Reference: Common health check issues
Review common Threat Response health check issues and possible solutions. For information about general issues in Threat Response, see Troubleshooting.
Fatal error loading subscriptions: auditd raw logging is enabled. Not loading rules.
Cause
This health check appears when auditd.conf is configured to write raw audit records to the audit log on disk (raw logging) in addition to dispatching them to the audit pipe.
Solution
Use raw logging only where disabling it would drop a data point of interest: for example, when the endpoint has spare CPU and I/O capacity for the extra load and another application, such as Splunk, consumes the raw log. Otherwise, disable it by deploying the Recorder - Disable Raw Logging [Linux] package. The package edits auditd.conf with the setting that disables raw logging for the version of auditd on the endpoint. Then deploy the Recorder - Auditd [Linux] package to restart auditd so that the change takes effect.
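The check below is an added example, not the code of the Recorder - Disable Raw Logging [Linux] package: it reads an auditd.conf, reports whether raw logging is still enabled, and prints the line that disables it for the installed auditd version. The version threshold of 2.5.2 is the release in which write_logs replaced log_format = NOLOG (see auditd.conf(5)); treat it as an assumption to confirm against your build.

```shell
#!/bin/sh
# Added example, not Tanium's package code: report whether an auditd.conf
# enables raw logging and print the line that disables it for a given auditd
# version. The 2.5.2 threshold is the release in which write_logs replaced
# log_format = NOLOG (see auditd.conf(5)); confirm it against your build.

# Effective value of KEY in FILE: the last uncommented "key = value" line wins.
conf_value() {  # conf_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# Raw logging is on unless write_logs = no (auditd 2.5.2 and later) or the
# older log_format = NOLOG is set; either form stops auditd writing log_file.
raw_logging_enabled() {  # raw_logging_enabled FILE
    wl=$(conf_value "$1" write_logs | tr 'A-Z' 'a-z')
    lf=$(conf_value "$1" log_format | tr 'a-z' 'A-Z')
    [ "$wl" = "no" ] && return 1
    [ "$lf" = "NOLOG" ] && return 1
    return 0
}

# Returns 0 when dotted version $1 >= $2, comparing up to three numeric fields.
version_ge() {  # version_ge HAVE WANT
    i=1
    while [ $i -le 3 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f$i); y=$(printf '%s\n' "$2" | cut -d. -f$i)
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# The auditd.conf line that disables raw logging for auditd VERSION.
disable_raw_logging_setting() {  # disable_raw_logging_setting VERSION
    if version_ge "$1" 2.5.2; then echo "write_logs = no"; else echo "log_format = NOLOG"; fi
}

# Installed version, e.g. "3.0.7" from the "auditctl version 3.0.7" banner.
auditd_version() { auditctl -v 2>/dev/null | awk '{ print $NF }'; }

# Usage on an endpoint (reading auditd.conf needs root):
#   raw_logging_enabled /etc/audit/auditd.conf && disable_raw_logging_setting "$(auditd_version)"
```

Both spellings are checked because a config edited by hand on an older auditd may carry log_format = NOLOG while a newer auditd expects write_logs = no; whichever line is present, auditd must be restarted before the health check clears.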
Scan completion took longer than configured scan interval. Maybe under spec or subscription misconfigured?
Cause
This health check appears when an Index scan exceeds the configured scan interval.
Solution
Ensure that all endpoints meet the system requirements for the Client Index Extension and that the subscription is configured properly. To change the scan interval, go to Threat Response Settings > Service > Misc.
Subscription has dropped events: <subscription name>
Cause
This health check appears when the number of pending journal files has reached or exceeded the maximum number of pending files. A single dropped event causes this health check to display; however, no count of dropped events is provided.
Solution
No action on the recorder itself is required for this health check. Ensure that systems meet the minimum requirements. Mitigation might be needed on the consumer side instead, for example when a Signal returns many matches that result in alerts and the consumer falls behind the recorder.
System minimum requirements not met to enable features: Single CPU detected. Not loading rules.
Cause
This health check appears when an endpoint with a single CPU is detected.
Solution
The Client Recorder Extension does not start on an endpoint with a single logical core unless the CX.recorder.EnableSingleCpuRequirement configuration setting is set to 0. To set it, edit the Recorder - Set Recorder Extension Setting [OS] package to add a parameter with the configuration key EnableSingleCpuRequirement and a value of 0, and deploy the package to the appropriate endpoints. Alternatively, run the following command from the Tanium Client directory on each endpoint (overriding the check does not reduce the load the recorder places on the endpoint, so confirm that the single core can sustain it):
(Windows) TaniumClient.exe config set CX.recorder.EnableSingleCpuRequirement 0
(Linux and macOS) ./TaniumClient config set CX.recorder.EnableSingleCpuRequirement 0
All configured audit rules did not load. Check rules for correctness. Recorder may not be seeing all events.
Cause
This health check appears when auditd rejects a rule in the existing ruleset and aborts loading; the rules after the invalid one are never applied, which is why the recorder may miss events. The recorder detects this when auditctl -R /etc/audit/audit.rules returns a nonzero exit code.
Solution
Ensure that no rule in /etc/audit/rules.d/audit.rules is invalid. On systems that use augenrules, the files in /etc/audit/rules.d are merged into /etc/audit/audit.rules at load time, so correct the rule in its source file rather than in the merged file.
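The script below is an added example, not the recorder's code: it repeats the recorder's own test (the exit code of auditctl -R) and, when that fails, feeds the file to auditctl one rule at a time to report the line number of the first rule auditctl rejects. The AUDITCTL variable is only there so the logic can be exercised with a stand-in; on an endpoint it is the real auditctl, run as root. Its accepted rules are applied to the live kernel ruleset as it goes, exactly as a full load would apply them, so reload the corrected file afterwards.

```shell
#!/bin/sh
# Added example, not Tanium's code: repeat the recorder's check, then locate the
# first rule auditctl rejects. AUDITCTL is a variable only so the logic can be
# exercised with a stand-in; on an endpoint it is the real auditctl (run as root).
AUDITCTL=${AUDITCTL:-auditctl}

# The recorder's test: a nonzero exit from "auditctl -R FILE" means a rule
# failed to load and the rules after it were never applied.
rules_load_ok() {  # rules_load_ok FILE
    "$AUDITCTL" -R "$1" >/dev/null 2>&1
}

# Feed FILE to auditctl one rule at a time and print "LINE: RULE" for the first
# rejected rule (return 1), or return 0 when every rule loads. Blank lines and
# comments are skipped as auditctl -R skips them. Each accepted rule is applied
# to the live ruleset as a full load would apply it, so reload the corrected
# file afterwards (augenrules --load, or the Recorder - Auditd [Linux] package).
first_bad_rule() {  # first_bad_rule FILE
    file=$1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # shellcheck disable=SC2086
        set -- $line                        # word-split the rule into arguments
        [ $# -eq 0 ] && continue            # blank line
        case $1 in '#'*) continue ;; esac   # comment
        if ! "$AUDITCTL" "$@" >/dev/null 2>&1; then
            printf '%s: %s\n' "$n" "$line"
            return 1
        fi
    done < "$file"
    return 0
}

# Usage on an endpoint:
#   rules_load_ok /etc/audit/audit.rules || first_bad_rule /etc/audit/audit.rules
```

When only the offending rules are wanted without the per-line walk, auditctl -c -R FILE continues past errors and still exits nonzero if any rule failed; the walk above is useful where the failing line number is needed in a report.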
TaniumAuditPipe not running.
Cause
This health check appears when TaniumAuditPipe is installed but not currently running. It commonly occurs when SELinux is running with a policy that was incorrectly applied.
Solution
Ensure that the Tanium Client directory and the directories above it are not symlinks. Ensure that all SELinux policies have been installed correctly. Review /var/log/messages and confirm that the pipe is starting.
Failed to configure Tanium Driver provider. Check extensions log. Recorder may not be seeing all events.
Cause
This health check appears when a connection to the Tanium Driver cannot be established.
Solution
Use the Tanium Driver Status and Tanium Driver Version sensors to ensure that the Tanium Driver is installed properly and running. Look for error messages in these sensors. You can use Tanium Endpoint Configuration to reinstall the Tanium Driver and/or Tanium Recorder.
Fatal error loading subscriptions: waiting for TaniumAuditPipe to be available. Not getting events.
Cause
This health check appears when audispd is not running or is crashing; on audit 2.x the audit pipe is a child process of audispd. On audit 3.x there is no separate audispd process because the dispatcher is built into auditd, so check auditd itself instead.
Solution
Ensure that the Tanium Client directory and the directories above it are not symlinks. Ensure that all SELinux policies have been installed correctly. Review /var/log/messages and confirm that the pipe is starting.
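The checks for this health check and for "TaniumAuditPipe not running" above share the same advice, so the following added example (not Tanium's code) covers both: it walks the Tanium Client path up to / and reports any component that is a symlink, reports whether auditd, audispd and TaniumAuditPipe are running, and pulls recent SELinux AVC denials that mention Tanium. It assumes /opt/Tanium/TaniumClient as the client directory; pass your own path if the client is installed elsewhere.

```shell
#!/bin/sh
# Added example, not Tanium's code: the checks behind this health check's
# advice. /opt/Tanium/TaniumClient is assumed as the client directory; pass
# your own path if the client is installed elsewhere.

# Print "PATH -> TARGET" for every component of DIR, from DIR up to /, that is a
# symlink. Returns 1 if any is found, 0 if the whole path consists of real
# directories. A relative DIR is resolved against the current directory first.
symlinked_ancestors() {  # symlinked_ancestors DIR
    dir=$1
    case $dir in /*) ;; *) dir="$PWD/$dir" ;; esac
    dir=${dir%/}                            # drop a trailing slash
    found=0
    while [ -n "$dir" ] && [ "$dir" != "/" ]; do
        if [ -L "$dir" ]; then
            printf '%s -> %s\n' "$dir" "$(readlink "$dir")"
            found=1
        fi
        dir=$(dirname "$dir")
    done
    return $found
}

# Is the process that should parent TaniumAuditPipe running? audit 2.x runs a
# separate audispd; audit 3.x builds the dispatcher into auditd, so on those
# systems "audispd: not running" is expected and only auditd matters.
dispatcher_status() {
    for p in auditd audispd TaniumAuditPipe; do
        if pgrep -x "$p" >/dev/null 2>&1; then
            echo "$p: running"
        else
            echo "$p: not running"
        fi
    done
}

# SELinux denials from the last ten minutes that mention Tanium: if a policy
# was not applied, the pipe's failure to start usually shows up here.
recent_tanium_avc_denials() {
    ausearch -m AVC -ts recent 2>/dev/null | grep -i tanium
}

# Usage on an endpoint (as root):
#   symlinked_ancestors /opt/Tanium/TaniumClient || echo "replace the listed symlinks with real directories"
#   dispatcher_status
#   recent_tanium_avc_denials
```

The symlink walk checks each ancestor with its own path rather than resolving the whole path once, so a symlink anywhere between / and the client directory is reported, including a symlinked /opt or a symlinked Tanium directory beneath a real /opt.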
Profile and/or Intel not fully resolved.
Cause
This health check displays when profiles or intel are not up to date or are incomplete on endpoints.
Solution
Ensure that intel and profiles are deployed to endpoints and that all endpoints meet the minimum requirements. Use the Client Extensions – Status sensor to verify that the profile and intel versions are the expected versions.
Last updated: 9/25/2023 11:32 AM