Troubleshooting Reveal

To collect and send information to Tanium for troubleshooting, collect logs and other relevant information.

Remediating "Needs Attention" messages from Reveal Status

Use the Reveal - Status sensor to query the status of Reveal on endpoints in an environment. From Tanium Interact, ask the question Get Reveal - Status[*] from all machines. The results grid provides detailed information regarding the status of Reveal, and tools that Reveal uses to discover sensitive data.

If the value of Reveal Status in the results grid displays as Needs Attention there are troubleshooting steps you can take to determine the cause, and to correct any issues that Reveal encounters. The following table describes situations that cause the value of the Reveal Status row in the results grid to display Needs Attention and corresponding corrective measures to take to resolve.

Possible reason Steps for remediation
Files have been dropped from the Reveal database It is possible that the maximum size allowed for the Reveal database has been exceeded, and as a result, files have been dropped. The <Tanium Client>/Tools/Reveal/results/drop_latest.json file contains detailed information. If this is the cause, you can increase the Maximum Database Size setting. See Endpoint configuration settings for more information.
A previous Reveal indexing pass might have ended with a failure The <Tanium Client>/Tools/Reveal/results/status.failed.json file contains detailed information that is useful for troubleshooting. Additionally, the <Tanium Client>/Tools/Reveal/log/reveal.index.log and <Tanium Client>/Tools/Reveal/log/reveal.log contain useful information. You can provide these files to your TAM for help determining the need for attention.
There is no data from a previous Reveal indexing pass It is possible that Reveal has not yet run on the endpoint. The Reveal Status value displays as OK when Reveal runs on the endpoint and results have been returned.

The latest data is stale

If there are Reveal results available, but they have not been updated in two hours, it indicates the Reveal process is not running even though it is installed. Verify that the endpoint is receiving the Deploy Start Indexing action. The Reveal Status value displays as OK when Reveal runs on the endpoint and results have been returned.

If you are unable to remediate a Reveal Status of Needs Attention, contact your TAM.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

  1. From the Reveal Home page, click Help , then the Troubleshooting tab.
  2. Click Create Package. When the status shows that the package is complete, click Download Package.
  3. A reveal-troubleshooting.zip file downloads to the local download directory.
  4. Attach the ZIP file to your Tanium Support case form or send it to your TAM.

Tanium Reveal maintains logging information in the reveal.log and reveal-audit.log files in the <Tanium Module Server>\services\reveal-files\logs directory.

Uninstall Reveal

You might need to remove Reveal from the Tanium Module Server for troubleshooting purposes.

  1. From the Tanium Console, click Solutions.

    The Solutions page opens.

  2. Locate Reveal, and then click Uninstall.

    The Uninstall window opens, showing the list of contents to be removed.

  3. Click Proceed with Uninstall.
  4. Enter your password to start the uninstall process.

    A progress bar displays as the installation package is removed.

  5. Click Close.
  6. To confirm, return to the Solutions page and check that the Import button is available.

    If the Reveal module has not updated in the console, refresh your browser.

Last updated: 3/31/2020 2:22 PM | Feedback