Troubleshooting

Tanium as a Service is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium as a Service Deployment Guide: Troubleshooting Tanium as a Service.

Use the following procedures, settings, and logs to troubleshoot issues relating to the Tanium Console and Tanium Interact. For additional troubleshooting information, see the Tanium Support KB: Tanium Console.

For the role permissions that are required to perform troubleshooting tasks, see Troubleshooting permissions.

Basic troubleshooting tips

Manage the Tanium Server service

The steps to check the status of, and restart, the Tanium Server service vary by platform:

View and copy the Console error log

The Tanium Console maintains an error log on the local host computer for your web browser. It includes details on the last 100 errors that were returned to the console in response to actions that you performed through the browser. For example, the log records errors that are associated with attempting to save a configuration or import a content file. The console maintains a separate log for each browser that you use.

  1. In the Main menu, expand the <user name> drop-down menu and select Local Error Log.
  2. (Optional) Expand a log entry and click Copy to copy the log details to the clipboard.

Collect Interact logs

To send information to Tanium Support for troubleshooting Tanium Interact, collect logs and other relevant information as follows. The information is saved as a ZIP file that you can download through your browser.

  1. From the Interact Overview page, click Help.
  2. In the Troubleshooting section, click Download Support Package.
    A tanium-interact-support-<date-time>.zip file downloads to the local download directory.
  3. Attach the ZIP file to your Tanium Support case form or send it to Tanium Support.

Troubleshoot Tanium Client connectivity

The Client Status page displays information about the state of Tanium Client registration and connectivity, and enables you to deploy actions to remediate issues.

To see the Client Status page and filter its grid, you require a role with the Client Status read permission. Users with the Administrator reserved role have this permission.

View the status of Tanium Client registration and communication

  1. From the Main menu, go to Administration > Configuration > Client Status.
  2. (Optional) To display status details only for specific Tanium Clients, edit the default filter settings, such as the registration intervals and connection status.


The following table lists the information that the Client Status page displays for each Tanium Client:

 Table 1: Client Status columns
Column: Description
  • Host Name: Endpoint host name.
  • Network Location (from client): Client IP address returned from a sensor on the client.
  • Network Location (from server): Client IP address recorded on the Tanium Server or Zone Server during the last registration.
  • Direction: A circle represents the client and arrows represent its connections. For a list of possible connection states, see Table 2.
  • Valid Key: No indicates an issue with the public key that the Tanium Client uses to secure communication with other Tanium Core Platform components. To resolve the issue, reinstall the Tanium Client (see Tanium Client Management User Guide: Deploying the Tanium Client) or redeploy the key (see Download infrastructure configuration files (keys)).
  • Send State:
    • Normal: The client is sending data to its backward and forward peers.
    • None: The client is not sending data to its forward or backward peers.
    • Forward Only: The client is sending data to its forward peer but not to its backward peer.
    • Backward Only: The client is sending data to its backward peer but not to its forward peer.
  • Receive State:
    • Normal: The client is receiving data from its backward and forward peers.
    • None: The client is not receiving data from its forward or backward peers.
    • Next Only: The client is receiving data from its forward peer but not from its backward peer.
    • Previous Only: The client is receiving data from its backward peer but not from its forward peer.
  • Status:
    • Normal: The client is communicating normally.
    • Slow Link: The client has connections with abnormally slow throughput.
    • Leader: The client is communicating with the Tanium Server or Zone Server because it is a backward leader, a forward leader, a neighborhood leader, or a client with no peer connections (such as a client in an isolated subnet).
    • Blocked: The client is not communicating reliably.
  • Registration Error (Salesforce deployments only): The client can be in one of the following registration states:
    • None: Registration succeeded.
    • Failed Client Challenge: Registration failed because the client did not present the registration secret that is contained in the tanium-init.dat file.
    • Failed Server Challenge: Registration failed because mismatching Tanium root keys prevented TaaS from establishing trust with the client or other Tanium Core Platform components.
    • Root Key Mismatch: Registration failed due to any other issue related to mismatching Tanium root keys.
    • Exceeded License Seats: TaaS denied registration for the client because the number of active clients exceeded the limit that the Tanium license specifies. Clients are considered active if they registered within the last two days.

    To resolve issues that relate to the Tanium root key or registration secret, re-install the Tanium Client on the affected endpoints. Contact Tanium Support (sign in to https://support.tanium.com) for a new Tanium license if you want to change the maximum number of active clients.

  • Last Registration: Date and time when the Tanium Client last registered with the Tanium Server or Zone Server.
  • Protocol Version (hidden by default): Tanium Protocol version. For details about the protocol, see TLS communication.
  • Version: Tanium Client version.

The Direction column displays icons that use the following conventions to depict Tanium Client connection states:

  • An up arrow indicates a connection with TaaS, the Tanium Server, or the Zone Server.
  • Side arrows pointing away from the client indicate outbound connections to peers.
  • Side arrows pointing at the client indicate inbound connections from peers.
  • Side arrows on the right side of clients indicate the state of connections to forward peers.
  • Side arrows on the left side of clients indicate the state of connections to backward peers.
  • Side arrows with dashed lines indicate slow connections.

You can use the Direction column to understand why a Tanium Client is a leader and to identify connection issues. The following table lists the possible connection states:

 Table 2: Tanium Client peer connection states
Attribute / Value: Description
  • Leader
    • Backward (Backward leader): The client is a backward leader that terminates one end of a linear chain. It typically has the lowest IP address in its linear chain.
    • Forward (Forward leader): The client is a forward leader that terminates one end of a linear chain. It typically has the highest IP address in its linear chain.
    • Neighborhood (Leader): The client is designated as a neighborhood leader because its linear chain has reached the maximum number of clients.
    • Isolated (No peering): The client is an isolated leader that connects only to TaaS, the Tanium Server, or the Zone Server, and has no connections to other clients. The client might be isolated because its IP address falls within the range of an isolated subnet or because it has no peers in its local subnet with which to connect.
  • Neighbor
    • No side arrows (No peering): This is the same as an isolated leader.
    • Single side arrow (inbound only or outbound only): The client has a neighborhood list of peers but has not established a peer connection. This state generally results from a misconfiguration, such as when a host-based firewall on the endpoint does not allow inbound connections to the client.
    • Double side arrows (inbound and outbound connections): The client has a neighborhood list of peers and has connected with peers in the indicated direction.
  • Client state
    • Normal (inbound and outbound connections): The client is communicating normally.
    • Blocked (blocked): The client is not communicating reliably. This might result from a network issue or host resource issue, such as an anti-virus program that slows the client.

Export Tanium Client status details

Export information in the Client Status page as a CSV file or, if you have the Administrator reserved role, as a JSON file.

  1. From the Main menu, go to Administration > Configuration > Client Status.
  2. Select rows in the grid to export information for specific Tanium Clients. If you want to export information for all clients, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: information for All clients in the grid or only for the Selected clients.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    TaaS or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.
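
The following script is an added example, not part of the Tanium documentation or product: it reads a Client Status CSV export and lists the clients whose key, registration, or connection state needs attention, using the values described in Table 1. The CSV header names are assumed to match the grid column names, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. Header names are assumed to match the grid
# column names listed in Table 1; adjust them to the real export file.
SAMPLE_EXPORT = """\
Host Name,Valid Key,Send State,Receive State,Status,Registration Error
ws-001,Yes,Normal,Normal,Normal,None
ws-002,No,Normal,Normal,Normal,None
ws-003,Yes,Forward Only,Next Only,Normal,None
ws-004,Yes,None,None,Blocked,None
ws-005,Yes,Normal,Normal,Leader,Failed Client Challenge
ws-006,Yes,Forward Only,Next Only,Leader,None
"""


def triage(csv_text):
    """Return {host name: [findings]} for clients that need attention."""
    report = {}
    for raw in csv.DictReader(io.StringIO(csv_text)):
        row = {k: v.strip() for k, v in raw.items() if k and isinstance(v, str)}
        findings = []
        if row.get("Valid Key") == "No":
            findings.append("invalid key: reinstall the client or redeploy the key")
        reg = row.get("Registration Error", "")
        if reg == "Exceeded License Seats":
            findings.append("registration denied: license seat limit exceeded")
        elif reg not in ("", "None"):
            findings.append(f"registration failed ({reg}): reinstall the client")
        status = row.get("Status", "")
        if status in ("Blocked", "Slow Link"):
            findings.append(f"status {status}")
        # Assumption: a leader ends a chain or has no peers, so one-sided
        # send/receive states are expected for it and are not flagged.
        states = (row.get("Send State", ""), row.get("Receive State", ""))
        if status != "Leader" and any(s not in ("", "Normal") for s in states):
            findings.append(f"abnormal peer traffic (send={states[0]}, receive={states[1]})")
        if findings:
            report[row.get("Host Name", "?")] = findings
    return report


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EXPORT).items():
        print(host, "->", "; ".join(findings))
```
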

Copy Tanium Client status details

Copy information from the Client Status page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Configuration > Client Status.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Deploy actions to remediate client registration or connectivity issues

You can deploy actions to Tanium Clients to remediate issues that you observe in the Client Status page. For example, if you want certain clients to register with a Tanium Zone Server instead of the Tanium Server, you can deploy the Set Tanium Server Name List package to change the ServerNameList setting on those clients.

  1. From the Main menu, go to Administration > Configuration > Client Status.
  2. Select the Tanium Clients to which you want to deploy actions and click Deploy Action.
  3. Deploy the action.
  4. Review the Client Status grid to verify that the action produced the expected result.

Configure server logging levels

Tanium Support might instruct you to change the log verbosity levels for the Tanium Server and Tanium Module Server when troubleshooting issues.

You require the Administrator reserved role to see and use the Logging page.

  1. From the Main menu, go to Administration > Configuration > Logging.
  2. Set the logging levels and click Save.

    The following decimal values are best practices for specific use cases.

    • 0: Logging disabled.
    • 1: Normal log level.
    • 41: Best practice value during troubleshooting.
    • 91 or higher: Most detailed log level. Enable for short periods of time only.

View plugins and plugin schedules

A plugin is an extension to a Tanium Core Platform component, module, or shared service. A scheduled plugin is a process that is set to run at a specified interval. Plugin operations are usually transparent to users. However, Tanium Support might instruct you to review plugin details when troubleshooting unexpected behavior.

Only users who are assigned the Administrator reserved role can access the Configuration pages for viewing plugin information.

To see details about installed plugins and scheduled plugins, from the Main menu go to Administration > Configuration > Plugins. The Plugins page displays separate grids for installed plugins and scheduled plugins.

To review the history of plugin executions, see the module-history<#>.txt logs in the <Module_Server>/Logs folder on the Tanium Module Server.

View package file repository usage

By default, the Tanium Server stores the package files that it downloads to Tanium Clients in the <Tanium Server>\Downloads folder. Tanium Support might instruct you to monitor usage for this repository when troubleshooting download issues.

Only users who have the Administrator reserved role can see and use the Package File Repository page.

From the Main menu, go to Administration > Configuration > Package File Repository and review the information.


Monitor resource usage for sensor results collection

The Tanium Data Service collects and stores the results of all sensors that are registered for collection so that users can see those results for offline endpoints when issuing questions. Sensor collection consumes resources such as network bandwidth, processing on endpoints, and disk space on the Tanium Server. Resource consumption increases with the cardinality of sensors. For example, the IP Address sensor produces a unique result string for each queried endpoint, whereas the Operating System (OS) sensor produces the same string for all endpoints that have the same OS. In this case, the high cardinality IP Address sensor requires more bandwidth, CPU usage, and storage. Interact provides charts that enable you to visualize resource usage metrics related to results collection.

For more details and procedures related to sensor results collection, see Manage sensor results collection.

  1. Go to the Interact Overview page and click Info.
  2. Review the following charts:
    • Harvest Metrics: These charts display metrics related to the number of database rows that are processed when question results are collected for registered sensors. These charts only display when the Continuous Harvest option is selected. For more information, see Configure advanced settings for sensor collection.
    • Data Service Status: This chart displays metrics related to sensor collection processes when the Continuous Harvest option is deselected. By default, the Tanium Data Service runs the Data Collection process every hour to collect results for registered sensors and runs the Garbage Collection process every 15 minutes to remove expired result strings. The chart uses the following icons. Hover over an icon to display details about a specific process instance.
      • Success: process that completed successfully
      • Refresh: process that is currently running
      • Error: process with errors
      • Future: pending process
    • Data Service Sensor Metrics: Use these charts to determine whether specific sensors are generating result strings that consume too much storage.
    • Data Service Database Metrics: These charts provide indicators on the disk space usage for the Tanium Data Service. The Database Key Size and Database Value Size charts show usage in bytes.
    • Data Service Resource Consumption Metrics: Use these charts to determine the resource usage for the Tanium Data Service.

If you determine that sensor collection consumes too many resources, consider the following solutions:

View the info page

Tanium Support might instruct you to review settings or counters displayed on the info page.

  1. Open a browser and go to https://<FQDN>/info.
  2. When prompted, specify credentials for a user assigned the Administrator reserved role.





Contact Tanium Support

Tanium Support is your first contact for assistance with preparing for and performing an installation or upgrade, as well as verifying and troubleshooting the initial deployment. If you require further assistance from Tanium Support, please be sure to include version information for Tanium Core Platform components and specific details on dependencies, such as the host system hardware and OS details and database server version. You can also send Tanium Support a collection of logs and other information as a ZIP file: see Collect Interact logs.

To contact Tanium Support for help, sign in to https://support.tanium.com.