Troubleshooting Reveal

To get help from Tanium with a problem, collect logs and other relevant information and send them to Tanium Support.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

  1. From the Reveal Overview page, click Help, then click the Troubleshooting tab.
  2. Click Create Package. When the status shows that the package is complete, click Download Package.
  3. A reveal-troubleshooting.zip file downloads to the local download directory.
  4. Attach the ZIP file to your Tanium Support case form or Contact Tanium Support.

Tanium Reveal maintains logging information in the reveal.log and reveal-audit.log files in the <Module Server>\services\reveal-files\logs directory.

Remediating "Needs Attention" messages from Reveal Status

Use the Reveal - Status sensor to query the status of Reveal on endpoints in an environment. From Tanium Interact, ask the question Get Reveal - Status[*] from all machines. The results grid provides detailed information about the status of Reveal and of the tools that Reveal uses to discover sensitive data.

If the value of Reveal Status in the results grid displays as Needs Attention, there are troubleshooting steps you can take to determine the cause and to correct any issues that Reveal encounters. The following table describes situations that cause the Reveal Status row in the results grid to display Needs Attention, and the corresponding corrective measures to take to resolve them.

Possible reason: Files have been dropped from the Reveal database
Steps for remediation: The maximum size allowed for the Reveal database might have been exceeded, causing files to be dropped. The <Tanium Client>/Tools/Reveal/results/drop_latest.json file contains detailed information. If this is the cause, you can increase the Maximum Database Size setting. To change this setting from the default value, create and deploy a custom profile. For more information, see Creating profiles.

Possible reason: A previous Reveal indexing pass might have ended with a failure
Steps for remediation: The <Tanium Client>/Tools/Reveal/results/status.failed.json file contains detailed information that is useful for troubleshooting. <Tanium Client>/Logs/extensions0.txt also contains useful information. For more information, see Contact Tanium Support.

Possible reason: There is no data from a previous Reveal indexing pass
Steps for remediation: Reveal might not yet have run on the endpoint. The Reveal Status value displays OK after Reveal runs on the endpoint and results are returned.

If you are unable to remediate a Reveal Status of Needs Attention, see Contact Tanium Support.

Monitor and troubleshoot Reveal coverage

The following table lists factors that can cause the Reveal coverage metric to be lower than expected, and the corrective actions you can take.

Contributing factor: Tools Not Deployed
Corrective action:

    • Verify Tanium Clients are current and supported. For more information, see Requirements: Tanium dependencies.

    • Ensure the Reveal Action Group is set to All Computers.

    • Ensure the Trends Action Group is set to All Computers.

    • Ensure the intended Reveal targets are in the appropriate Computer Groups.

    • Ensure the Computer Groups are included in the appropriate Rule Set in Reveal.

Contributing factor: Index Health and Configuration
Corrective action:

    • Ensure Index is properly configured and operating as expected on the endpoints.

    • Ensure you are not excluding the files you want Reveal to scan from indexing or hashing. A file can be excluded by an ExcludeFromHashing or ExcludeFromIndexing setting, or because its size exceeds the MaxFileSizeToHashMB setting (32 MB by default).

    • Use the Index Resolved Config sensor to see how Index combined the Index configuration files from all modules that use Index.
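As an added example that is not part of Tanium's documentation or software, the following Python script applies the three exclusion checks above to a list of files so you can confirm offline that the files you expect Reveal to scan are not excluded. It assumes the resolved Index configuration is a dictionary whose ExcludeFromHashing and ExcludeFromIndexing entries are regular expressions matched against the full path; the real Index configuration format may differ, and the config and file list below are constructed.

```python
import re

# Assumption: exclusion entries are regular expressions matched against the
# full path, and MaxFileSizeToHashMB is a size limit in megabytes (32 by default).
DEFAULT_MAX_HASH_MB = 32


def _matching_patterns(patterns, path):
    """Return the patterns from the list that match the given path."""
    return [pat for pat in patterns if re.search(pat, path)]


def check_file(path, size_bytes, config):
    """Return the reasons Reveal would not see this file; an empty list means it is covered."""
    reasons = []
    for pat in _matching_patterns(config.get("ExcludeFromIndexing", []), path):
        reasons.append(f"excluded from indexing by ExcludeFromIndexing pattern {pat!r}")
    for pat in _matching_patterns(config.get("ExcludeFromHashing", []), path):
        reasons.append(f"excluded from hashing by ExcludeFromHashing pattern {pat!r}")
    max_mb = config.get("MaxFileSizeToHashMB", DEFAULT_MAX_HASH_MB)
    if size_bytes > max_mb * 1024 * 1024:
        reasons.append(f"size {size_bytes} bytes exceeds MaxFileSizeToHashMB={max_mb}")
    return reasons


def coverage_report(files, config):
    """Map each (path, size) pair to its list of exclusion reasons."""
    return {path: check_file(path, size, config) for path, size in files}


# Constructed sample: a resolved config and the files an analyst expects Reveal to scan.
SAMPLE_CONFIG = {
    "ExcludeFromIndexing": [r"\\Windows\\", r"\\Program Files\\"],
    "ExcludeFromHashing": [r"\.iso$", r"\.vhdx?$"],
    # MaxFileSizeToHashMB is deliberately absent, so the 32 MB default applies.
}
SAMPLE_FILES = [
    (r"C:\Users\alice\Documents\customers.xlsx", 2 * 1024 * 1024),    # covered
    (r"C:\Windows\Temp\cache.dat", 100),                               # indexing exclusion
    (r"C:\Users\alice\Downloads\backup.iso", 2 * 1024 * 1024 * 1024),  # hashing + size
    (r"C:\Users\bob\archive.pst", 40 * 1024 * 1024),                   # over 32 MB
]

if __name__ == "__main__":
    for path, reasons in coverage_report(SAMPLE_FILES, SAMPLE_CONFIG).items():
        status = "covered" if not reasons else "; ".join(reasons)
        print(f"{path}: {status}")
```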

Monitor and troubleshoot endpoints with confirmed sensitive data

The following table lists factors that can cause the endpoints with confirmed sensitive data metric to be higher than expected, and the corrective actions you can take.

Contributing factor: Reveal tools not deployed, or Index health and configuration issues
Corrective action: See the corrective actions for "Tools Not Deployed" and "Index Health and Configuration" in the preceding table.

Contributing factor: A recently updated rule has not reached the desired endpoints, or Reveal has not yet had time to process the rule
Corrective action: After deploying a rule, it might take several hours to begin to see results, so you might need to allow Reveal a couple more hours. If more than a few hours have passed, ask the Tanium question "Get Reveal - Background Scan Results[*] from all machines". In the results, look for the name of the rule you are troubleshooting, and use the Filter Text box to filter to just that rule. Select columns to display and add "Rule Revision". Use Tanium to drill down and identify any hosts with an outdated rule revision.

Contributing factor: Reveal rules not targeted as desired or required
Corrective action: To assign Reveal rules, they must be assigned to a Rule Set, and the Rule Set must target the desired computer groups. First, review the specific Rule and make sure it is assigned to a Rule Set. Next, review the Rule Set and confirm that it targets the appropriate Computer Group. Finally, examine the Computer Group and ensure that it properly targets the desired computers.

Contributing factor: Reveal findings are not yet confirmed
Corrective action: Reveal finds matches to rules, but the findings are only confirmed once an analyst confirms or rejects them. Click the results of the desired rule, then select and connect to an endpoint with findings. Select a file to see the snippets, then highlight an appropriate selection of text and click Confirm to create a validation (confirmed or rejected) of the rule. All similar snippets on all endpoints then show confirmed results. Rejected snippets no longer display in the results.

Monitor and troubleshoot endpoints with unconfirmed sensitive data

The following table lists factors that can cause the endpoints with unconfirmed sensitive data metric to be higher than expected, and the corrective actions you can take.

Contributing factor: Reveal not fully deployed or operational
Corrective action: See the corrective actions detailed in the previous two tables to ensure Reveal tools and rules are properly targeted and deployed.

Contributing factor: Reveal findings are not yet confirmed
Corrective action: Reveal finds matches to rules, but the findings are only confirmed once an analyst confirms or rejects them. Click the results of the desired rule, then select and connect to an endpoint with findings. Select a file to see the snippets, then highlight an appropriate selection of text and click Confirm to create a confirmed match of the rule. All similar snippets on all endpoints then show confirmed results.

Identify and resolve issues with client extensions

Use the following steps to troubleshoot issues with the client extensions that Reveal installs and uses. During troubleshooting, consider environmental factors such as security exclusions, file locks, CPU usage, RAM usage, and disk failures.

To review the client extensions that Reveal installs and uses, see Client extensions.

  1. To review the health of client extensions or to start an investigation into an existing error, ask a question using the Client Extensions - Status or Reveal - Tools Version sensor.

    The results of these questions help to identify endpoints with errors and provide a starting point to deploy actions that might help correct the issue. Filter the results and drill down as necessary to investigate results that indicate errors.

    Consider whether endpoints with errors share common characteristics, such as operating system, domain or organization unit, or the antivirus software that is installed.

  2. Target one or more endpoints with errors, and uninstall tools that report errors without blocking reinstallation: see Remove Reveal tools from endpoints and Endpoint Configuration User Guide: Uninstall a tool installed by Endpoint Configuration.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

    Wait for automatic reinstallation of the tool. If the reinstallation does not resolve the issue, continue to the next step.

  3. Ask a question using the Endpoint Configuration - Tools Status Details sensor, and include filters to limit the results to the tool that you are investigating. For example:

    Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Reveal from all machines with Endpoint Configuration - Tools Status:Tool Name contains Reveal

    Review the columns in the results for specific information about errors. The following table provides guidance for some common error conditions:

    Error condition: No error appears, but an available new version has not been installed
    Possible resolution: Review the Targeted Version column to make sure that the endpoint has received the latest manifest. If the targeted version does not yet show the updated version, the Endpoint Configuration manifest has not updated on the endpoint, usually for one of the following reasons:

    Error condition: Installation Blocker: Unmet Dependencies: [Tool name]
    Possible resolution: If no Failure Message or Failure Step appears, the endpoint might be waiting for the dependencies to install. Wait to see if the condition resolves on its own. If this condition remains for an extended period, ask the question again and review any error information in other columns, especially the Failing Dependency column.

    Error condition: Failing Dependency: [Tool name]
    Possible resolution: Ask the question: Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains [Tool name] from all machines with Endpoint Configuration - Tools Status:Tool Name contains [Tool name]. Then investigate further errors with the tool.

    Error condition: Manually Blocked: blocked
    Possible resolution: The tool was previously blocked, either manually or during a previous uninstallation. Unblock the tool: see Endpoint Configuration User Guide: Block or unblock tools from installing on an endpoint.
  4. Review the Extensions logs on the endpoint. Take note of entries that include fail or error: see Review the Extensions log for an endpoint.

For additional help, collect all logs for Tanium Reveal, and contact Tanium Support.

Review the Extensions log for an endpoint

Use Client Management to directly connect to an endpoint and view and download extension logs.

  1. From the Main menu, go to Administration > Shared Services > Client Management.

  2. From the Client Management menu, click Client Health.

  3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

    Matching results are displayed after the search completes.

  4. From the search results, click the computer name to connect to the endpoint.
  5. Click the Logs tab, and select an extensions[#].log file.

  6. (Optional) To download the log, click Download.

For additional help, collect all logs for Tanium Reveal, and contact Tanium Support.

Remove Reveal tools from endpoints

You can deploy an action to remove Reveal tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
  2. In the results, select the row for Reveal, drill down as necessary, and select the targets from which you want to remove Reveal tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Reveal.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be reinstalled automatically, clear the selection for Block reinstallation. Reinstallation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Reveal to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Reveal databases and logs from the endpoints, clear the selection for Soft uninstall.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

  8. (Optional) To also remove any tools that were dependencies of the Reveal tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

  9. (Optional) In the Deployment Schedule section, configure a schedule for the action.

    If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

  10. Click Show preview to continue.
  11. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Reveal

You might need to remove Reveal from the Tanium Module Server for troubleshooting purposes.

  1. From the Main menu, go to Administration > Configuration > Solutions. Under Reveal, click Uninstall. Click Proceed with Uninstall to complete the process.

  2. Enter your password to start the uninstall process.

    A progress bar displays as the installation package is removed.

  3. Click Close.
  4. If the Reveal module has not updated in the console, refresh your browser.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.