Troubleshooting

Tanium as a Service is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium as a Service Deployment Guide: Troubleshooting Tanium as a Service.

Use the following procedures, settings, and logs to troubleshoot issues relating to the Tanium Console and Tanium Interact. For additional troubleshooting information, see the Tanium Support KB: Tanium Console.

Basic troubleshooting tips

  • Check with your Technical Account Manager (TAM) to ensure the Tanium™ software version is a recommended version.
  • Ensure all Tanium Core Platform components are the same version. For example, make sure all have build number 7.4.3.1242. The Build number appears at the top right of the Tanium Console, below your user name.
  • Review any error messages reported to the Tanium Console: see View and copy the Tanium Console error log.
  • If the Tanium Console is unavailable, check the status of the Tanium databases on the database server. Also check the status of the Tanium Server service and, if necessary, restart it: see Manage the Tanium Server service.
  • If authentication errors prevent access to the Tanium Console, check the authentication logs (auth<#>.txt) in the <Tanium_Server>/Logs directory.

Manage the Tanium Server service

The steps to check the status of, and restart, the Tanium Server service vary by platform:

View and copy the Tanium Console error log

The Tanium Console maintains an error log on the local host computer for your web browser. It includes details on the last 100 errors that were returned to the console in response to actions that you performed through the browser. For example, the log records errors that are associated with attempting to save a configuration or import a content file. The console maintains a separate log for each browser that you use.

To view the log, click the selector next to the logged in username and select Local Error Log.

Click Copy to copy the log details to the clipboard.


Collect Interact logs

To send information to Tanium™ Support for troubleshooting Tanium Interact, collect logs and other relevant information as follows. The information is saved as a ZIP file that you can download through your browser.

  1. From the Interact Home page, click Help.
  2. In the Troubleshooting section, click Download Support Package.
    A tanium-interact-support-<date-time>.zip file downloads to the local download directory.
  3. Attach the ZIP file to your Tanium Support case form or send it to your TAM.

Monitor Tanium Client registration and communication

From the Main menu, select Administration > Management > System Status to see the real-time status of Tanium Client registration and communication.

You must have a role with the Read System Status (micro admin) permission to see the System Status page and filter the table. Users with the Administrator reserved role have this permission.

Table 1:   System Status columns

| Column | Description |
| --- | --- |
| Host Name | Computer hostname. |
| Network Location (from client) | Client IP address returned from a sensor on the client. |
| Network Location (from server) | Client IP address recorded on the server during the last registration. |
| Direction | The circle represents the client, and arrows in relation to the circle represent connections. For a list of possible connection states, see Table 2. |
| Valid Key | No indicates a problem with the public key that has been installed with the Tanium Client. Redeploy the public key file or reinstall the Tanium Client. |
| Send State | One of: Backward Only, Forward Only, None, Normal. |
| Receive State | One of: Next Only, Previous Only, None, Normal. |
| Status | The Connection Status of each Tanium Client is either Normal or one or more of the following states: Slow Link, Leader, Blocked. |
| Last Registration | Timestamp of the last time the Tanium Client registered with the server. |
| Protocol Version | Tanium protocol version. This column is hidden by default. |
| Version | Tanium Client version. |

The Direction column displays icons to depict Tanium Client connection states. The icons use the following conventions:

  • An up arrow indicates a connection with the Tanium Server or Zone Server.
  • Side arrows pointing away from the client indicate outbound connections to peers.
  • Side arrows pointing at the client indicate inbound connections from peers.
  • Side arrows on the right side of clients indicate the state of connections to forward peers.
  • Side arrows on the left side of clients indicate the state of connections to backward peers.
  • Side arrows with dashed lines indicate slow connections.

You can use the Direction column to understand the reasons that the client is a leader and to identify connection issues. The following table lists the possible connection states:

Table 2:   Tanium Client peer connection states

| Attribute | Value | Description |
| --- | --- | --- |
| Leader | Backward (icon: Backward leader) | The client is a backward leader that terminates one end of a linear chain. It typically has the lowest IP address in its linear chain. |
| Leader | Forward (icon: Forward leader) | The client is a forward leader that terminates one end of a linear chain. It typically has the highest IP address in its linear chain. |
| Leader | Neighborhood (icon: Leader) | The client is designated as a neighborhood leader because its linear chain has reached the maximum number of clients. |
| Leader | Isolated (icon: No peering) | The client is an isolated leader that connects only to the Tanium Server or Zone Server, and has no connections to other clients. The client might be isolated because its IP address falls within the range of an isolated subnet or because it has no peers in its local subnet with which to connect. |
| Neighbor | No side arrows (icon: No peering) | This is the same as an isolated leader. |
| Neighbor | Single side arrow (icon: inbound only or outbound only) | The client has a neighborhood list of peers but has not established a peer connection. This state generally results from a misconfiguration, such as when a host-based firewall on the endpoint does not allow inbound connections to the client. |
| Neighbor | Double side arrows (icon: inbound and outbound connections) | The client has a neighborhood list of peers and has connected with peers in the indicated direction. |
| Client state | Normal (icon: inbound and outbound connections) | The client is communicating normally. |
| Client state | Blocked (icon: blocked) | The client is not communicating reliably. This might result from a network issue or host resource issue, such as an antivirus program that slows the client. |
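
A triage pass over the System Status columns described above, as an added example that is not part of the Tanium documentation or product. The CSV layout, the `;` separator inside Status, the ISO 8601 timestamps, the 24-hour staleness threshold, and the `triage` function are assumptions of this example, as is treating Send State and Receive State both None as the no-peering case.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows. Column names follow Table 1; the CSV layout and the
# ISO 8601 timestamp format are assumptions of this example.
SAMPLE = """\
Host Name,Network Location (from client),Network Location (from server),Valid Key,Send State,Receive State,Status,Last Registration
ws-001,10.0.4.11,10.0.4.11,Yes,Normal,Normal,Normal,2024-05-01T11:58:00
ws-002,10.0.4.12,10.0.4.12,No,Normal,Normal,Normal,2024-05-01T11:57:00
ws-003,10.0.9.13,10.0.9.13,Yes,None,None,Leader,2024-05-01T11:59:00
ws-004,10.0.4.14,10.0.4.14,Yes,Normal,Normal,Blocked; Slow Link,2024-05-01T11:55:00
ws-005,192.168.1.20,203.0.113.7,Yes,Normal,Normal,Normal,2024-04-28T08:00:00
"""

def triage(text, now, stale_after=timedelta(hours=24)):
    """Return {host: [finding, ...]} for rows that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        notes = []
        states = {s.strip().lower() for s in row["Status"].split(";")}
        if row["Valid Key"].strip().lower() == "no":
            notes.append("invalid key: redeploy the public key file or reinstall the client")
        if "blocked" in states:
            notes.append("blocked: check network and host resources (e.g. antivirus)")
        if "slow link" in states:
            notes.append("slow link")
        # Assumption: Send State and Receive State both None means no peering.
        if row["Send State"].strip() == "None" and row["Receive State"].strip() == "None":
            notes.append("no peering: isolated subnet or no peers in local subnet")
        # Informational only: the two address columns record different observations.
        if row["Network Location (from client)"] != row["Network Location (from server)"]:
            notes.append("client-reported and server-recorded addresses differ")
        last = datetime.fromisoformat(row["Last Registration"])
        if now - last > stale_after:
            notes.append(f"last registration older than {stale_after}")
        if notes:
            findings[row["Host Name"]] = notes
    return findings

if __name__ == "__main__":
    for host, notes in triage(SAMPLE, now=datetime(2024, 5, 1, 12, 0)).items():
        print(host, "->", "; ".join(notes))
```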

Configure server logging levels

Your TAM might instruct you to change the log verbosity levels for the Tanium Server and Tanium Module Server when troubleshooting issues.

You require the Administrator reserved role to see and use the Configuration > Common > Log Level page.

  1. From the Main menu, select Administration > Configuration > Common and click Log Level.
  2. Set the logging levels. The following decimal values are best practices for specific use cases.
    • 0: Logging disabled.
    • 1: Normal log level.
    • 41: Best practice value during troubleshooting.
    • 91 or higher: Most detailed log level. Enable for short periods of time only.
  3. Save your changes.

View plugins and plugin schedules

A plugin is an extension to a Tanium Core Platform component or solution module. A scheduled plugin is a process that is set to run at a specified interval. Plugin operations are usually transparent to users. However, your TAM might instruct you to review plugin details when troubleshooting unexpected behavior.

Only users assigned the Administrator reserved role can access the Configuration pages for viewing plugin information.

To see details about installed plugins, go to the Main menu, select Administration > Configuration > Common and click Plugins.

To see details about scheduled plugins, go to the Main menu, select Administration > Configuration > Common and click Plugin Schedules.

To review the history of plugin executions, see the module-history<#>.txt logs in the <Module_Server>/Logs folder on the Tanium Module Server.

View usage for the package file repository

By default, the Tanium Server stores the package files that it downloads to Tanium Clients in the <Tanium Server>\Downloads folder. Your TAM might instruct you to monitor usage for this repository when troubleshooting download issues.

Only users assigned the Administrator reserved role can see and use the Administration > Configuration > Tanium Server > Package File Repository page.

From the Main menu, select Administration > Configuration > Tanium Server > Package File Repository and review the information.

Monitor resource usage for sensor results collection

The Tanium Data Service collects and stores the results of all sensors that are registered for collection so that users can see those results for offline endpoints when issuing questions. Sensor collection consumes resources such as network bandwidth, processing on endpoints, and disk space on the Tanium Server. Resource consumption increases with the cardinality of sensors. For example, the IP Address sensor produces a unique result string for each queried endpoint, whereas the Operating System (OS) sensor produces the same string for all endpoints that have the same OS. In this case, the high cardinality IP Address sensor requires more bandwidth, CPU usage, and storage. Interact provides charts that enable you to visualize resource usage metrics related to results collection.

For more details and procedures related to sensor results collection, see Manage sensor results collection.

  1. Go to the Interact Home page and click Info.
  2. Review the following charts:
    • Data Service Status: This chart displays metrics related to sensor collection processes. By default, the Tanium Data Service runs the Data Collection process every hour to collect results for registered sensors and runs the Garbage Collection process every 15 minutes to remove expired result strings. The chart uses the following icons. Hover over an icon to display details about a specific process instance.
      • Success: process that completed successfully
      • Refresh: process that is currently running
      • Error: process with errors
      • Future: pending process
    • Data Service Sensor Metrics: Use these charts to determine whether specific sensors are generating result strings that consume too much storage.
    • Data Service Database Metrics: These charts are not relevant to user operations.

If you determine that sensor collection consumes too many resources, consider the following solutions:

View the info page

Your TAM might instruct you to review settings or counters displayed on the info page.

  1. Open a browser and go to https://<FQDN>/info.
  2. When prompted, specify credentials for a user assigned the Administrator reserved role.



Tanium Support

Your TAM is your first contact for assistance with preparing for and performing an installation or upgrade, as well as verifying and troubleshooting the initial deployment. If you require further assistance from Tanium Support, please be sure to include version information for Tanium Core Platform components and specific details on dependencies, such as the host system hardware and OS details and database server version. You can also send Tanium Support a collection of logs and other information as a ZIP file: see Collect Interact logs. Log into https://support.tanium.com and submit a new ticket or send us an email at [email protected]