Troubleshooting Reveal

To collect and send information to Tanium for troubleshooting, collect logs and other relevant information.

Collect logs

The information is saved as a ZIP file that you can download with your browser. You must be assigned the Reveal Administrator role to create and download a support package.

  1. From the Reveal Overview page, click Help, then the Troubleshooting tab.
  2. Click Create Package. When the status shows that the package is complete, click Download Package.
  3. A reveal-troubleshooting.zip file downloads to the local download directory.
  4. Attach the ZIP file to your Tanium Support case form or Contact Tanium Support.

Tanium Reveal maintains logging information in the reveal.log and reveal-audit.log files in the <Module Server>\services\reveal-files\logs directory.

Identify and resolve issues with client extensions

Use the following steps to troubleshoot issues with the client extensions that Reveal installs and uses. During troubleshooting, consider environmental factors such as security exclusions, file locks, CPU usage, RAM usage, and disk failures.

To review the client extensions that Reveal installs and uses, see Client extensions.

  1. To review the health of client extensions or to start an investigation into an existing error, ask a question using the Client Extensions - Status or Reveal - Tools Version sensor.

    The results of these questions help to identify endpoints with errors and provide a starting point to deploy actions that might help correct the issue. Filter the results and drill down as necessary to investigate results that indicate errors.

    Consider whether endpoints with errors share common characteristics, such as operating system, domain or organization unit, or the antivirus software that is installed.

  2. Target one or more endpoints with errors, and uninstall tools that report errors without blocking reinstallation: see Remove Reveal tools from endpoints and Endpoint Configuration User Guide: Uninstall a tool installed by Endpoint Configuration.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

    Wait for automatic reinstallation of the tool. If the reinstallation does not resolve the issue, continue to the next step.

  3. Ask a question using the Endpoint Configuration - Tools Status Details sensor, and include filters to limit the results to the tool that you are investigating. For example:

    Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Reveal from all machines with Endpoint Configuration - Tools Status:Tool Name contains Reveal

    Review the columns in the results for specific information about errors. The following table provides guidance for some common error conditions:

    Error Condition: No error appears, but an available new version has not been installed
    Possible Resolution: Review the Targeted Version column to make sure that the endpoint has received the latest manifest. If the targeted version does not yet show the updated version, the Endpoint Configuration manifest has not updated on the endpoint, usually for one of the following reasons:

    Error Condition: Installation Blocker:Unmet Dependencies: [Tool name]
    Possible Resolution: If no Failure Message or Failure Step appears, the endpoint might be waiting for the dependencies to install. Wait to see if the condition resolves on its own. If this condition remains for an extended period, ask the question again and review any error information in other columns, especially the Failing Dependency column.

    Error Condition: Failing Dependency:[Tool name]
    Possible Resolution: Ask the question: Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains [Tool name] from all machines with Endpoint Configuration - Tools Status:Tool Name contains [Tool name]

    Investigate further errors with the tool.

    If the dependency has not been installed on an endpoint, ask the question: Get Endpoint Configuration - Tools Retry Status from all machines with Computer Name equals Computer_Name to review the retry status for the tool installation. For more information, see Endpoint Configuration User Guide: Review tool installations that are scheduled for a retry.

    Error Condition: Manually Blocked:blocked
    Possible Resolution: The tool was previously blocked, either manually or during a previous uninstallation. Unblock the tool: see Endpoint Configuration User Guide: Block or unblock tools from installing on an endpoint.

  4. Review the Extensions logs on the endpoint. Take note of entries that include fail or error: see Review the Extensions log for an endpoint.

For additional help, collect all logs for Tanium Reveal, and contact Tanium Support.

Review the Extensions log for an endpoint

Use Client Management to directly connect to an endpoint and view and download extension logs.

  1. From the Main menu, go to Administration > Shared Services > Client Management.

  2. From the Client Management menu, click Client Health.

  3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

    Matching results are displayed after the search completes.

  4. From the search results, click the computer name to connect to the endpoint.
  5. Click the Logs tab, and select an extensions[#].log file.

  6. (Optional) To download the log, click Download.

For additional help, collect all logs for Tanium Reveal, and contact Tanium Support.

Configure client disk space use

You can use two configurable client settings for disk space use:

CX.core.DiskSpaceWarningPercent

CX.core.DiskSpaceCriticalPercent

Use these client settings to surface warnings about the amount of disk space left on the disk that the Tanium Client is installed on. By default, these settings are 5% and 1% respectively. CX-core checks the available disk space on the endpoint once every five minutes.

When the DiskSpaceCriticalPercent threshold is reached, IndexCX pauses indexing until the free disk space is increased above the critical threshold. Endpoints that have reached either the Warning or Critical thresholds will display a health check in the Client Extensions - Status sensor. Use the following question to list all endpoints with a disk space health check:

Get Computer Name and Client Extensions - Status contains disk space from all machines with Client Extensions - Status contains disk space
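The following is an added example, not Tanium code: a POSIX shell sketch for previewing which state an endpoint would fall into for a given pair of thresholds before you change them. The function names, the reading of "reached" as "free space at or below the threshold", and the check that the critical value is lower than the warning value are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Tanium Client): compare free disk space
# with the CX.core.DiskSpaceWarningPercent / DiskSpaceCriticalPercent values.

# Constructed sample `df -P` output (not from a real endpoint): 3% free.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 100000000 97000000 3000000 97% /'

# free_pct_from_df: read `df -P` output on stdin, print integer free percent
# computed from the Used and Available columns of the first data row.
free_pct_from_df() {
    awk 'NR == 2 && ($3 + $4) > 0 { print int($4 * 100 / ($3 + $4)) }'
}

# classify_free FREE_PCT [WARN_PCT] [CRIT_PCT] -> ok | warning | critical
# Defaults are the documented ones (5 and 1). Assumption: a threshold is
# "reached" when free space is at or below it.
classify_free() {
    free=$1; warn=${2:-5}; crit=${3:-1}
    for v in "$free" "$warn" "$crit"; do
        case $v in
            ''|*[!0-9]*) echo "invalid"; return 2 ;;
        esac
    done
    # This example's own sanity check: with crit >= warn, the warning
    # state could never be reported under the assumption above.
    if [ "$crit" -ge "$warn" ]; then
        echo "invalid"; return 2
    fi
    if [ "$free" -le "$crit" ]; then
        echo "critical"
    elif [ "$free" -le "$warn" ]; then
        echo "warning"
    else
        echo "ok"
    fi
}

# Stand-alone use: pass the Tanium Client install directory (site-specific),
# then optional warning and critical percentages.
if [ -n "${1:-}" ]; then
    pct=$(df -P "$1" | free_pct_from_df)
    echo "free=${pct}% state=$(classify_free "$pct" "${2:-5}" "${3:-1}")"
fi
```
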

Modifying client disk space thresholds

The free disk space thresholds can be set via the command line or using a Tanium Action. For more information on modifying client settings, see Tanium Client Management User Guide: Managing client settings and Index configurations.

Command line example:

Set the warning threshold to 10 percent and the critical threshold to 5 percent:

./TaniumClient config set CX.core.DiskSpaceWarningPercent 10

./TaniumClient config set CX.core.DiskSpaceCriticalPercent 5

Tanium action example:

Windows:

    Package: Modify Tanium Client Setting
    RegType: REG_DWORD
    ValueName: CX.core.DiskSpaceWarningPercent
    ValueData: 10

Non-Windows:

    Package: Modify Tanium Client Setting [Non-Windows]
    Type: Numeric
    ValueName: CX.core.DiskSpaceWarningPercent
    ValueData: 10

You can check non-default disk space settings with the question:

Get Tanium Client Explicit Setting[CX.core.DiskSpaceWarningPercent] and Tanium Client Explicit Setting[CX.core.DiskSpaceCriticalPercent] from all machines

A result of “Key/Value not found” indicates that the setting is the default value (5% for Disk Space Warning and 1% for Disk Space Critical).

Remove Reveal tools from endpoints

You can deploy an action to remove Reveal tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
  2. In the results, select the row for Reveal, drill down as necessary, and select the targets from which you want to remove Reveal tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Reveal.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Reinstallation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Reveal to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Reveal databases and logs from the endpoints, clear the selection for Soft uninstall.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

  8. (Optional) To also remove any tools that were dependencies of the Reveal tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

  9. (Optional) In the Deployment Schedule section, configure a schedule for the action.

    If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

  10. Click Show preview to continue.
  11. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Reveal

You might need to remove Reveal from the Tanium Module Server for troubleshooting purposes.

  1. From the Main menu, go to Administration > Configuration > Solutions. Under Reveal, click Uninstall. Click Proceed with Uninstall to complete the process.

  2. Enter your password to start the uninstall process.

    A progress bar displays as the installation package is removed.

  3. Click Close.
  4. If the Reveal module has not updated in the console, refresh your browser.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.