Logs

The logs for Tanium Core Platform servers do not apply in a Tanium Cloud deployment.

Tanium Cloud is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium Cloud Deployment Guide: Troubleshooting Tanium Cloud.

Overview

Tanium Core Platform servers and Tanium Clients generate several predefined logs that you can use to diagnose issues and unexpected behavior. You can also configure custom logs that copy specific content from the predefined logs based on a filter: see Create a custom log. The logging level determines how much detail logs record. The following logging levels are best practices for specific use cases:

  • 0: Logging disabled.
  • 1: Normal (default) logging level.
  • 41: Best practice value during troubleshooting.
  • 91 or higher: Most detailed logging level. Because this level consumes the most resources, enable it for short periods only.

To change the logging level through the Tanium Console for the Tanium Server and Tanium Module Server, see Tanium Console User Guide: Configure server logging levels. You can also change the logging level for platform servers by configuring the LogVerbosityLevel settings (see Tanium Core Platform settings) through the CLI on Windows (see CLI) or through the TanOS menus on the Tanium Appliance. To change the logging level of custom logs, see Create a custom log.

For information about Tanium Client logs, see Tanium Client Management User Guide: Troubleshooting.

Tanium Appliance

The Tanium Appliance supports the following log features:

Windows

To view Tanium Core Platform logs, you require access to the platform server hosts. In the following log file locations, variables such as <Tanium Server> represent the server installation directories.

Action scheduler logs

  • Content: Records events and issues that relate to scheduled actions. For example, the logs record information about why the Tanium Server did or did not deploy the actions. If you set the logging level to 1 (default) or 41, the server generates the logs only if errors occurred (such as actions failing to deploy). To record additional details for normal (successful) operations of scheduled actions, set the logging level to 91.
  • Location and file name: <Tanium Server>\Logs\action-scheduler<#>.txt

Authentication logs

  • Content: Records user access to the Tanium Console or API through all authentication methods.
  • Location and file name: <Tanium Server>\Logs\auth<#>.txt

Database upgrade logs

  • Content: Records actions that the Tanium Server installer performs on Tanium database schemas when you upgrade the Tanium Core Platform.
  • Location and file name: <Tanium Server>\Logs\database-upgrade<#>.txt

HTTP connection logs

HTTP connection logs are available in Tanium Core Platform 7.3 or later.

  • Content: Records attempts to connect to the Tanium Server. For example, the logs record registration attempts by Tanium Clients or the Zone Server.
  • Location and file name: <Tanium Server>\Logs\http-access<#>.txt

Installation logs

  • Content: Records actions that the installer for a Tanium Core Platform server performs during installations and upgrades. If you encounter issues with your installation, examine the logs to see which actions completed successfully and which failed. Each time you run the installer, it appends the actions for that execution to the end of the file instead of rolling over the file.
  • Location and file name:
    • Tanium Server: <Tanium Server>\Install.txt
    • Tanium Module Server: <Module Server>\Install.txt
    • Tanium Zone Server: <Zone Server>\Install.txt

LDAP logs

  • Content: Records LDAP synchronization and authentication events for interactions between the Tanium Server and LDAP servers.
  • Location and file name: <Tanium Server>\Logs\ldap<#>.txt

    At any given time in an active-active deployment, only one Tanium Server performs synchronization and records synchronization events in its LDAP logs.

Module plugin history logs

Module plugin history logs are available in Tanium Core Platform 7.3 or later.

  • Content: Records plugin executions. A plugin is an extension to a Tanium Core Platform component or solution module. Plugin operations are usually transparent to users. However, Tanium Support might instruct you to review plugin details when troubleshooting unexpected behavior.
  • Location and file name:
    • Tanium Server: <Tanium Server>\Logs\module-history<#>.txt
    • Tanium Module Server: <Module Server>\Logs\module-history<#>.txt

Package cache cleaner logs

  • Content: Records which package files the Tanium Server removed from the chunk cache because the packages no longer exist, the files expired, or the server replaced the files with updated versions.
  • Location and file name: <Tanium Server>\Logs\package-cleaner<#>.txt

PKI logs

PKI logs are available in Tanium Core Platform 7.4 or later.

  • Content: Records events related to the use of digital keys when Tanium Core Platform components prove their identity to each other. The logs also record events related to trust approvals and denials among Tanium Servers, Zone Servers, and Zone Server Hubs.
  • Location and file name:
    • Tanium Server: <Tanium Server>\Logs\pki<#>.txt
    • Tanium Module Server: <Module Server>\Logs\pki<#>.txt
    • Tanium Zone Server: <Zone Server>\Logs\pki<#>.txt
    • Tanium Zone Server Hub (if the hub is not on the Tanium Server): <Zone_Server_Hub_installation_folder>\Logs\pki<#>.txt

RBAC logs

  • Content: Records events related to Tanium role-based access control (RBAC). For example, when the Tanium Server denies users access to a resource, the logs indicate which required permissions are missing in the user roles.
  • Location and file name: <Tanium Server>\Logs\rbac<#>.txt

Server logs

  • Content: These are the main logs for each Tanium Core Platform server, and record all events that the other log types do not capture.
  • Location and file name:
    • Tanium Server: <Tanium Server>\Logs\log<#>.txt
    • Tanium Module Server: <Module Server>\Logs\log<#>.txt
    • Tanium Zone Server: <Zone Server>\Logs\log<#>.txt

Tanium Data Service logs

  • Content: Records operations related to collecting results for sensors that are registered for automatic collection. For each question that the Tanium Server issues to collect sensor results, the log has an entry that indicates the issue date-time, the question ID (Harvesting qid), and information about each sensor in the question.
  • Location and file name: <Module Server>\services\tanium-data-files\tanium-data.log<#>.txt

TDownloader logs

  • Content: History of the actions that the TDownloader service performs when it downloads files from Tanium and other Internet locations. The logs include proxy server connection status events when applicable. The TDownloader logs might help you troubleshoot when importing Tanium content packs and solution modules or downloading updates to package files.
  • Location and file name:
    • Tanium Server: <Tanium Server>\TDL_Logs\log<#>.txt
    • Tanium Module Server: <Module Server>\TDL_Logs\log<#>.txt

If the TDownloader logs indicate certificate errors, you can update the certificates that the service uses for downloads authentication. See Tanium Console User Guide: Managing downloads authentication.

Log rollover

To clear space for new logs, Tanium Core Platform servers roll over and compress existing logs when they exceed the maximum log size (10 MB) and maximum number of logs. The maximum number of log files varies by log type and format. By default, custom log types have a maximum of 10 plain text logs and 10 ZIP logs.

 Table 1: Number of log files
Log File Name                                                        Plain Text   ZIP
action-scheduler<#>.txt                                              10           10
authlog<#>.txt                                                       10           10
database-upgrade<#>.txt                                              10           10
download-catalog-cleaner<#>.txt                                      10           10
http-access<#>.txt                                                   2            3
ldap<#>.txt                                                          10           10
log<#>.txt (main server log for each Tanium Core Platform server)    10           10
log<#>.txt (TDownloader log)                                         10           0
module-history<#>.txt                                                2            3
package-cleaner<#>.txt                                               10           10
pki<#>.txt                                                           10           10
rbac<#>.txt                                                          10           10

The rollover process is as follows, where <log_type#>.txt is the log file name (such as log0.txt):

Plain text logs

When the first log file <log_type>0.txt reaches 10 MB in size, it is renamed <log_type>1.txt and a new <log_type>0.txt is created. When <log_type>0.txt again reaches 10 MB, <log_type>1.txt is renamed <log_type>2.txt, <log_type>0.txt is again renamed <log_type>1.txt, and <log_type>0.txt is again recreated. The process of rolling logs whenever <log_type>0.txt reaches 10 MB continues until the maximum number of plain-text logs exist. For example, each Tanium Core Platform server log has a maximum of 10 plain-text logs: log0.txt to log9.txt.

ZIP logs

After recording the maximum number of plain-text logs, the oldest log is compressed. For example, log9.txt is saved as log10.zip. When <log_type>0.txt again reaches 10 MB, the file name of the first ZIP log is incremented (for example, log10.zip becomes log11.zip) and the oldest plain-text log is again compressed and replaces the first ZIP log. The ZIP file rollover process continues until the maximum number of ZIP files exist. For example, each Tanium Core Platform server log has a maximum of 10 ZIP files: log10.zip to log19.zip. When <log_type>0.txt reaches 10 MB again after that, the first ZIP log is created again (such as log10.zip) but the oldest ZIP log (such as log19.zip) is not renamed and is effectively dropped because the second oldest ZIP file replaces it (for example, log18.zip becomes the new log19.zip).
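The rollover naming described above fixes the age order of the files: <log_type>0.txt is the newest and the highest-numbered ZIP is the oldest. The following added example (not Tanium code) collects the files of one log type and reads them oldest first for a timeline review. The sample files, and the assumption that each ZIP holds plain-text members, are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path


def rolled_logs(log_dir, log_type):
    """Return the rolled files for one log type, oldest first.

    Per the rollover scheme, <log_type>0.txt is the live file and a higher
    number means older content, so sort by number in descending order.
    """
    # Match the whole file name so "log" does not also pick up authlog0.txt.
    pattern = re.compile(rf"{re.escape(log_type)}(\d+)\.(txt|zip)")
    found = []
    for path in Path(log_dir).iterdir():
        m = pattern.fullmatch(path.name)
        if m:
            found.append((int(m.group(1)), path))
    return [path for _, path in sorted(found, reverse=True)]


def read_chronological(log_dir, log_type):
    """Yield every line of one log type, oldest entry first."""
    for path in rolled_logs(log_dir, log_type):
        if path.suffix == ".zip":
            # Assumption: each ZIP holds text member(s); read all of them.
            with zipfile.ZipFile(path) as zf:
                for name in zf.namelist():
                    text = zf.read(name).decode("utf-8", "replace")
                    yield from text.splitlines()
        else:
            text = path.read_text(encoding="utf-8", errors="replace")
            yield from text.splitlines()


def build_sample(log_dir):
    """Constructed sample directory: two plain logs, one ZIP, one decoy."""
    d = Path(log_dir)
    (d / "log0.txt").write_text("newest entry\n")
    (d / "log1.txt").write_text("middle entry\n")
    with zipfile.ZipFile(d / "log10.zip", "w") as zf:
        zf.writestr("log9.txt", "oldest entry\n")
    (d / "authlog0.txt").write_text("auth entry\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for line in read_chronological(tmp, "log"):
            print(line)
```

Because the oldest ZIP is dropped once the maximum is reached, copy the files off the host before reading them if the log type rolls quickly (http-access and module-history keep the fewest files).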

Create a custom log

If you want to troubleshoot only specific information in predefined Tanium logs, you can configure a Tanium Core Platform server or Tanium Client to filter the logs based on a regular expression and to copy the matching content to a custom log. Custom logs are especially useful if you set a high logging level for the predefined logs such that they roll over too quickly and record too much information for you to easily find specific issues. You can create as many custom logs as necessary and base each one on a different filter. After you configure a new log type, the platform server or client creates a custom log file upon recording an event in a predefined log that matches the regular expression. Thereafter, whenever the predefined logs record additional events that match the filter, the server or client copies those records to the custom log.

Log filtering can consume significant resources on a server or client, especially if you set a high logging level. Therefore, the best practice is to remove custom logs after you finish a troubleshooting session. For more information, see the logging level setting in Table 2.

The following procedures describe how to configure custom logs using the TanOS console (Appliance) or using the CLI command executables and options listed in Table 2 (Tanium Clients or platform servers on Windows).

 Table 2: CLI command executables and options for custom logs
Executable/Option Description
<executable> The Tanium Client and Tanium Core Platform servers use the following executables for running CLI commands. The executables reside in the server or client installation directory.
  • Tanium Server: TaniumReceiver
  • Module Server: TaniumModuleServer
  • Zone Server or Zone Server Hub: TaniumZoneServer
  • Tanium Client: TaniumClient
<log prefix> The log file prefix. The server or client automatically appends a number to the prefix and adds the suffix (.txt) upon generating the log. For example, if you enter CompletedRegistrations as the prefix for a custom client log, the first file that the client generates for that log type is CompletedRegistrations0.txt.
<filter regex> The regular expression to use for filtering the predefined logs. The server or client copies log entries that match the filter to the custom log.

The filter applies only to log messages, not to thread names, thread IDs, or timestamps.

The following are examples of useful filter expressions for Tanium Server logs:

  • .*Begin MiniDumper.* records messages about application crashes.
  • .*Failing to sync sensors.* identifies sensor synchronization failures.
  • .*msg=NoMaxAgeFound.* records instances where the Tanium Server issues a question that uses deleted sensors.
  • .*Client Certificate auth.* records authentication messages relating to Tanium Client certificates. This is useful for troubleshooting smart card (common access card) authentication issues. See Troubleshoot smart card authentication.

The following are examples of useful filter expressions for Tanium Server or Zone Server logs:

  • .*Begin registration.* identifies Tanium Clients that are trying to register.
  • .*Registration complete.* identifies clients that successfully registered.
<logging level>

The logging level of the custom log. For details, see Overview.

Higher logging levels consume more resources on the server or client. If different custom log types have different levels, the server or client generates all log types at the highest level that is set for any custom log type. This ensures that filter matching applies to all log messages at the highest configured level. However, in this case, each log file still contains only the level of detail that corresponds to the level you set for its log type. For example, you might set the logging level to 1 for predefined logs on the Tanium Server and set the level to 91 for a custom log. In this case, the server generates log messages at level 91 for all log types and the custom log contains messages at level 91, but the predefined logs contain messages only at level 1.
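One way to check a <filter regex> offline before setting it, as an added example that is not part of the Tanium documentation: it applies the filter to the message field only, as Table 2 states, and pairs the two registration filters to list clients that began registration but never completed it. The log line layout, the text after each matched phrase, and the use of Python's regex engine are assumptions; the page does not show the real line format or name the regex dialect.

```python
import re

# Constructed sample lines. The layout (timestamp|thread name|thread ID|message)
# is an assumption for illustration, not the real Tanium log format.
SAMPLE_LINES = [
    "2023-11-16 21:27:58Z|Registration|4312|Begin registration from 192.0.2.21",
    "2023-11-16 21:27:59Z|Registration|4312|Registration complete for 192.0.2.21",
    "2023-11-16 21:28:03Z|Auth|5120|Client Certificate auth: no matching user",
    "2023-11-16 21:28:07Z|Registration|4388|Begin registration from 192.0.2.35",
]


def message_of(line):
    """Return the message field of a constructed sample line."""
    return line.split("|", 3)[3]


def dry_run(filter_regex, lines):
    """Return the lines that a custom log with this filter would receive.

    Only the message is tested, never the timestamp or thread fields.
    fullmatch is the strictest reading; filters wrapped in .* on both
    sides, like the examples in Table 2, give the same result under search.
    """
    compiled = re.compile(filter_regex)
    return [ln for ln in lines if compiled.fullmatch(message_of(ln))]


def unfinished_registrations(lines):
    """Clients with a 'Begin registration' entry but no 'Registration complete'."""
    def hosts(regex):
        # Constructed convention: the client address is the last token.
        return {message_of(ln).split()[-1] for ln in dry_run(regex, lines)}
    return hosts(".*Begin registration.*") - hosts(".*Registration complete.*")


if __name__ == "__main__":
    for regex in (".*Client Certificate auth.*", ".*21:28.*", ".*4312.*"):
        print(regex, "->", len(dry_run(regex, SAMPLE_LINES)), "line(s)")
    print("unfinished:", sorted(unfinished_registrations(SAMPLE_LINES)))
```

A filter written against a timestamp or thread ID returns nothing here, which is the behavior to expect from a custom log whose file is never created.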

Appliance: Create a custom log

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 1 to go to the Tanium Server Config Settings menu.
  5. For each log setting (LogVerbosityLevel, LogPrefix, and FilterRegex), enter A to add the setting and then enter its value. Table 2 describes the settings. For the <log subject>, specify any text string to identify the purpose of the log.
    • Logs.<log subject>.LogVerbosityLevel
    • Logs.<log subject>.LogPrefix
    • Logs.<log subject>.FilterRegex

    For example, if the log is for troubleshooting common access card (CAC) authentication, you might specify the following values:

    • Logs.CAC.LogVerbosityLevel = 41
    • Logs.CAC.LogPrefix = CACAuthLog
    • Logs.CAC.FilterRegex = .*Client Certificate auth.*

To review the log after the Appliance generates messages that match the filter:

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter 5 to go to the Shell Keys menu.
  4. Enter O and enter yes at the prompt to open a read-only (RO) shell.
  5. Go to the Logs directory:

    cd /opt/Tanium/TaniumServer/Logs

  6. List the directory contents:

    ls -la

    The following is an example of the output, including the custom log CACAuthLog:

    total 1264
    drwxr-x---. 2 tanium tanium 4096 Nov 16 21:24 .
    drwxr-x---. 20 tanium tanium 4096 Nov 16 22:15 ..
    -rw-r-----. 1 tanium tanium 685 Nov 16 21:28 CACAuthLog0.txt
    -rw-r-----. 1 tanium tanium 2805 Oct 26 19:39 auth0.txt
    -rw-r-----. 1 tanium tanium 322930 Oct 26 18:41 database-upgrade0.txt
    -rw-r-----. 1 tanium tanium 857760 Nov 16 19:36 http-access0.txt
    -rw-r-----. 1 tanium tanium 31873 Nov 16 20:01 log0.txt
    -rw-r-----. 1 tanium tanium 27082 Nov 16 19:36 module-history0.txt
    -rw-r-----. 1 tanium tanium 17223 Nov 16 19:33 package-cleaner0.txt
    -rw-r-----. 1 tanium tanium 3300 Oct 26 18:46 pki0.txt

  7. Display the custom log contents using standard UNIX commands such as more, cat, or tail:

    more CACAuthLog0.txt

  8. When you finish viewing the log contents, enter exit to close the shell.

Windows: Create a custom log for platform servers or clients

Perform the following steps using the command executables and options listed in Table 2 to create a custom log on a Tanium Core Platform server or Tanium Client that is installed on a Windows host.

  1. Sign in to the host system of the platform server or Tanium Client.

  2. Open the Command Prompt and navigate (cd) to the server or client installation directory.

  3. Configure a regular expression for the custom log.

    <executable> config set Logs.<log prefix>.FilterRegex "<filter regex>"

  4. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

    <executable> config set Logs.<log prefix>.LogVerbosityLevel <logging level>

macOS: Create a custom Tanium Client log

Perform the following steps using the command options listed in Table 2 to create a custom log on a managed macOS endpoint. The variable <Tanium Client> is the Tanium Client installation directory.

  1. Sign in to the endpoint that hosts the Tanium Client.

  2. Open the Terminal program.
  3. Configure a regular expression for the custom log.

    sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.FilterRegex "<filter regex>"

  4. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

    sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.LogVerbosityLevel <logging level>

Linux, Solaris, AIX: Create a custom Tanium Client log

Perform the following steps using the command options listed in Table 2 to create a custom log on a managed Linux, Solaris, or AIX endpoint. The variable <Tanium Client> is the Tanium Client installation directory.

  1. Sign in to the endpoint that hosts the Tanium Client.

  2. Configure a regular expression for the custom log.

    sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.FilterRegex "<filter regex>"

  3. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

    sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.LogVerbosityLevel <logging level>