Troubleshooting Reveal

To collect and send information to Tanium for troubleshooting, collect logs and other relevant information.

Remediating "Needs Attention" messages from Reveal Status

Use the Reveal - Status sensor to query the status of Reveal on endpoints in an environment. From Tanium Interact, ask the question Get Reveal - Status[*] from all machines. The results grid provides detailed information regarding the status of Reveal, and tools that Reveal uses to discover sensitive data.

If the value of Reveal Status in the results grid displays as Needs Attention, there are troubleshooting steps you can take to determine the cause and to correct any issues that Reveal encounters. The following table describes the situations that cause the Reveal Status row in the results grid to display Needs Attention, and the corrective measures to take to resolve them.

Possible reason: Files have been dropped from the Reveal database.
Steps for remediation: It is possible that the maximum size allowed for the Reveal database has been exceeded, and as a result, files have been dropped. The <Tanium Client>/Tools/Reveal/results/drop_latest.json file contains detailed information. If this is the cause, you can increase the Maximum Database Size setting. See Endpoint configuration settings for more information.

Possible reason: A previous Reveal indexing pass might have ended with a failure.
Steps for remediation: The <Tanium Client>/Tools/Reveal/results/status.failed.json file contains detailed information that is useful for troubleshooting. Additionally, the <Tanium Client>/Tools/Reveal/log/reveal.index.log and <Tanium Client>/Tools/Reveal/log/reveal.log files contain useful information. For more information, see Contact Tanium Support.

Possible reason: There is no data from a previous Reveal indexing pass.
Steps for remediation: It is possible that Reveal has not yet run on the endpoint. The Reveal Status value displays as OK when Reveal runs on the endpoint and results have been returned.

Possible reason: The latest data is stale.
Steps for remediation: If there are Reveal results available, but they have not been updated in two hours, it indicates the Reveal process is not running even though it is installed. Verify that the endpoint is receiving the Deploy Start Indexing action. The Reveal Status value displays as OK when Reveal runs on the endpoint and results have been returned.
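As an added example (not Tanium's code), the following Python helper reproduces the decision logic of the table above against a local <Tanium Client> tree: it checks for drop_latest.json and status.failed.json, treats an empty results directory as "no data", and treats result files older than two hours as stale. The data file name results.json, the build_sample_endpoint helper and the rule that any other file in results/ counts as output from a completed pass are assumptions; the real Reveal - Status sensor may check differently.

```python
import os
import tempfile
import time
from pathlib import Path

STALE_AFTER_SECONDS = 2 * 60 * 60          # the page's two-hour staleness threshold
MARKER_FILES = {"drop_latest.json", "status.failed.json"}


def reveal_status(client_root, now=None):
    """Return ("OK" | "Needs Attention", [reasons]) for one endpoint's Reveal tree."""
    now = time.time() if now is None else now
    results = Path(client_root) / "Tools" / "Reveal" / "results"
    reasons = []
    if (results / "drop_latest.json").exists():
        reasons.append("files dropped from the Reveal database: raise Maximum Database Size")
    if (results / "status.failed.json").exists():
        reasons.append("previous indexing pass failed: read status.failed.json and reveal.index.log")
    # Assumption: any other file in results/ is output from a completed indexing pass.
    data = [p for p in results.iterdir() if p.is_file() and p.name not in MARKER_FILES] if results.is_dir() else []
    if not data:
        reasons.append("no data from a previous indexing pass: Reveal may not have run yet")
    elif now - max(p.stat().st_mtime for p in data) > STALE_AFTER_SECONDS:
        reasons.append("latest data is stale: verify the Deploy Start Indexing action is received")
    return ("Needs Attention" if reasons else "OK"), reasons


def build_sample_endpoint(files, age_seconds=0):
    """Create a constructed <Tanium Client> tree holding the named result files (hypothetical helper)."""
    root = Path(tempfile.mkdtemp(prefix="reveal-demo-"))
    results = root / "Tools" / "Reveal" / "results"
    results.mkdir(parents=True)
    stamp = time.time() - age_seconds
    for name in files:
        path = results / name
        path.write_text("{}")              # placeholder content; real files hold Reveal's JSON
        os.utime(path, (stamp, stamp))     # back-date the file to simulate an old pass
    return root


def run_demo():
    """Exercise each row of the table on constructed endpoints; returns {case: status}."""
    cases = {
        "healthy": build_sample_endpoint(["results.json"]),
        "dropped": build_sample_endpoint(["results.json", "drop_latest.json"]),
        "failed": build_sample_endpoint(["results.json", "status.failed.json"]),
        "never_ran": build_sample_endpoint([]),
        "stale": build_sample_endpoint(["results.json"], age_seconds=3 * 60 * 60),
    }
    return {case: reveal_status(root)[0] for case, root in cases.items()}


if __name__ == "__main__":
    for case, status in run_demo().items():
        print(f"{case:10s} {status}")
```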

If you are unable to remediate a Reveal Status of Needs Attention, contact your TAM.

Monitor and troubleshoot Reveal coverage

The following table lists contributing factors that explain why the Reveal coverage metric might be lower than expected, and the corrective actions you can take.

Contributing factor: Tools Not Deployed
Corrective action:

    Verify that Tanium Clients are current and supported. For more information, see Requirements: Tanium dependencies.

    Ensure the Reveal Action Group is set to All Computers.

    Ensure the Trends Action Group is set to All Computers.

    Ensure the intended Reveal targets are in the appropriate Computer Groups.

    Ensure the Computer Groups are included in the appropriate Rule Set in Reveal.

Contributing factor: Index Health and Configuration
Corrective action:

    Ensure Index is properly configured and operating as expected on the endpoints. You may need to work with your TAM for further assistance.

    Ensure you are not excluding the files you want Reveal to scan from indexing or hashing. Files can be excluded by an ExcludeFromHashing or ExcludeFromIndexing setting, or because the file exceeds the MaxFileSizeToHashMB setting (32MB by default).

    Use the Index Resolved Config sensor to see how Index combined the Index configuration files from all modules that use Index.

Monitor and troubleshoot endpoints with confirmed sensitive data

The following table lists contributing factors that explain why the endpoints with confirmed sensitive data metric might be higher than expected, and the corrective actions you can take.

Contributing factor: See “Tools Not Deployed” and “Index Health and Configuration” above.
Corrective action: See the Corrective Actions for “Tools Not Deployed” and “Index Health and Configuration” in the preceding table.

Contributing factor: A recently updated rule has not reached the desired endpoint(s), or Reveal has not yet had time to process the rule(s).
Corrective action: After deploying a rule, it might take several hours to begin to see results. You might need to allow Reveal a couple more hours. If longer than a few hours has passed, you can ask the Tanium question “Get Reveal - Background Scan Results[*] from all machines”. In the results, look for the name of the rule you are troubleshooting. Use the Filter Text box to filter to just that rule. Select columns to display and add “Rule Revision”. Use Tanium to drill down to find any hosts with an outdated rule revision.

Contributing factor: Reveal Rules are not targeted as desired or required.
Corrective action: To assign Reveal rules, they must be assigned to a Rule Set, and the Rule Set must target the desired computer groups. First, review the specific Rule and make sure it is assigned to a Rule Set. Next, review the Rule Set and confirm it targets the appropriate Computer Group. Examine the Computer Group and ensure that it properly targets the desired computers.

Contributing factor: Reveal findings are not yet confirmed.
Corrective action: Reveal finds matches to rules, but the findings are only confirmed once an analyst confirms or rejects the findings. Click the results of the desired rule, then select and connect to an endpoint with findings. Select a file to see the snippets, then highlight an appropriate selection of text and click Confirm to create a validation (confirmed or rejected) of the rule. All similar snippets on all endpoints then show confirmed results. Rejected snippets no longer display in the results.

Monitor and troubleshoot endpoints with unconfirmed sensitive data

The following table lists contributing factors that explain why the endpoints with unconfirmed sensitive data metric might be higher than expected, and the corrective actions you can take.

Contributing factor: Reveal is not fully deployed or operational.
Corrective action: See the corrective actions detailed in the previous two tables to ensure Reveal tools and rules are properly targeted and deployed.

Contributing factor: Reveal findings are not yet confirmed.
Corrective action: Reveal finds matches to rules, but the findings are only confirmed once an analyst confirms or rejects the findings. Click the results of the desired rule, then select and connect to an endpoint with findings. Select a file to see the snippets, then highlight an appropriate selection of text and click Confirm to create a confirmed match of the rule. All similar snippets on all endpoints then show confirmed results.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

  1. From the Reveal Home page, click Help, then the Troubleshooting tab.
  2. Click Create Package. When the status shows that the package is complete, click Download Package.
  3. A reveal-troubleshooting.zip file downloads to the local download directory.
  4. Attach the ZIP file to your Tanium Support case form or send it to your TAM.

Tanium Reveal maintains logging information in the reveal.log and reveal-audit.log files in the <Tanium Module Server>\services\reveal-files\logs directory.

Uninstall Reveal

You might need to remove Reveal from the Tanium Module Server for troubleshooting purposes.

  1. From the Tanium Console, click Solutions.

    The Solutions page opens.

  2. Locate Reveal, and then click Uninstall.

    The Uninstall window opens, showing the list of contents to be removed.

  3. Click Proceed with Uninstall.
  4. Enter your password to start the uninstall process.

    A progress bar displays as the installation package is removed.

  5. Click Close.
  6. To confirm, return to the Solutions page and check that the Import button is available.

    If the Reveal module has not updated in the console, refresh your browser.

Contact Tanium Support

To contact Tanium Support for help, send an email to [email protected].

Last updated: 9/18/2020 1:06 PM