Tanium™ Core Platform 7.3 Deployment Guide for Windows

PDF 7.3
PDF 7.2
  • All Files
Documentation Home > Tanium Core Platform Deployment Guide for Windows

Troubleshooting the deployment

This chapter covers procedures, settings, and logs that you can use to troubleshoot issues relating to the installation or upgrade of Tanium Core Platform servers.

Basic tips

  • Check with your Technical Account Manager (TAM) to ensure the Tanium™ software version is a recommended version.
  • Ensure all Tanium Core Platform components are the same version. For example, make sure all have build number 7.3.314.4103.
  • Ensure your environment meets the host system and network requirements: see Requirements.
  • Review any error messages reported to the user interface (see Tanium Core Platform Deployment Reference Guide: Tanium Console error log) or installation log file (see Tanium Core Platform Deployment Reference Guide: Logs).
  • If you encounter failed access messages when running an installer, examine the permissions for the logged in user.
  • If you encounter failed connections, use standard tools like ping and traceroute to verify basic connectivity. If those checks fail, work with your network administrator to diagnose. If those pass, it might be a certificate problem or firewall issue.
  • If the Tanium Console is unavailable, check the status of the Tanium Server service and the Tanium databases on the database server. The steps to check the status and restart (if necessary) the Tanium Server service vary by platform:
    • Windows infrastructure: You can find the Tanium Server service in the Windows Services program.
    • Tanium Appliance: Access the taniumserver service through the Tanium Operations menu: see Tanium Appliance Deployment Guide: Reference: Tanium Operations menu.
    • Cloud infrastructure: Access the Tanium Server CLI as root to see the status of the service (systemctl status taniumserver.service) or to restart it (systemctl restart taniumserver.service).

Troubleshoot server installation issues

After you install Tanium Core Platform servers, perform the steps under Verifying the Tanium Core Platform deployment to confirm that the installations succeeded. If verification fails:

  1. Check the status of the Windows service for the Tanium Server, Zone Server, Zone Server Hub, Module Server, and Tanium Client. Start any services that are not started.
  2. Check the Windows Registry on each server for typos or missing values: see Tanium Core Platform Deployment Reference Guide: Settings.
  3. Test connectivity from the Zone Server Hub to the Zone Server and from the Module Server to the Tanium Server. You can use whatever utility you like to test connectivity. The following example shows how to use Portqry at the CLI of the Zone Server Hub host to verify whether the Zone Server is listening on a specified port.

    c:\> portqry -n zs1.tam.local -p tcp -e 17472
    Querying target system called:
    zs1.tam.local
    Attempting to resolve name to IP address...
    Name resolved to 10.10.10.15
    querying...
    TCP port 17472 (unknown service): LISTENING
    c:\>

    If you can reach the server and get an answer (LISTENING), then basic connectivity is not the issue. If you cannot reach the server, you might need to work with your network and security administrators to resolve the issue.

  4. Verify that the server FQDNs resolve to an IP address through DNS. The preceding step uses Portqry as an example to show DNS resolution. You can also use nslookup at the CLI, as follows.

    c:\> nslookup <server_FQDN>
    Server: Unknown
    Address: 10.10.10.10
    Name: <server_FQDN>
    Address: 10.10.10.15

    If DNS resolution fails, work with your network administrator to resolve it. If DNS resolution is not possible, you can reconfigure the connection settings using IP addresses instead of FQDNs.

  5. If the preceding steps do not resolve the issue, generate logs as follows and then contact your TAM.
    1. Set the log verbosity level to 41 on the Tanium Client (see Client Deployment Guide: Tanium Client Settings) and on the Zone Server, Zone Server Hub, Module Server, and Tanium Server (see Tanium Core Platform Deployment Reference Guide: Settings).
    2. Reproduce the issue by re-asking the question you used to verify the deployment.
    3. Examine both the server and Tanium Client logs. Your TAM can also analyze the logs.

Limit Zone Serve cache storage

To optimize Tanium system performance, the Tanium Zone Server caches sensor definitions, configuration information, package files associated with actions, and files requested through the Tanium Client API. It provides these resources to Tanium Clients without having to re-request them from the Tanium Server. If the Zone Server has an unusually long startup time, this might indicate that the cache storage is taking too much disk space. The following steps describe how to limit the cache size and clear the cache. As a best practice, set the limit to whichever is the lesser value between 200GB and 60% of available disk space on the drive where the Zone Server is installed.

  1. Go to Administration > Global Settings and click New Setting.
  2. Configure the following values and click Save:
    • Setting Name: Enter zs_full_cache_limit_in_MB.
    • Setting Value: Enter the maximum storage space in megabytes for the Zone Server cache. The default is 0 (unlimited).
    • Affects: Select Server
    • Value Type: Select Numeric
  3. Access the Zone Server and stop the Zone Server service (Tanium ZoneServer).
  4. Remove all the files in the Zone Server cache (<Zone_Server>\Cache\HotCacheFile) to reinitialize it.
  5. Start the Zone Server service.

If you upgraded your Zone Server Hub from a version previous to 7.3 or later, the <Zone_Server>\Cache\HotCacheFile directory might have leftover files. Because these files are no longer needed in version 7.3 or later, you can remove them to save disk space and improve hub startup times.

Windows Registry

Many settings for Tanium Core Platform servers are added to the Windows Registry when you install the servers. If you encounter issues with an installation, you can review the registry entries for typos. For descriptions of the registry settings, see Tanium Core Platform Deployment Reference Guide: Settings.

Proxy server-related keys have entries only if you configured a proxy server. For details, see Tanium Console User Guide: Configuring proxy server settings.

Logs

Examine the following logs to troubleshoot issues. For details about the log locations and contents, see Tanium Core Platform logs.

Table 1:   Tanium Core Platform logs
Log file Description
Install.log The server installation log file indicates which actions completed successfully and which failed when installing a Tanium Core Platform server.
log<#>.txt The TDownloader logs might help you troubleshoot when importing Tanium content packs and solution modules or downloading updates to package files.
auth<#>.txt The authentication logs might help you troubleshoot issues when accessing the Tanium Console.
module-history<#>.txt The module-history logs might help you troubleshoot issues when Tanium solution modules execute plugins

Tanium Support

Your TAM is your first contact for assistance with preparing for and performing an installation or upgrade, as well as verifying and troubleshooting the initial deployment.

If you require further assistance from Tanium Support, please be sure to include version information for Tanium Core Platform components and specific details on dependencies, such as the host system hardware and OS details and database server version. Log into https://support.tanium.com and submit a new ticket or send us an email at [email protected]

Uninstall Tanium

Uninstall the Tanium Core Platform

If you no longer want to use the Tanium Core Platform, or you want to clean up completely before reinstalling:

  1. Uninstall the Tanium Core Platform servers: Tanium Server, Tanium Module Server, Tanium Zone Server, and Tanium Zone Server Hub. The order in which you uninstall the servers does not matter.
  2. Remove the Tanium databases (tanium and tanium_archive) from the database server.

Uninstall a Tanium Core Platform server

  1. Open the Windows Control Panel and use the Uninstall a program feature to uninstall a Tanium Core Platform server.

    The Windows program invokes the Tanium uninstaller, which stops and removes the Tanium service associated with the server and deletes Windows Registry entries (except the top entry for Tanium). Completely wiping the installation requires the following manual tasks that the installer does not perform.

  2. In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ and delete Tanium.
  3. In Windows Explorer, go to the Tanium installation location and delete the Tanium directory.
  4. Empty the Windows Recycle Bin.

Remove Tanium databases

Log into the database server as a database administrator and delete the tanium and tanium.archive databases.

Uninstall a Tanium module or Tanium Client

For information about uninstalling a Tanium solution module or Tanium Client, see the corresponding user guide.

Solution module Uninstall link
Tanium™ Asset User Guide
Tanium™ Client Tanium Client on Windows

Tanium Client on macOS

Tanium Client on Linux

Tanium Client on Solaris

Tanium Client on AIX

Tanium™ Comply User Guide
Tanium™ Connect User Guide
Tanium™ Deploy User Guide
Tanium™ Detect User Guide
Tanium™ Discover User Guide
Tanium™ Health Check User Guide
Tanium™ Incident Response Not applicable
Tanium™ Integrity Monitor User Guide
Tanium™ Interact User Guide
Tanium™ Map User Guide
Tanium™ Network Quarantine User Guide
Tanium™ Patch User Guide
Tanium™ Protect User Guide
Tanium™ Reveal User Guide
Tanium™ Threat Response User Guide
Tanium™ Trace User Guide
Tanium™ Trends User Guide

Last updated: 8/20/2019 1:19 PM | Feedback