium Core Platform servers on Windows infrastructure	Tanium Core Platform Deployment Guide for Windows: Troubleshooting
Deploying and managing Tanium Clients	Tanium Client Management User Guide: Troubleshooting
Performing regular operations in the Tanium Console or Interact	Tanium Console User Guide: Troubleshooting
Performing regular operations in other Tanium modules or shared services	Tanium Console User Guide: Troubleshoot solution-specific issues

Run and review the TPAN report for a comprehensive view of the issues, risks, and performance of your Tanium environment.
If the Tanium Console displays error messages, review them in the Console local error log.
Review the Tanium Core Platform Server logs. These are the most comprehensive logs in terms of recording the broadest range of events.
Review any other log types based on the activity during which the issue occurred. For example, if users encounter role permission errors during Console operations, review the RBAC log. See Log and report types.
(Optional) If the logs do not have enough detail for you to understand an issue, raise the logging level to 41 (see Logging levels) and repeat the operation that triggered the issue. For example, import a solution if the previous attempt to import it failed.

After you finish troubleshooting, set the logging level to 11 or lower.
If analyzing logs on your own is insufficient to diagnose the issue, create a support package to send to Tanium Support and then Contact Tanium Support for additional help. The issue that you are troubleshooting determines which support package to send:
- Issues with specific Tanium solutions: See Solution logs and support packages.
- Issues with the Appliance: To run and export a report on the status of the Appliance system, processes, and network interfaces, see Tanium Appliance Deployment Guide: Run Tanium Support Gatherer.
- Issues with Tanium Core Platform servers in a Windows deployment: Send the latest TPAN report.

Log and report types

You can view the Local Error Log through the Tanium Console. The requirements for viewing other log types vary by infrastructure:

Platform server logs:
- Tanium Appliance: You must sign in to the TanOS console as a user with the tanadmin role to access most logs. However, some logs require you to open a read-only (RO) restricted shell. See Tanium Appliance Deployment Guide: Open read-only restricted shell.
- Windows: You require access to the platform server hosts.
Tanium Client logs: You require access to the endpoint hosts.
In addition to viewing action logs directly on individual endpoints, you can use the Console to view the action logs of up to 50 endpoints. See Tanium Console User Guide: Investigate action-related issues .

The following platform server logs are available on both the Appliance and Windows.

For log types that are available on Tanium Clients, see Tanium Client Management User Guide: Troubleshooting.

Action scheduler log
Authentication log
Console local error log
Database upgrade log
Download catalog cleaner log
HTTP connection log
LDAP log
Module plugin history log
Module-provided privileges log
Package cache cleaner log
Package download log
PKI log
PKI TLS log
PostgreSQL installation log
RBAC log
Server logs
Solution logs and support packages
Tanium Downloader log
TPAN report
Workbenches manager log

For details about logs that are available on only one type of Tanium infrastructure, see:

Tanium Appliance logs and reports
Windows logs

Platform servers do not generate certain log types unless errors occur or you raise the logging level beyond a specific threshold.

In the following sections, variables such as <Tanium Server> represent server installation directories.

To find specific events in a log, you can open it in a text editor or use CLI commands to search for keywords. For examples of useful search strings, see Filter regex.

Action scheduler log

Access:
- Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/action-scheduler<#>.txt.
- Windows: View the log <Tanium Server>\Logs\action-scheduler<#>.txt.
Content: This log records events that relate to scheduled actions, such as why the Tanium Server did or did not deploy actions. For example, the log records Tanium Client connection failures. At logging levels between 1 (default) and 41, the server generates the log only if errors occurred, such as actions failing to deploy. To record additional details for normal (successful) operations of scheduled actions, set the logging level to 91.

Authentication log

Access:
- Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 8 (Auth0 Log).
- Windows: View the log <Tanium Server>\Logs\auth<#>.txt.
Content: This log records user and service account access to the Tanium Console or API through all authentication methods, including SAML SSO, Lightweight Directory Access Protocol (LDAP), Active Directory (AD), Windows authentication, TanOS local authentication service, and API tokens.

Console local error log

Access: Sign in to the Tanium Console, click expand the <user name> drop-down menu in the Main menu (header), and select Local Error Log.
Content: The Tanium Console maintains an error log on the local host computer for your web browser. It includes details on the last 100 errors that were returned to the Console in response to actions that you performed through the browser. For example, the log records errors that are associated with attempting to save a configuration or import a content file. The Console maintains a separate log for each browser that you use. See Tanium Console User Guide: Work with the Console error log.

Database upgrade log

Access:
- Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 7 (DB Upgrade Log).
- Windows: View the log <Tanium Server>\Logs\database-upgrade<#>.txt.
Content: This log records actions that the Tanium Server installer performs on Tanium database schemas when you upgrade the Tanium Core Platform.

Download catalog cleaner log

Access:
- Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/download-catalog-cleaner<#>.txt.
- Windows: View the log <Tanium Server>\Logs\download-catalog-cleaner<#>.txt.
Content: This log records events that relate to the periodic removal of files from the Tanium Server downloads directory. These are files that Tanium Clients request from Internet URLs upon executing certain content, such as action packages or sensors that require the files. The downloads cleaning process removes files only if they are associated with an allowed URL that has an expiration configured (default is seven days) and the files have expired. For details about allowed URL settings, see Tanium Console User Guide: Managing allowed URLs.
Review the following logs for similar issues:
- Package download log: This log records events that relate to the downloads queue for package files.
- Package cache cleaner log: This log records events that relate to the removal of package files from the Tanium Server chunk cache (a sub-directory of the downloads directory).
- Tanium Downloader log: This log records download events on the Tanium Server.

HTTP connection log

Access:
- Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/http-access<#>.txt.
- Windows: View the log <Tanium Server>\Logs\http-access<#>.txt.
Content: This log records all HTTP requests that are sent to port 443 on the Tanium Server. For example, the log records registration attempts by Tanium Clients or the Zone Server and Tanium API access attempts. The log includes timing information for the requests, such as date-time and duration.

LDAP log

Access:
- Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/ldap<#>.txt.
- Windows: View the log <Tanium Server>\Logs\ldap<#>.txt.
Content: This log records LDAP synchronization and authentication events for interactions between the Tanium Server and LDAP servers.

At any given time in an active-active deployment, only one Tanium Server performs synchronization and records synchronization events in its LDAP log.

The Authentication log can also help you troubleshoot LDAP authentication issues.

Module plugin history log

Access:
- Appliance: Open read-only restricted shell and view the log on each server:
  - Tanium Server: <Tanium Server>/Logs/module-history<#>.txt
  - Module Server: <Module Server>/Logs/module-history<#>.txt
- Windows: View the log on each server:
  - Tanium Server: <Tanium Server>\Logs\module-history<#>.txt
  - Module Server: <Module Server>\Logs\module-history<#>.txt
Content: This log records all HTTP requests from the Tanium Server to any solution on the Module Server. For example, if a Tanium Console user tries to access the Endpoints by Compliance Rule Failures chart, the user browser sends the request to the Tanium Server, which forwards the request to the Module Server, which forwards the request to the Tanium™ Risk service. The log also records plugin executions. A plugin is an extension to a Tanium Core Platform component or solution. Plugin operations are usually transparent to users. However, Tanium Support might instruct you to review plugin details when troubleshooting unexpected behavior.

Module-provided privileges log

Access:
- Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/module-provided-privileges<#>.txt.
- Windows: View the log <Tanium Server>\Logs\module-provided-privileges<#>.txt.
Content: This log records events that relate to dependencies among Tanium solutions with respect to implicitly provided permissions. For example, if Tanium™ Deploy references a content set in Tanium™ Trends, an error occurs if you import Deploy but not Trends. As another example, the log records an error if you delete a content set that is associated with role permissions that are assigned to users. The Tanium Server generates this log only if the logging level is at least 40.

Package cache cleaner log

Access:
- Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/package-cleaner<#>.txt.
- Windows: View the log <Tanium Server>\Logs\package-cleaner<#>.txt.
Content: The Tanium Server uses cache storage for packages and associated files that actions reference. To conserve disk space, the server periodically removes packages and files that are no longer referenced by an action that has an issue date-time in the future. Before removing the package and files, the server waits until they have aged past the expiration interval (default 120 days) since the last issue date-time.

Review the following logs for similar issues:

Download catalog cleaner log: This log records events that relate to the removal of files that the Tanium Server downloads to serve Tanium Client requests.
Package download log: This log records events that relate to the downloads queue for package files.
Tanium Downloader log: This log records all download events on the Tanium Server.

Package download log

Access:
- Appliance: Open read-only restricted shell and view the log /opt/Tanium/TaniumServer/Logs/package-download<#>.txt.
- Windows: View the log <Tanium Server>\Logs\package-download<#>.txt.
Content: This log records events that relate to the download queue for package files that the Tanium Server downloads and deploys to Tanium Clients through actions. For example, the log might indicate why certain packages are not in the download queue. The server generates this log only if the logging level is at least 20.
Review the following logs for similar issues:
- Download catalog cleaner log: This log records events that relate to the removal of files that the Tanium Server downloads to serve Tanium Client requests.
- Package cache cleaner log: This log records events that relate to the removal of package files from the Tanium Server chunk cache.
- Tanium Downloader log: This log records all download events on the Tanium Server.

PKI log

Access:
- Appliance: Open read-only restricted shell and view the log on each server:
  - Tanium Server: <Tanium Server>/Logs/pki<#>.txt
  - Module Server: <Module Server>/Logs/pki<#>.txt
  - Zone Server: <Zone Server>/Logs/pki<#>.txt
- Windows: View the log on each server:
  - Tanium Server: <Tanium Server>\Logs\pki<#>.txt
  - Module Server: <Module Server>\Logs\pki<#>.txt
  - Zone Server: <Zone Server>\Logs\pki<#>.txt
  - Zone Server Hub (if the hub is not on the Tanium Server): <Zone Server Hub>\Logs\pki<#>.txt
Content: This log records events that relate to changes in the set of digital keys that Tanium Core Platform components use to prove their identity to each other. For example, the log records key generation and revocation events. The log also records events that relate to trust approvals and denials among Tanium Servers, Zone Server Hubs, and Zone Servers.

PKI TLS log

Access:
- Appliance: Open read-only restricted shell and view the log on each server:
  - Tanium Server: <Tanium Server>/Logs/pki-tls<#>.txt
  - Module Server: <Module Server>/Logs/pki-tls<#>.txt
  - Zone Server: <Zone Server>/Logs/pki-tls<#>.txt
- Windows: View the log on each server:
  - Tanium Server: <Tanium Server>\Logs\pki-tls<#>.txt
  - Module Server: <Module Server>\Logs\pki-tls<#>.txt
  - Zone Server: <Zone Server>\Logs\pki-tls<#>.txt
  - Zone Server Hub (if the hub is not on the Tanium Server): <Zone Server Hub>\Logs\pki-tls<#>.txt
Content: This log records events that relate to Transport Layer Security (TLS) connections among Tanium Core Platform servers and Tanium Clients. For example, the log records TLS handshake failures that occur due to expired certificates.

PostgreSQL installation log

Access:
- Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 3 (Database Operations menu), 1 (Display Postgre log file), and 2 (postgres.log).
- Windows: View the log <Tanium installation directory>\Tanium Module Postgres\Install_postgres.log.
Content: This log records events that relate to the PostgreSQL database that the Module Server installer creates locally as the storage system for Tanium solutions.

RBAC log

Access:
- Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 3 (Tanium Server RBAC Log).
- Windows: View the log <Tanium Server>\Logs\rbac<#>.txt.
Content: This log records events that relate to Tanium role-based access control (RBAC). If users attempt operations that their assigned roles do not allow, the log indicates which permissions are missing. These operations include viewing, editing, reassigning, creating, or deleting configuration objects that are associated with permissions. Some examples are viewing persona configurations, editing sensors, reassigning computer groups for a user, moving filter groups to other content sets, or deleting platform settings.

The Tanium Console displays an alert when you attempt an operation that fails due to missing permissions. You can then view the Console error log to find the reference number (Ref# <hash>) for that error. To see more details for the error, use the same reference number to find the corresponding entry in the RBAC log. The following entry is an example from the Console error log:

ERROR: 400 Bad Request RBAC Exception (Ref# 1f14e8215610cf72): RBACInsufficientPrivilege

The corresponding entry in the RBAC log might resemble the following record:

2020-10-02T19:22:24.076Z[00:001652:] RBAC Exception (Ref# 1f14e8215610cf72) thrown during SOAP request processing: RBACInsufficientPrivilege - Operation: add question - Privileges: Any of these privileges ('administrator', 'write sensor', 'write action', 'write action for saved question', 'approve action', 'content administrator', 'write package', 'define question')

See Tanium Console User Guide: Work with the Console error log.

Server logs

Access:
- Appliance:
  - Tanium Server: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 1 (Tanium Server Log).
  - Module Server: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), and 3 (Tanium Module Server).
  - Zone Server: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), and 4 (Tanium Zone Server).
- Windows: View the log on each server:
  - Tanium Server: <Tanium Server>\Logs\log<#>.txt
  - Module Server: <Module Server>\Logs\log<#>.txt
  - Zone Server: <Zone Server>\Logs\log<#>.txt
  - Zone Server Hub (if the hub is not on the Tanium Server): <Zone Server Hub>\Logs\log<#>.txt
Content: Each Tanium Core Platform server has a main log that is the most comprehensive in terms of which events it records. The server log includes all the events that other log types do not record. For example, the Tanium Server log records Tanium database access errors that result from incorrect credentials or permissions.

Solution logs and support packages

Log access:
- Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 2 (Module Log files Access menu), and <solution>.
- Windows: View the log <Module Server>\services\<solution>-files\logs\<solution>.log.
Log content: Each Tanium solution generates a log that records events that relate to the activities of that solution. Solutions include modules (such as Comply), shared services (such as Client Management), and platform services (such as Tanium Data Service).
Support packages: Tanium solutions enable you to create packages that collect all the logs and files that are relevant for troubleshooting. Tanium Support might request that you provide these packages to help you troubleshoot. See:

Tanium Downloader log

Access:
- Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options for the corresponding server:
  - Tanium Server: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 2 (Tanium Server TDL Log)
  - Module Server: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 3 (Tanium Module Server menu), and 2 (Tanium Module Server TDL Log)
- Windows: View the log on each server:
  - Tanium Server: <Tanium Server>\TDL_Logs\log<#>.txt
  - Module Server: <Module Server>\TDL_Logs\log<#>.txt
Content: This log records a history of the actions that the TDownloader service performs when it downloads files from Tanium and other Internet locations. If your deployment includes a proxy server, the log records connection status events on the proxy. The log might help you troubleshoot when importing or updating Tanium modules, shared services, content packs, and content configurations (such as package definitions).

The TDownloader log has its own logging level setting (default level is 1) that you can configure independently of other logs on the same server. For improved troubleshooting, you can set it to 41 indefinitely without the TDownloader log becoming cluttered with less useful information or rolling over too quickly. See Logging levels.

If the TDownloader log indicates certificate errors, you might resolve the errors by updating the certificates that the service uses for downloads authentication. See Tanium Console User Guide: Managing downloads authentication.

Review the following logs for similar issues:

Download catalog cleaner log: This log records events that relate to the removal of files that the Tanium Server downloads to serve Tanium Client requests.
Package cache cleaner log: This log records events that relate to the removal of package files from the Tanium Server chunk cache.
Package download log: This log records events that relate to the downloads queue for package files.

TPAN report

Access: Generate TPAN reports through Tanium Health Check. See Tanium Health Check User Guide: Generating reports.
Content: Provides a comprehensive view of the issues, risks, and performance of your Tanium environment. You can download reports locally to share with Tanium Support. Regularly collecting and sharing these reports can help Tanium provide you with the best support.

Workbenches manager log

Access:
- Appliance: Sign in to the TanOS console as a user with the tanadmin role and enter the following sequence of menu options: 3 (Tanium Support menu), 1 (Tanium Log Files menu), 2 (Tanium Server menu), and 5 (Tanium Server Workbenches).
- Windows: <Tanium Server>\plugins\console\WorkbenchesManager\workbenches_manager.log
Content: This log records events that relate to the installation and uninstallation of workbenches for Tanium solutions (modules and shared services). A workbench is the user interface that you use to perform solution operations.

Tanium Appliance logs and reports

For logs and reports that are specific to the Tanium Appliance, see Tanium Appliance Deployment Guide: Overview of Appliance logs, reports, and troubleshooting features.

Windows logs

Only Tanium Core Platform servers in a Windows deployment generate the Install.log file. Each server generates its own log.

Access: View the log on each server:
- Tanium Server: <Tanium Server>\Install.log
- Module Server: <Module Server>\Install.log
- Zone Server: <Zone Server>\Install.log
Content: This log records actions that the installer for a Tanium Core Platform server performs during installations and upgrades. If you encounter issues with your installation, examine the logs to see which actions completed successfully and which failed. Each time you run the installer, it appends the actions for that execution to the end of the file instead of rolling over the file.

Log rollover

To clear space for new logs, Tanium Core Platform servers roll over and compress existing logs when they exceed the maximum log size (10 MB) and maximum number of logs. The maximum number of log files varies by log type and format. By default, custom log types have a maximum of 10 plain text logs and 10 ZIP logs.

Table 1: Number of log files
Log File Name	Plain Text	ZIP
action-scheduler<#>.txt	10	10
auth<#>.txt	10	10
database-upgrade<#>.txt	10	10
download-catalog-cleaner<#>.txt	10	10
http-access<#>.txt	2	3
Install_postgres.log	1	0
ldap<#>.txt	10	10
log<#>.txt (main server log for each Tanium Core Platform server)	10	10
log<#>.txt (TDownloader log)	10	0
module-history<#>.txt	2	3
module-provided-privileges<#>.txt	10	10
package-cleaner<#>.txt	10	10
package-download<#>.txt	10	10
pki<#>.txt	10	10
pki-tls<#>.txt	10	10
rbac<#>.txt	10	10
tanium-data.log<#>.txt	10	10
workbenches_manager.log	1	0

The following sections describe the rollover process. The variable <log_type#>.txt represents a log file name (such as log0.txt):

Rollover for plain text logs

When the first log file <log_type>0.txt reaches 10 MB in size, it is renamed <log_type>1.txt and a new <log_type>0.txt is created. When <log_type>0.txt again reaches 10 MB, <log_type>1.txt is renamed <log_type>2.txt, <log_type>0.txt is again renamed <log_type>1.txt, and <log_type>0.txt is again recreated. The process of rolling logs whenever <log_type>0.txt reaches 10 MB continues until the maximum number of plain-text logs exist. For example, each Tanium Core Platform server log has a maximum of 10 plain-text logs: log0.txt to log9.txt.

Rollover for ZIP logs

After recording the maximum number of plain-text logs, the oldest log is compressed. For example, log9.txt is saved as log10.zip. When <log_type>0.txt again reaches 10 MB, the file name of the first ZIP log is incremented (for example, log10.zip becomes log11.zip and the oldest plain-text log is again compressed and replaces the first ZIP log. The ZIP file rollover process continues until the maximum number of ZIP files exist. For example, each Tanium Core Platform server log has a maximum of 10 ZIP files: log10.zip to log19.zip. When <log_type>0.txt reaches 10 MB again after that, the first ZIP log is created again (such as log10.zip) but the oldest ZIP log (such as log19.zip) is not renamed and is effectively dropped because the second oldest ZIP file replaces it (for example, log18.zip becomes the new log19.zip).

Create a custom log

If you want to troubleshoot only specific information in predefined Tanium logs, you can configure a Tanium Core Platform server or Tanium Client to filter the logs based on a regular expression and to copy the matching content to a custom log. Custom logs are especially useful if you set a high logging level for the predefined logs such that they roll over too quickly and record too much information for you to easily find specific issues. You can create as many custom logs as necessary and base each one on a different filter. After you configure a new log type, the platform server or client creates a custom log file upon recording an event in a predefined log that matches the regular expression. Thereafter, whenever the predefined logs record additional events that match the filter, the server or client copies those records to the custom log.

Log filtering can consume significant resources on a server or client, especially if you set a high logging level. Therefore, the best practice is to remove custom logs after you finish a troubleshooting session. For more information, see the logging level setting in the CLI command executables and options for custom logs table.

The following procedures describe how to configure custom logs using the TanOS console (Appliance) or using the CLI command executables and options listed in the CLI command executables and options for custom logs table (Tanium Clients or platform servers on Windows).

Table 2: CLI command executables and options for custom logs
Executable/Option	Description
Executable	The Tanium Client and Tanium Core Platform servers use the following executables for running CLI commands. The executables reside in the server or client installation directory. Tanium Server: TaniumReceiver Module Server: TaniumModuleServer Zone Server or Zone Serve Hub: TaniumZoneServer Tanium Client: TaniumClient
Log prefix	The log file prefix. The server or client automatically appends a number to the prefix and adds the suffix (.txt) upon generating the log. For example, if you enter CompletedRegistrations as the prefix for a custom client log, the first file that the client generates for that log type is CompletedRegistrations0.txt.
Filter regex	The regular expression to use for filtering the predefined logs. The server or client copies log entries that match the filter to the custom log. The filter applies only to log messages, not to thread names, thread IDs, or timestamps. The following are examples of useful filter expressions for the Tanium Server Install.txt log: .Begin MiniDumper. records messages about application crashes. .Failing to sync sensors. identifies sensor synchronization failures. .msg=NoMaxAgeFound. records instances where the Tanium Server issues a question that uses deleted sensors. .Client Certificate auth. records authentication messages relating to Tanium Client certificates. This is useful for troubleshooting smart card (common access card) authentication issues. See Troubleshoot smart card authentication. The following are examples of useful filter expressions for Tanium Server or Zone Server Install.txt logs: .Begin registration. identifies Tanium Clients that are trying to register. .Registration complete. identifies clients that successfully registered.
Logging level	The logging level of the custom log. For details, see Logging levels. Higher logging levels consume more resources on the server or client. If different custom log types have different levels, the server or client generates all log types at the highest level that is set for any custom log type. This ensures that filter matching applies to all log messages at the highest configured level. However, in this case, each log file still contains only the level of detail that corresponds to the level you set for its log type. For example, you might set the logging level to 1 for predefined logs on the Tanium Server and set the level to 91 for a custom log. In this case, the server generates log messages at level 91 for all log types and the custom log contains messages at level 91, but the predefined logs contain messages only at level 1.

Appliance: Create a custom log

Enter 2 to go to the Tanium Operations menu.

View screen

------------------------------------------------------

             >>> Tanium Operations Menu <<< 

         1: Tanium Service Control
         2: Tanium Configuration Settings
         4: Install Custom SOAP Cert
         5: Manage Custom Signing Keys
         7: Download SOAP Certificate
         9: Import CAC Certificate

         A: Configure Module Server(s)
         B: Configure Tanium Cluster
         C: Manage Content
         M: Module Operations

         I: Import public key to Tanium Zone Server

         X: Advanced Operations

         R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter 2 to go to the Configuration Settings menu.

View screen

------------------------------------------------------

 >>> Tanium Operations -> Configuration Settings <<< 

Note: Some settings may require a service restart to take effect.

          1: Edit Tanium Server Settings
          2: Edit Tanium Server TDL Settings
          3: Add Tanium Server TDL Auth User
          4: Add Tanium Server TDL Auth Cert

          5: Edit Tanium Module Server Settings
          6: Edit Tanium Module Server TDL Settings
          7: Add Tanium Module Server TDL Auth User
          8: Add Tanium Module Server TDL Auth Cert

          9: Edit Tanium Zone Server Settings
          11: Edit isolated subnets list
          12: Edit separated subnets list

          13: Control Root CA Certs

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter 1 to go to the Tanium Server Config Settings menu.

View screen

>>> Tanium Operations -> Configuration Settings -> Edit <<<
Editing: Tanium Server Config Settings

1: AddressMask 16777215
2: AllowedHubs 127.0.0.1
3: AuthPluginTimeoutSeconds 60
4: AuthenticationPlugin InternalPython:tanium_pam4/pam_workflow.py
5: ClientCertificateAuth /opt/Tanium/TaniumServer/cac.pem
6: ClientCertificateAuthField X509v3 Subject Alternative Name
7: ClientCertificateAuthRegex .*:\s(\d+)@.*
8: ConsoleSettingsJSON /opt/Tanium/TaniumServer/http/config/console.json
9: EnforceAllowedHubs 1
10 ForceSOAPSSLClientCert 1							
11: LogPath /opt/Tanium/TaniumServer/Logs
12: LogVerbosityLevel 1
13: ModuleServer 10.10.10.103,appliance-tms1.tam.local:17477
14: ModuleServerPort 17477
15: ReportingTLSCertPath /opt/Tanium/TaniumServer/reporting.crt
16: ReportingTLSKeyPath /opt/Tanium/TaniumServer/reporting.pvk
17: SQLConnectionString postgres:[email protected]=postgres dbname=tanium sslmode=require sslcert=/opt/Tanium/.postgresql/postgresql.crt sslkey=/opt/Tanium/.postgresql/postgresql.key sslcompression=1
18: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
19: SSLHonorCipherOrder 1
20: ServerPort 17472
21: ServerSOAPPort 8443
22: TrustedCertPath /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
23: TrustedHostList host1.example.com,192.168.0.1
24: Version 7.5.6.1095

A: Add a line
R: Return to previous menu  RR: Return to top

For each log setting (LogVerbosityLevel, LogPrefix, and FilterRegex), enter A to add the setting and then enter its value. Table 2 describes the settings. For the <log subject>, specify any text string to identify the purpose of the log.
- Logs.<log subject>.LogVerbosityLevel
- Logs.<log subject>.LogPrefix
- Logs.<log subject>.FilterRegex
For example, if the log is for troubleshooting common access card (CAC) authentication, you might specify the following values:
- Logs.CAC.LogVerbosityLevel = 41
- Logs.CAC.LogPrefix = CACAuthLog
- Logs.CAC.FilterRegex = .*Client Certificate auth.*

To review the log after the Appliance generates messages that match the filter:

Open a read-only (RO) restricted shell. See Tanium Appliance Deployment Guide: Open read-only restricted shell.
Go to the Logs directory:

cd /opt/Tanium/TaniumServer/Logs
List the directory contents:

ls -la

The following is an example of the output, including the custom log CACAuthLog:

total 1264
drwxr-x---. 2 tanium tanium 4096 Nov 16 21:24 .
drwxr-x---. 20 tanium tanium 4096 Nov 16 22:15 ..
-rw-r-----. 1 tanium tanium 685 Nov 16 21:28 CACAuthLog0.txt
-rw-r-----. 1 tanium tanium 2805 Oct 26 19:39 auth0.txt
-rw-r-----. 1 tanium tanium 322930 Oct 26 18:41 database-upgrade0.txt
-rw-r-----. 1 tanium tanium 857760 Nov 16 19:36 http-access0.txt
-rw-r-----. 1 tanium tanium 31873 Nov 16 20:01 log0.txt
-rw-r-----. 1 tanium tanium 27082 Nov 16 19:36 module-history0.txt
-rw-r-----. 1 tanium tanium 17223 Nov 16 19:33 package-cleaner0.txt
-rw-r-----. 1 tanium tanium 3300 Oct 26 18:46 pki0.txt
Display the custom log contents using standard UNIX commands such as more, cat, or tail:

more CACAuthLog0.txt
When you finish viewing the log contents, enter exit to close the shell.

Windows: Create a custom log for platform servers or clients

Perform the following steps using the command executables and options listed in Table 2 to create a custom log on a Tanium Core Platform server or Tanium Client that is installed on a Windows host.

Sign in to the host system of the platform server or Tanium Client.
Open the Command Prompt and navigate (cd) to the server or client installation directory.
Configure a regular expression for the custom log.

<executable> config set Logs.<log prefix>.FilterRegex "<filter regex>"
(Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

<executable> config set Logs.<log prefix>.LogVerbosityLevel <logging level>

macOS: Create a custom Tanium Client log

Perform the following steps using the command options listed in Table 2 to create a custom log on a managed macOS endpoint. The variable <Tanium Client> is the Tanium Client installation directory.

Sign in to the endpoint that hosts the Tanium Client.
Open the Terminal program.
Configure a regular expression for the custom log.

sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.FilterRegex "<filter regex>"
(Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.LogVerbosityLevel <logging level>

Linux, Solaris, AIX: Create a custom Tanium Client log

Perform the following steps using the command options listed in Table 2 to create a custom log on a managed Linux, Solaris, or AIX endpoint. The variable <Tanium Client> is the Tanium Client installation directory.

Sign in to the endpoint that hosts the Tanium Client.
Configure a regular expression for the custom log.

sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.FilterRegex "<filter regex>"
(Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.LogVerbosityLevel <logging level>

Contact Tanium Support

Tanium Support is your first contact for assistance with preparing for and performing an installation or upgrade, as well as verifying and troubleshooting the initial deployment. If you require further assistance from Tanium Support, please be sure to include version information for Tanium Core Platform components and specific details on dependencies, such as the host system hardware and OS details and database server version.

To contact Tanium Support for help, sign in to https://support.tanium.com.