This section identifies resources that you can use when troubleshooting issues with the Tanium Client and with Client Management.
Basic tips
Review the Tanium Client installation log to troubleshoot installation on Windows
If you encounter issues with your installation on Windows endpoints, examine Install.log in the Tanium Client installation directory to identify actions that failed during the installation. The Tanium Client installer generates this log file to record a chronology of the actions that the installer performed. Each time the installer runs (that is, for each installation and upgrade), it appends the actions for that execution to the end of the existing log file.

Troubleshoot issues with connection and registration
If the Tanium Client fails to connect or register with Tanium Cloud, the Tanium Server, or Zone Server, does not establish the expected peer connections, or fails to respond to questions, review the Tanium Client logs, and check the following items.

Check the client status

Verify that the Tanium Client service and process are running on an endpoint
Check the status of the Tanium Client service and, if necessary, restart it:
Additionally, you can use the following commands to verify that the Tanium Client process is running:
If the Tanium Client service, process, or installation directory does not exist, reinstall the Tanium Client. For more information, see Deploying the Tanium Client using Client Management and Deploying the Tanium Client using an installer or package file.

Verify port accessibility and security exclusions
Make sure that communication on port 17472 (or the otherwise configured custom port) is allowed by any firewalls and other security applications. Make sure that security exclusions are in place for Tanium Client directories and processes. For more information, see Security exclusions for Tanium Client.

Verify server or Tanium Cloud connection settings
For server or Tanium Cloud connection issues, use the following commands to review and verify the server connection settings for the client.
If any settings are incorrect, or for more information about server or Tanium Cloud connections, see Configuring connections to the Tanium Core Platform. For peer connection issues, see Configuring Tanium Client peering.

Test DNS resolution
If you use fully qualified domain names for the Tanium Servers and Zone Servers that are specified for ServerNameList, use the following command to test the DNS resolution for each server name:
nslookup <server_FQDN>
For Tanium Cloud, use the following command to test the DNS resolution for each Tanium Cloud Client Edge URL that is specified for ServerNameList:
nslookup <Tanium Cloud_Client_Edge_URL>
If the command does not return one or more IP addresses for the server name or Tanium Cloud Client Edge URL, there is likely an issue with DNS resolution. Work with your network administrator to resolve the issue.

Test network connectivity and port accessibility
To verify that the endpoint can communicate with port 17472 on a Tanium Cloud Client Edge URL, use one of the following commands:
If the connection fails, work with your network administrator to make sure that your Tanium Cloud Client Edge URLs are reachable from your network, and that connections to those URLs and communication on port 17472 are allowed by any firewalls and other security applications.

Collect troubleshooting information from endpoints
You can use Client Management to directly connect to an endpoint and collect a bundle of logs and other artifacts.
For more information about connecting directly to endpoints, see Tanium Direct Connect User Guide. For more information about using client health features in Client Management, see Monitor the client health overview in Client Management and Access detailed client health and troubleshooting information on an endpoint.

Access individual endpoint logs in Client Management
You can use Client Management to directly connect to an endpoint and view and download individual logs.

Review Tanium Client logs to troubleshoot connections and other client issues
Review Tanium Client logs to help you troubleshoot client issues. For example, a client might not answer questions or appear in the Tanium Console (Administration > Configuration > Client Status) because that client cannot connect to Tanium Cloud, the Tanium Server, or Zone Server. In this case, you can review the client logs to determine whether the connection failed due to an invalid Client Edge URL or server IP address, DNS resolution failure, missing Tanium public key file, or firewall rule.

The Tanium Client writes new client logs to the file log0.txt. The default maximum log file size is 10 MB. When log0.txt reaches the maximum size, the client renames it log1.txt and then creates a new log0.txt. When log0.txt again reaches the maximum, the client renames log1.txt as log2.txt, again renames log0.txt as log1.txt, and again creates a new log0.txt. The process of rolling logs whenever log0.txt reaches the maximum size continues until 10 logs exist: log0.txt to log9.txt.

When log0.txt reaches the maximum size again after that, the client compresses log9.txt as a file named log10.zip. When log0.txt again reaches 10 MB, the client renames log10.zip as log11.zip and again compresses log9.txt as a file named log10.zip. The ZIP file rollover process continues until 10 ZIP files exist, log10.zip to log19.zip. When log0.txt reaches 10 MB again after that, the client creates a new log10.zip without renaming log19.zip as a new file, effectively dropping the old log19.zip information upon renaming log18.zip as the new log19.zip.

The logging level is configurable (see LogVerbosityLevel). The location for log files is also configurable (see LogPath). The default is <Tanium Client installation directory>/Logs. You can use Client Management to directly connect to an endpoint and retrieve client logs. For more information, see Access individual endpoint logs in Client Management.
Network Configuration errors reported in the log
The error message Network Config Timed Out or Failed to download netconfig at startup commonly appears when a Tanium Client fails to connect or register with Tanium Cloud, the Tanium Server, or Zone Server. To troubleshoot this error message, see Troubleshoot issues with connection and registration.

Cache-related errors reported in the log
Cache-related errors that are reported in a client log are often caused by low disk space on the endpoint. Make sure the endpoint has enough available space on the disk or partition where the client is installed. For disk space requirements, see Hardware requirements. On a Linux endpoint, you can move the Tanium Client if the partition where it is installed does not have enough free space. For more information, see Move an existing installation of the Tanium Client on Linux.

Review action logs and associated files to troubleshoot actions and packages
When a package does not seem to work after you deploy it through an action, review action logs and the files associated with the action to help troubleshoot. Each time the Tanium Client receives an action message with an instruction set to execute, the client creates an action log file named Action_<ID>.log, where <ID> is the action identifier. The action log contains the CLI output associated with the action command. The Tanium Client stores any files that are required to deploy an action package in Action_<ID> directories. Both action logs and Action_<ID> directories are in the <Tanium Client installation directory>/Downloads directory. The Tanium Client removes action logs from its host after a configurable interval (see Action log and package cleanup).

Action_<ID> directories
Each Action_<ID> directory contains all the files that are required to deploy an action package. For example, if you deploy a package that has five files, the Tanium Client places each file in the Action_<ID> directory after it finishes downloading.
After all five files download, the action status changes from Preparing Files to Running on the Action Status page. Even if a deployed package has no associated package files, the Tanium Client creates an empty Action_<ID> directory for it. The Tanium Client removes Action_<ID> directories from its host after a configurable interval (see Action log and package cleanup).

Access action logs in Client Management
You can use Client Management to directly connect to an endpoint and view and download individual logs.

Action log contents
Action logs record each phase of an action:
Completion does not indicate success. For example, an action to execute a command might complete even if the command itself fails. For example, the command line for the package might not match the name of the distributed file or the command might fail to distribute a file. Managed endpoints show that the action completed, even though nothing occurred. Optionally, consider adding a validation query to the package to have the action status indicate success or failure.

Action log and package cleanup
The Tanium Client checks hourly, or immediately upon resetting (every two to six hours), whether any Action_<ID>.log files are over seven days old and deletes them if they are. The Tanium Client also checks hourly, or immediately upon resetting, whether any corresponding Action_<ID> directories have expired, and deletes them if they have. This process ensures that the endpoint does not consume more disk space than necessary for Tanium actions. Contact Tanium Support if you want to preserve action logs or action directories for a longer time.

Review action history logs to troubleshoot or audit actions
When you troubleshoot or audit actions on managed endpoints, review the action history logs to see which actions ran, their start and run times, and associated commands. Although the action logs record more details, the Tanium Client preserves action history logs for a longer period (their individual log files are smaller) and therefore they provide a longer chronology of actions.

The Tanium Client archives the first 10 MB of action history logs as plain-text files. After reaching the 10 MB threshold, the client archives the oldest logs as ZIP files before adding new logs as plain-text files. The log rollover process is as follows:

Plain-text log files
The Tanium Client creates a new action-history0.txt file whenever an action runs. When that file reaches 1 MB in size, the client renames action-history0.txt as action-history1.txt and creates a new action-history0.txt.
When action-history0.txt again reaches 1 MB, the client renames action-history1.txt as action-history2.txt, again renames action-history0.txt as action-history1.txt, and again creates a new action-history0.txt. The process of rolling logs whenever action-history0.txt reaches 1 MB continues until 10 logs exist: action-history0.txt to action-history9.txt.

ZIP log files
After recording 10 MB of plain-text action history logs, the Tanium Client compresses action-history9.txt as a file named action-history10.zip. When action-history0.txt again reaches 1 MB, the client renames action-history10.zip as action-history11.zip and again compresses action-history9.txt as a file named action-history10.zip. The ZIP file rollover process continues until 10 ZIP files exist, action-history10.zip to action-history19.zip. When action-history10.zip reaches 1 MB again after that, the client creates a new action-history10.zip without renaming action-history19.zip as a new file, effectively dropping the old action-history19.zip information upon renaming action-history18.zip as the new action-history19.zip.

The Tanium Client stores action history logs in the <Tanium Client installation directory>/Logs directory. You can use Client Management to directly connect to an endpoint and retrieve action history logs. For more information, see Access individual endpoint logs in Client Management.

Review sensor history logs to troubleshoot or audit sensor activity
When you troubleshoot or audit sensor activity on managed endpoints, review the sensor history logs to see the following information about each sensor that ran:
The Tanium Client archives the first 10 MB of sensor history logs as plain-text files. After reaching the 10 MB threshold, the client archives the oldest logs as ZIP files before adding new logs as plain-text files. The log rollover process is as follows:

Plain-text log files
The Tanium Client creates a new sensor-history0.txt file each time a sensor runs. When that file reaches 1 MB in size, the client renames sensor-history0.txt as sensor-history1.txt, and creates a new sensor-history0.txt. When sensor-history0.txt again reaches 1 MB, the client renames sensor-history1.txt as sensor-history2.txt, again renames sensor-history0.txt as sensor-history1.txt, and again creates a new sensor-history0.txt. The process to roll the logs whenever sensor-history0.txt reaches 1 MB continues until 10 logs exist: sensor-history0.txt to sensor-history9.txt.

ZIP log files
After recording 10 MB of plain-text sensor history logs, the Tanium Client compresses sensor-history9.txt as a file named sensor-history10.zip. When sensor-history0.txt again reaches 1 MB, the client renames sensor-history10.zip as sensor-history11.zip and again compresses sensor-history9.txt as a file named sensor-history10.zip. The ZIP file rollover process continues until 10 ZIP files exist, sensor-history10.zip to sensor-history19.zip. When sensor-history10.zip reaches 1 MB again after that, the client creates a new sensor-history10.zip without renaming sensor-history19.zip as a new file, effectively dropping the old sensor-history19.zip information upon renaming sensor-history18.zip as the new sensor-history19.zip.

The Tanium Client stores sensor history logs in the <Tanium Client installation directory>/Logs directory. You can use Client Management to directly connect to an endpoint and retrieve sensor history logs. For more information, see Access individual endpoint logs in Client Management.
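
The rollover scheme described above for client logs, action history logs and sensor history logs (plain text at indexes 0 to 9, ZIP at 10 to 19, lower numbers newer) means a directory listing does not read in time order. The following is an added example, not Tanium code: it walks a Logs directory oldest-first and searches for the two network configuration messages this page names. It assumes each ZIP holds UTF-8 text members, and the sample log lines are constructed.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Messages this page ties to failed connection or registration.
NETCONFIG_ERRORS = ("Network Config Timed Out",
                    "Failed to download netconfig at startup")


def rotation_index(name, prefix="log"):
    """Rollover index of a rotated file, or None if it is not in the set."""
    m = re.fullmatch(re.escape(prefix) + r"(\d+)\.(txt|zip)", name)
    if not m:
        return None
    n, ext = int(m.group(1)), m.group(2)
    # Plain text holds indexes 0-9, ZIP archives hold 10-19.
    in_scheme = (ext == "txt" and n <= 9) or (ext == "zip" and 10 <= n <= 19)
    return n if in_scheme else None


def ordered_logs(log_dir, prefix="log", oldest_first=True):
    """Rotated files sorted by index; the highest index is the oldest."""
    found = []
    for path in Path(log_dir).iterdir():
        idx = rotation_index(path.name, prefix)
        if idx is not None and path.is_file():
            found.append((idx, path))
    found.sort(key=lambda item: item[0], reverse=oldest_first)
    return [path for _, path in found]


def read_lines(path):
    """Yield lines from a text log or from every member of a ZIP archive."""
    if path.suffix == ".zip":
        # Assumption: archive members are UTF-8 text logs.
        with zipfile.ZipFile(path) as archive:
            for member in archive.namelist():
                text = archive.read(member).decode("utf-8", errors="replace")
                yield from text.splitlines()
    else:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for line in handle:
                yield line.rstrip("\r\n")


def scan(log_dir, needles=NETCONFIG_ERRORS, prefix="log"):
    """Return (file name, line) hits, oldest file first, case-insensitive."""
    lowered = [needle.lower() for needle in needles]
    hits = []
    for path in ordered_logs(log_dir, prefix, oldest_first=True):
        for line in read_lines(path):
            if any(needle in line.lower() for needle in lowered):
                hits.append((path.name, line))
    return hits


def build_sample(log_dir):
    """Write constructed sample logs; the line format is invented."""
    root = Path(log_dir)
    (root / "log0.txt").write_text("2024-01-03 registration ok\n", encoding="utf-8")
    (root / "log1.txt").write_text("2024-01-02 Network Config Timed Out\n", encoding="utf-8")
    with zipfile.ZipFile(root / "log10.zip", "w") as archive:
        archive.writestr("log9.txt", "2024-01-01 Failed to download netconfig at startup\n")
    # Install.log shares the directory in this sample but is not a rotated log.
    (root / "Install.log").write_text("installer output\n", encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_dir:
        build_sample(sample_dir)
        for file_name, line in scan(sample_dir):
            print(f"{file_name}: {line}")
```

Pass prefix="action-history" or prefix="sensor-history" to apply the same ordering to those log families.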
Review or reset the public key to troubleshoot connection issues (Tanium Client 7.4 only)
You can review or reset the public key to help resolve connection issues that are related to an invalid key. (Salesforce deployments only) The Registration Error column on the Client Status page indicates specific issues with keys. For more information, see View the status of Tanium Client registration and communication.

Review and manage sensor quarantines to troubleshoot sensors
Enforcing sensor quarantines prevents sensors from running on an endpoint for the current question or action if those sensors exceeded the runtime timeout during a previous question or action. Quarantines are useful for limiting the impact on endpoint resources, such as CPU utilization, when questions and actions use excessively long-running sensors. The non-configurable timeout is set to one minute.

By default, quarantines are not enforced: after a sensor exceeds the timeout and stops running, the sensor has quarantined status but still runs for future questions or actions until it completes or times out. In this case, the Tanium Client uses the quarantined status just to record that the sensor timed out. Regardless of whether you enable enforcement, the Tanium Client stops any sensor at the moment it exceeds the timeout.

Each client quarantines sensors and enforces the quarantines independently. Consequently, a sensor might be quarantined on some endpoints and not on others. When a Tanium Client quarantines a sensor, the Tanium Console displays the following message in the Question Results grid: TSE-Error: Sensor evaluation timed out. When you issue a question that uses a sensor that is already quarantined and enforcement is enabled, the Question Results grid displays TSE-Error: The sensor is quarantined. The Tanium Client adds entries to the client logs and sensor history logs when it quarantines a sensor or prevents an already quarantined sensor from running.

If temporary sensors exceed the one-minute timeout, the Tanium Client quarantines the original sensor as well as all current and future temporary sensors that are based on the original sensor.

When enforcement is enabled, quarantined sensors do not run when you use them for targeting endpoints, even if the sensors are members of computer groups.
However, quarantined sensors might skew the targeting of a question that has a vague from clause, such as from all machines with Is Windows not equals true. In this case, Windows endpoints on which the Is Windows sensor is quarantined would match the condition not equals true because their response would be TSE-Error: The sensor is quarantined rather than true. To avoid such outcomes, make the target clause as specific as possible and do not use negative matching conditions such as not equals true.

View quarantined sensors
If the Tanium Client does not answer a question, you can determine whether the associated sensors are quarantined. To see a list of all the quarantined sensors on all endpoints, see Tanium Console User Guide: Manage sensor quarantines. To list all the quarantined sensors on a specific endpoint, perform the following steps:

Remove all sensors from quarantine
In some cases, enabling the Tanium Client to answer questions that use quarantined sensors might be more important than limiting the impact that long sensor run times have on the resources of an endpoint. Note that even after you remove the sensors from quarantine, if they exceed the timeout in a future question, the Tanium Client will then stop the sensors and quarantine them again without answering the question. To remove sensors from quarantine through the Tanium Console, see Tanium Console User Guide: Manage sensor quarantines. To remove sensors from quarantine through the operating system CLI on the endpoint, perform the following steps:

Remove a single sensor from quarantine
To remove a sensor from quarantine through the Tanium Console, see Tanium Console User Guide: Manage sensor quarantines. To remove a sensor from quarantine through the operating system CLI on the endpoint, perform the following steps:
If you modify a sensor, Tanium Clients that receive its new definition automatically remove that sensor from quarantine.

Add a sensor to quarantine
You can manually quarantine a sensor on an endpoint if you anticipate that running the sensor will negatively affect the endpoint. Quarantining a sensor does not automatically enable quarantine enforcement.

Enable or disable enforcement of quarantined sensors
After you enable quarantine enforcement, Tanium Clients do not answer questions that use quarantined sensors and those sensors do not run for actions. After you disable enforcement, clients still quarantine sensors and log quarantine events, but do not prevent those sensors from running. Your user account must have a role with the Global Settings write permission to enable or disable quarantine enforcement. Users with the Administrator reserved role have this permission.

The first time you enable enforcement, you must add the EnableSensorQuarantine setting to the platform settings on the Tanium Server as follows. By default, enforcement is disabled and the setting does not appear in the Tanium Console. After you add the setting, the Tanium Server applies it to all Tanium Clients.
Perform the following steps if you want to change the enforcement setting after adding it to the platform settings:
If you want to change the enforcement setting in specific clients instead of all clients, add or edit the EnableSensorQuarantine setting in the local configuration of those clients. Add or edit the EnableSensorQuarantine setting on the Tanium Clients for which you want to enable or disable quarantine enforcement.

Troubleshoot Client Management
To send information to Tanium for troubleshooting, collect logs and other relevant information.

Collect logs
You can save Client Management logs as a ZIP file that you can download with your browser.

View and configure logs
On Windows infrastructure, Tanium Client Management records service logs in the client-management.log file in the \Program Files\Tanium\Tanium Module Server\services\client-management-files directory on the Module Server.

Adjust log level
Adjust log retention
Download deployment information
You can download a JSON file that includes deployment settings and endpoint details for a deployment.

Troubleshoot deployment issues

Issue: A new deployment instantly switches to the Completed status with no attempted deployments to endpoints
Cause: The Module Server is having trouble downloading the client binaries.
Solution: Check the TDownloader log for download errors. For information about where to find this log, see Tanium Core Platform Deployment Reference Guide: TDownloader logs.

Issue: Endpoint Installation Status = ERROR_CONNECTION_FAIL with "no response" log message
Log messages for the deployment contain the following message: Deployment Result Generated: All n connection attempt(s) resulted in no response from the target.
Cause: The Tanium Module Server cannot communicate with the endpoint, or cannot authenticate with the endpoint.
Solution: Check the following items.

Issue: Endpoint Installation Status = ERROR_CONNECTION_FAIL with SSH connection log message
Log messages for the deployment contain the following message: Command resulted in error: Error: Connection to 'SSH Client for '192.168.24.11'' was not established
Cause: The Tanium Module Server is attempting an SSH deployment and cannot communicate with the endpoint, or cannot authenticate with the endpoint.
Solution: Check the following items.

Issue: Endpoint Installation Status = ERROR_ACQUIRE_LOGS_FAIL with "necessary file missing" log message
Log messages for the deployment contain the following message: Deployment Result Generated: Necessary file(s) missing on disk: C:\Program Files\Tanium\Tanium Module Server\services\client-management-files\deployment-runner-data\bc6bf6fd-0388-4f2d-9120-860cac75e8d4\tanium.pub
Cause: When you are deploying a version of the Tanium Client earlier than 7.4, the public key is missing.
Solution: Upload the tanium.pub file. See (Tanium 7.3.x only) Upload the Tanium public key.

Issue: Endpoint Installation Status = ERROR_ACQUIRE_LOGS_FAIL with "cli_rpc_pipe_open_noauth" log message
Log messages for the deployment contain the following message: Error creating/starting the installation bootstrap service on the target: Error: cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe svcctl failed with error NT_STATUS_CONNECTION_DISCONNECTED Could not initialise pipe svcctl. Error was NT_STATUS_CONNECTION_DISCONNECTED
Cause: The Tanium Server could not establish WMI or RPC communication with an endpoint.
Solution: Verify that the firewall allows WMI, RPC, and SMB traffic between Tanium servers and endpoints. For more information, see Network connectivity, ports, and firewalls. Firewalls with application-based control might not allow this traffic for Tanium by default.

Issue: Endpoint Installation Status = ERROR_ACQUIRE_LOGS_FAIL with "'mkdir' command exited" log message
Log messages for the deployment contain the following message: SMB 'mkdir' command exited with exit code 1.
Cause: A Tanium Client might have been previously installed on the endpoint and not fully removed.
Solution: Verify that you are not trying to deploy to an endpoint that already has the Tanium Client installed. The endpoint could have a Tanium Client that was not fully removed, or a Tanium Client installation that points to a different Tanium Server or Zone Server.

Uninstall Client Management
Uninstalling Client Management also uninstalls Endpoint Configuration and affects all Tanium solutions. Contact Tanium Support before you uninstall Client Management.

Contact Tanium Support
Tanium Support is your first contact for help when troubleshooting the initial deployment and for optimizing the speed and scale of your deployment as the number of managed endpoints grows. As necessary, Tanium Support can help adjust Tanium Client-related settings, including:
If you require further assistance from Tanium Support, include version information for the Tanium Client, Tanium Core Platform components, and, if applicable, Tanium Client Management. Also include specific details on dependencies, such as the host system hardware and OS details. Finally, indicate if your installation uses a non-default installation directory for the Tanium Client. To contact Tanium Support for help, sign in to https://support.tanium.com.