To collect and send information to Tanium for troubleshooting, collect logs and other relevant information.
Use the Reveal - Status sensor to query the status of Reveal on endpoints in an environment. From Tanium Interact, ask the question Get Reveal - Status[*] from all machines. The results grid provides detailed information regarding the status of Reveal, and tools that Reveal uses to discover sensitive data.
If the value of Reveal Status in the results grid displays as Needs Attention there are troubleshooting steps you can take to determine the cause, and to correct any issues that Reveal encounters. The following table describes situations that cause the value of the Reveal Status row in the results grid to display Needs Attention and corresponding corrective measures to take to resolve.
|Possible reason||Steps for remediation|
|Files have been dropped from the Reveal database||It is possible that the maximum size allowed for the Reveal database has been exceeded, and as a result, files have been dropped. The <Tanium Client>/Tools/Reveal/results/drop_latest.json file contains detailed information. If this is the cause, you can increase the Maximum Database Size setting. See Endpoint configuration settings for more information.|
|A previous Reveal indexing pass might have ended with a failure||The <Tanium Client>/Tools/Reveal/results/status.failed.json file contains detailed information that is useful for troubleshooting. Additionally, <Tanium Client>/Logs/extensions0.txt contains useful information. For more information, see Contact Tanium Support.|
|There is no data from a previous Reveal indexing pass||It is possible that Reveal has not yet run on the endpoint. The Reveal Status value displays as OK when Reveal runs on the endpoint and results have been returned.|
The latest data is stale
If there are Reveal results available, but they have not been updated in two hours, it indicates the Reveal process is not running even though it is installed. Verify that the endpoint is receiving the Deploy Start Indexing action. The Reveal Status value displays as OK when Reveal runs on the endpoint and results have been returned.
If you are unable to remediate a Reveal Status of Needs Attention, see Contact Tanium Support.
The following table lists contributing factors into why the Reveal coverage metric might be lower than expected, and corrective actions you can make.
|Contributing factor||Corrective action|
|Tools Not Deployed||
Verify Tanium Clients are current and supported. For more information see Requirements: Tanium dependencies.
Ensure the Reveal Action Group is set to All Computers.
Ensure the Trends Action Group is set to All Computers.
Ensure the intended Reveal targets are in the appropriate Computer Groups.
Ensure the Computer Groups are included in the appropriate Rule Set in Reveal.
|Index Health and Configuration||
Ensure Index is properly configured and operating as expected on the endpoints.
Ensure you are not excluding the files you want Reveal to scan from indexing or hashing. This could be by an ExcludeFrom(Hashing|Indexing) setting or if the file exceeds the setting of MaxFileSizeToHashMB, 32MB by default.
Use the Index Resolved Config sensor to see how Index combined any Index configuration files from all modules using Index.
The following table lists contributing factors into why the endpoints with confirmed sensitive data metric might be higher than expected, and corrective actions you can make.
|Contributing factor||Corrective action|
|See “Tools Not Deployed” and “Index Health and Configuration” above.||
See the Corrective Actions for “Tools Not Deployed” and “Index Health and Configuration” in the preceding table.
|Recently updated rule not on desired endpoint(s) or the rule(s) or Reveal may not yet have had time to be processed.||
After deploying a rule, it might take several hours to begin to see results. You might need to allow Reveal a couple more hours. If longer than a few hours has passed, you can ask the Tanium question “Get Reveal - Background Scan Results[*] from all machines”. In the results, look for the name of the rule you are troubleshooting. Use the Filter Text box to filter to just that rule. Select columns to display and add “Rule Revision”. Use Tanium to drill down to find out about any hosts with outdated rule.
|Reveal Rules not targeted as desired or required||To assign Reveal rules, they must be assigned to a Rule Set and the Rule Set must target the desired computer groups. First, review the specific Rule and make sure it’s assigned to a Rule Set. Next, review the Rule Set and confirm it targets the appropriate Computer Group. Examine the Computer Group and ensure that it properly targets the desired computers.|
|Reveal findings are not yet confirmed||Reveal finds matches to rules, but the findings are only confirmed once an analyst confirms or rejects the findings. Click the results of the desired rule, then select and connect to an endpoint with findings. Select a file to see the snippets, then highlight an appropriate selection of text and click Confirm to create a validation - confirmed or rejected - of the rule. All similar snippets on all endpoints then show confirmed results. Rejected snippets no longer display in the results.|
The following table lists contributing factors into why the endpoints with unconfirmed sensitive data metric might be higher than expected, and corrective actions you can make.
|Contributing factor||Corrective action|
|Reveal not fully deployed or operational||
See the corrective actions detailed in the previous two tables to ensure Reveal tools and rules are properly targeted and deployed.
|Reveal findings are not yet confirmed||
Reveal finds matches to rules, but the findings are only confirmed once an analyst confirms or rejects the findings. Click the results of the desired rule, then select and connect to an endpoint with findings. Select a file to see the snippets, then highlight an appropriate selection of text and click Confirm to create a confirmed match of the rule. All similar snippets on all endpoints then show confirmed results.
The information is saved as a ZIP file that you can download with your browser.
- From the Reveal Overview page, click Help , then the Troubleshooting tab.
- Click Create Package. When the status shows that the package is complete, click Download Package.
- A reveal-troubleshooting.zip file downloads to the local download directory.
- Attach the ZIP file to your Tanium Support case form or Contact Tanium Support.
Tanium Reveal maintains logging information in the reveal.log and reveal-audit.log files in the <Module Server>\services\reveal-files\logs directory.
You can deploy an action to remove Reveal tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.
- In Interact, target the computers from which you want to remove the tools. For example, ask a question that targets a specific operating system:
Get Endpoint Configuration - Tools Status from all machines with Is <OS> equals True , for example:
Get Endpoint Configuration - Tools Status from all machines with Is Windows equals True
- In the results, select the row for Reveal, drill down as necessary, and select the targets from which you want to remove Reveal tools. For more information, see Tanium Interact User Guide: Managing question results.
- Click Deploy Action.
- On the Deploy Action page, enter Endpoint Configuration - Uninstall in the Enter package name here box, and select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
For Tool Name, select Reveal.
(Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Re-installation occurs almost immediately.
If reinstallation is blocked on an endpoint, you must deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints) before the tools can be reinstalled.
(Optional) To remove all Reveal databases and logs from the endpoints, clear the selection for Soft uninstall.
(Optional) To also remove any tools that were dependencies of the Reveal tools that are not dependencies for tools from other modules, select Remove unreferenced dependencies.
- Click Show preview to continue.
A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.
If you have enabled Endpoint Configuration, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.
You might need to remove Reveal from the Tanium Module Server for troubleshooting purposes.
From the Main menu, go to Administration > Configuration > Solutions. Under Reveal, click Uninstall. Click Proceed with Uninstall to complete the process.
- Enter your password to start the uninstall process.
A progress bar displays as the installation package is removed.
- Click Close.
If the Reveal module has not updated in the console, refresh your browser.
To contact Tanium Support for help, sign into https://support.tanium.com.
Last updated: 3/4/2021 8:49 AM | Feedback