Reference: Tanium Client settings and CLI

Tanium Client settings reference

For information about reviewing and modifying client settings, see Managing client settings and Index configurations.

 Table 1: Tanium Client settings

Setting Name	Applies to OS Platforms	Windows Registry Value Type	Non-Windows Setting Type	Description	Modify
ClientCacheLimitInMB1	All supported	REG_DWORD	NUMERIC	The size limit, in MB, for the file cache on an endpoint. The default is 2048. For more information, see Chunk caching.	As necessary
ComputerID	All supported	REG_DWORD	NUMERIC	Value that Tanium Cloud the Tanium Server assigned to the client to uniquely identify and track each managed endpoint.	No
DatabaseEpoch	All supported	REG_SZ	STRING	Typically, this setting indicates the date and time when Tanium Cloud the Tanium Server was deployed.	No
EnableRandomListeningPort	All supported	REG_DWORD	NUMERIC	Enables (1) or disables (0) the randomized selection of a new listening port at intervals. The client uses the port for communication from peer clients. If another application is already using the selected port, the client selects another port immediately instead of at the next interval. By default, EnableRandomListeningPort is disabled and the client uses a fixed listening port (default is 17472). For details and best practices, see Customize listening ports. Randomize listening ports only if it is required by rules in your organization. Using randomized listening ports requires more complex firewall rules to allow client communication, and it makes troubleshooting issues with client communication more difficult.	As necessary
EnableSensorQuarantine	All supported	REG_DWORD	NUMERIC	Add this setting and set the value to 1 if you want to enable the enforcement of sensor quarantines on a particular endpoint. By default, the setting is not present and enforcement is disabled. If you already added the setting, you can disable enforcement by setting the value to 0. You can also use the Tanium Console to enable or disable enforcement for all endpoints. For details, see Enable or disable enforcement of quarantined sensors.	As necessary
FirstInstall	All supported	REG_SZ	STRING	Date and time of the initial Tanium Client installation.	No
HostDomainName	Non‑Windows	N/A	STRING	Required only when the client does not return the domain name correctly in question results. The value that you specify for this setting overrides the data that the client OS would otherwise return. Specify just the domain portion of the fully qualified domain name (FQDN). For example, if the FQDN is host.example.com, specify example.com.	As necessary
HostFQDN	Non‑Windows	N/A	STRING	Another option (besides HostDomainName) for cases where the client does not return the hostname and domain name correctly in question results. The value that you specify for this setting overrides the data that the client OS would otherwise return. Specify the complete FQDN, including hostname, such as host.example.com.	As necessary
LastInstall	All supported	REG_SZ	STRING	Date and time of latest Tanium Client installation.	No
LastGoodServerName	All supported	REG_SZ	STRING	The FQDN from the Tanium Cloud Client Edge URL name of the Tanium Server or Zone Server with which the Tanium Client last connected successfully. If the client cannot reach an FQDN a server that the ServerNameList or ServerName setting specifies, the client tries to connect to the FQDN server that LastGoodServerName specifies. You do not set LastGoodServerName; the client defines it automatically. To avoid this fallback behavior during testing, troubleshooting, or migration scenarios, delete the LastGoodServerName value.	No
ListenPort	All supported	REG_DWORD	NUMERIC	This setting specifies the port on which the client listens for communication from peer clients. By default, this setting is empty, and the client listens for communication from peer clients on the port specified for the ServerPort setting, which is always 17472 for Tanium Cloud.setting. When you configure a value for the ListenPort setting, it overrides the ServerPort setting for communication between clients. For details and best practices, see Customize listening ports.	As necessary
LogFileSize	All supported	REG_DWORD	NUMERIC	The size threshold in bytes that Tanium Client logs must reach before the client rotates them.	As necessary
LogPath	All supported	REG_SZ	STRING	By default, the Tanium Client writes its logs to the <Tanium Client>/Logs subdirectory. You can use the LogPath setting to define an alternative absolute path for the logs. For example: LogPath=/tmp.	As necessary
LogVerbosityLevel1	All supported	REG_DWORD	NUMERIC	The level of logging on an endpoint. The following values are best practices for specific use cases: 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints. 1 (default): Use this value during normal operation. 41: Use this value during troubleshooting. 91 or higher: Use this value for full logging, for short periods of time only. By default, this setting is not present if you did not set the logging level when deploying the Tanium Client. If you are using a package to configure this setting, you can use the Set Windows Tanium Client Logging Level or Set Tanium Client Logging Level [Non-Windows] package.	As necessary
Logs.extensions.LogVerbosityLevel1	All Supported	REG_DWORD	NUMERIC	The level of logging for client extensions (such as the Tanium™ Client Recorder Extension and Tanium™ Index) on an endpoint. The following values are best practices for specific use cases: 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints. 11 (default): Use this value during normal operation. 41: Use this value during troubleshooting. 91 or higher: Use this value for full logging, for short periods of time only.
Path	Windows	REG_SZ	N/A	Path to the Tanium Client installation directory. If none is specified, the Tanium Client assumes the default path for the OS. For Linux, Solaris, and AIX, you can use symbolic links. For more information, see the following sections: Move an existing installation of the Tanium Client on Linux Move an existing installation of the Tanium Client on Solaris Move an existing installation of the Tanium Client on AIX	As necessary
PeerNeighborhood	All Supported	REG_SZ	STRING	A neighborhood name that designates clients that should be allowed to peer regardless of NAT IP. For details, see Configure intentional subnets.
ProxyAutoConfigAddress	Windows	REG_SZ	N/A	The URL and file name (in the format http[s]://<PAC file URL>/<PAC file name>.pac) of a proxy auto configuration (PAC) file that the Tanium Client can access. The PAC file defines how clients connect to Tanium Cloud the Tanium Server or Zone Server: directly or through a Hypertext Transfer Protocol Secure (HTTPS) proxy server. The client downloads the file from the URL that you specify and runs a script that the file contains to select the correct proxy for connecting to a particular server. If no proxy is available, the client falls back to connecting directly with Tanium Cloud the Tanium Server or Zone Server. For details, see Configure proxy connections with a PAC file.	As necessary
ProxyServers	All supported	REG_SZ	STRING	The IP address or FQDN, and port number, of the HTTPS proxy server through which the Tanium Client connects to Tanium Cloud the Tanium Server or Zone Server. You can specify multiple proxies as a comma-separated list in the format "<proxy1>:<port>,...,<proxyN>:<port>". The client tries to connect to the proxies in the order that you list them. After any single connection succeeds, the client stops trying to connect with more proxies. If no proxy is available, the client falls back to connecting directly with Tanium Cloud the Tanium Server or Zone Server. For details, see Configure proxy connections without a PAC file.	As necessary
RandomListeningPortExclusions	All supported	REG_DWORD	NUMERIC	Specifies ports that the client never selects as a listening port if you enable EnableRandomListeningPort. For example, to prevent port competition conflicts, you might specify ports that other applications use. If you specify multiple exclusions, use a comma to separate each port. By default, the client does not exclude any ports that are within the range that the RandomListeningPortMin and RandomListeningPortMax settings define. For details and best practices, see Customize listening ports.	As necessary
RandomListeningPortMax	All supported	REG_DWORD	NUMERIC	Specifies the high end of the range of ports from which the client randomly selects a listening port if you enabled EnableRandomListeningPort. The default is port 64000 For details and best practices, see Customize listening ports.	As necessary
RandomListeningPortMin	All supported	REG_DWORD	NUMERIC	Specifies the low end of the range of ports from which the client randomly selects a listening port if you enabled EnableRandomListeningPort. The default is port 32000. For details and best practices, see Customize listening ports.	As necessary
RandomListeningPortTTLInHours	All supported	REG_DWORD	NUMERIC	Specifies the interval in hours at which the client selects a new listening port if you enabled EnableRandomListeningPort. The default is 24 hours. Do not set the value lower than the client reset interval, which by default is a random interval in the range of 2 to 6 hours. For details and best practices, see Customize listening ports.	As necessary
RegistrationCount	All supported	REG_DWORD	NUMERIC	Count of completed registrations. This value, in conjunction with the ComputerID, enables Tanium Cloud the Tanium Server to detect duplicate Computer IDs. If the RegistrationCount value that Tanium Cloud the Tanium Server maintains does not match the value that the client reports, Tanium Cloud the server assigns a new, unique ComputerID to the endpoint to resolve the apparent ComputerID duplication. For details, see Registration and ComputerID.	No
ReportingTLSMode, OptionalTLSMinAttemptCount, OptionalTLSBackoffIntervalSeconds, OptionalTLSMaxBackoffSeconds, Server_ReportingTLSMode, Server_OptionalTLSMinAttemptCount, Server_OptionalTLSBackoffIntervalSeconds, Server_OptionalTLSMaxBackoffSeconds	All supported	REG_DWORD	NUMERIC	Tanium Cloud automatically manages all TLS settings for the Tanium Client. Tanium Core Platform supports TLS communication for connections from Tanium Clients to the Tanium Server or Zone Server and for communication between Tanium Client 7.4 peers. For details, see the Tanium Core Platform Deployment Reference Guide: Setting up TLS communication.	As necessary
Resolver	Non‑Windows	N/A	STRING	Program to invoke for resolving the IP address of Tanium Cloud the Tanium Server. The default is getent. For AIX and Solaris, set this to nslookup. The options are as follows: getent, getenta, host, nslookup, dig, and res_search.	As necessary
ServerName	All supported	REG_SZ	STRING	FQDN from the Tanium Cloud Client Edge URL FQDN or IP address of the Tanium Server or Zone Server with which the client tries to connect.connect, selected from ServerNameList. For details, see ServerName. If you are using a package to configure this setting, you can use the Set Tanium Server Name or Set Tanium Server Name [Non-Windows] package.	As necessary No
ServerNameList	All supported	REG_SZ	STRING	Comma-separated list of Tanium Server and Zone Server FQDNs or IP addresses FQDNs from Tanium Cloud Client Edge URLs with which the client can try to connect. For details, see ServerNameList. Do not modify this setting, except during initial configuration of the Tanium Client when a tanium-init.dat file that includes the appropriate FQDNs is unavailable, or as directed by Tanium Support. If you are using a package to configure this setting, you can use the Set Tanium Server Name List or Set Tanium Server Name List [Non-Windows] package.	As necessary As directed by Tanium Support
ServerPort	All supported	REG_DWORD	NUMERIC	The port to use for client-server and, by default, client-client communication. The default is 17472. For details, see ServerPort.In Tanium Cloud, the port is always 17472. If you configure the ListenPort or EnableRandomListeningPort setting, it overrides ServerPort for client-client communication. For more information, see Customize listening ports.	As necessary No
StateProtectedFlag	All supported	REG_DWORD	NUMERIC	Enables encryption of the client state and sensor queries stored on the client By default, read access to the Tanium Client directory is restricted for non-Administrators. However, encrypting the client state and sensor queries can provide additional protection. For information about additional measures to protect the Tanium Client on Windows endpoints, see (Optional) Harden the Tanium Client on Windows.	As necessary
Version	All supported	REG_SZ	STRING	Tanium Client version number.	No
1 You can apply this setting using a settings configuration in Tanium Client Management. See Managing client settings and Index configurations in Client Management.

Tuning Tanium Client settings for VDI endpoints and other endpoints with limited resources

For information about creating an image with the Tanium Client for VDI environments, see Preparing the Tanium Client on a virtual desktop infrastructure (VDI) instance.

If you are deploying the Tanium Client to virtual desktop infrastructure (VDI) instances or other endpoints with limited resources, you might need to adjust certain client settings to help to reduce resource usage. The following table lists the best practice adjustments to client settings for VDI instances. These settings help avoid concentrated resource usage on shared hardware. All settings in the following table are of the registry type REG_DWORD for Windows, or of the type NUMERIC for non-Windows. For information about reviewing and modifying client settings, see Managing client settings and Index configurations.

 Table 2: Best practice client settings for VDI instances

Client Setting	Default Value	Best Practice Value for VDI	Explanation
RandomSensorDelayInSeconds	0	20	By default, sensors run immediately. This setting delays the execution of any sensor by a random time up to 20 seconds, which reduces concurrent execution of sensors and packages.
MaxAgeMultiplier	1	2	Each sensor has a Max Sensor Age setting that determines how long the client caches sensor results for subsequent questions that include the same sensor. This setting causes the client to multiply the maximum age configured for each sensor by 2, which doubles the time results are cached for each sensor and reduces sensor executions.
MinDistributeOverTimeInSeconds	0	60	Each action has a Distribute Over setting that randomizes the distribution of that action over the specified time. By default, no minimum applies, and some actions might be configured for immediate distribution. This setting forces all actions to distribute over at least 1 minute.
LogVerbosityLevel	1	0	Disable logging to reduce disk writes. Temporarily re-enable logging on individual endpoints for troubleshooting.
Logs.extensions.LogVerbosityLevel	11	0	Disable Tanium™ Client Extensions logging to reduce disk writes. Temporarily re-enable logging on individual endpoints for troubleshooting.
SaveClientStateIntervalInSeconds	300	1800	By default, the client state is written to disk every 5 minutes. This setting increases the time to 30 minutes to reduce disk writes.

You can apply these settings using a settings configuration in Tanium Client Management. See Managing client settings and Index configurations in Client Management.

Configure isolated subnets for virtual desktop infrastructure (VDI) instances in a high-density environment with shared storage or for any other virtual endpoints where concurrent disk I/O operations must be limited. Endpoints cache file chunks to share distributed files with peers, which requires multiple endpoints in the linear chain to concurrently read and write file chunks. Isolating an endpoint reduces the concurrent disk I/O that normally occurs when this cache is used to share files with peers. For more information, see File distribution. For the configuration steps, see Configure isolated subnets.

To identify existing VDI clients for tuning, ask a question appropriate for your environment, and then drill down as necessary. The following table lists example questions that you might ask to identify VDI clients.

 Table 3: Example questions to identify VDI clients

Identification method	Example question
Model	Get Is Virtual from all machines with Is Virtual equals yes Get Chassis Type from all machines with Chassis Type contains virtual Get Model from all machines with Model contains Standard PC
Host name	Get Computer Name contains VM-PC- from all machines
Active Directory attributes	Get AD Query - Computer Attributes[Description] contains " VDI " from all machines Get AD Query - Computer Groups equals VDI from all machines
MAC address	Get MAC Address starts with "00:1c:42" from all machines
IP address	Get Tanium Client Subnet matches "^192\.168\.(14|16|88|222)\.0\/23$" from all machines Get IP Address matches "^192\.168\.[0-2]\.\d{1,3}$" from all machines
Hardware	Get Disk Drive Details having Disk Drive Details:Name equals QEMU HARDDISK ATA Device from all machines

You can also adjust these settings to increase performance on physical endpoints with hardware specifications near the minimum requirements for the Tanium Client, cloud-hosted endpoints, and endpoints where CPU performance must be prioritized, but the appropriate values depend on your environment and business requirements. For assistance with tuning these settings, contact Tanium Support.

The performance of certain features in some Tanium solutions also depends on the resources available on endpoints. For more information about requirements for specific Tanium solutions, go to https://docs.tanium.com/ and review the documentation for that solution.

Peering settings reference

When Tanium Clients register with Tanium Cloud the Tanium Server, they also receive values for settings that relate to peering and sensor data. Clients write these settings to the Status registry subkey on Windows endpoints and to the SQLite database (client.db) on non-Windows endpoints. You do not edit these settings, but their values might help you understand expected behavior when troubleshooting peering. You can ask questions to see the values of some of these settings. See Use questions to review peering settings. Contact Tanium Support for more assistance.

 Table 4: Tanium Client peer settings

Setting Name	Description
BackPeerAddress	Address details for the current backward peer. Use the Tanium Back Peer Address sensor (Client Management content set) to see the value for this setting.
BackPreviousPeerAddress	Address details for the previous backward peer.
BufferCount	Number of buffered messages that are currently queued for the Tanium Client to process. Use the Tanium Buffer Count sensor (Client Management content set) to see the value for this setting.
ClientAddress	Address details for the client host endpoint. Use the Tanium Client IP Address sensor (Base content set) to see the value for this setting.
NeighborhoodList	Connection details that Tanium Cloud the Tanium Server provides for up to ten forward and ten backward peers. Use the Tanium Client Neighborhood sensor (Client Management content set) to see neighborhood information.
PeerAddress	Address details for the current forward peer. Use the Tanium Peer Address sensor (Client Management content set) to see the value for this setting.
PreviousPeerAddress	Address details for the previous forward peer.
StaleCount	Count of sensors with stale data.
StaleList	List of sensors with stale data.

Tanium Client command line interface (CLI)

CLI on Windows endpoints

Tanium Client settings are written to the Windows registry. The executable program for the CLI, TaniumClient.exe, is in the Tanium Client installation directory. The following examples demonstrate useful CLI commands:

• Display TaniumClient.exe syntax, commands, and options: TaniumClient --help
• Display the configuration (config) command syntax and actions: TaniumClient config --help
• Display the current configuration settings: TaniumClient config list

For the complete list of client settings that are configurable using the CLI, see Tanium Client settings reference.

The following example shows how to set and confirm the FQDNs from the Tanium Cloud Client Edge URLs fully qualified domain names (FQDNs) of the Tanium Server with which the Tanium Client can connect: connect in an active-active deployment:

cmd-prompt> TaniumClient config set ServerNameList example-zsb1.cloud.tanium.com,example-zsb2.cloud.tanium.comts1.tam.local,ts2.tam.local
cmd-prompt> TaniumClient config get ServerNameList
example-zsb1.cloud.tanium.com,example-zsb2.cloud.tanium.comts1.tam.local,ts2.tam.local

Do not modify the ServerNameList setting, except during initial configuration of the Tanium Client when a tanium-init.dat file that includes the appropriate FQDNs is unavailable, or as directed by Tanium Support.

The following example shows how to configure the connection between Tanium Client 7.4 or later and the Tanium Server to require TLS, and then to confirm that TLS is required:

cmd-prompt> TaniumClient config set TLSMode 1

cmd-prompt> TaniumClient config get TLSMode

1

CLI on non-Windows endpoints

Tanium Client settings are written to an SQLite database. The executable program for the CLI, TaniumClient, is in the Tanium Client installation directory. You must either run it as root or use sudo to elevate permissions. The following examples demonstrate useful CLI commands:

• Display TaniumClient syntax, commands, and options: sudo ./TaniumClient --help
• Display the configuration (config) command syntax and actions: sudo ./TaniumClient config -h
• Display the current configuration settings: sudo ./TaniumClient config list

For the complete list of client settings that are configurable using the CLI, see Tanium Client settings reference.

The following example shows how to set and confirm the FQDNs from the Tanium Cloud Client Edge URLsFQDNs of the Tanium Server with which the Tanium Client can connect connect: connect in an active-active deployment:

cmd-prompt> sudo ./TaniumClient config set ServerNameList example-zsb1.cloud.tanium.com,example-zsb2.cloud.tanium.comts1.tam.local,ts2.tam.local
cmd-prompt> sudo ./TaniumClient config get ServerNameList
example-zsb1.cloud.tanium.com,example-zsb2.cloud.tanium.comts1.tam.local,ts2.tam.local

Do not modify the ServerNameList setting, except during initial configuration of the Tanium Client when a tanium-init.dat file that includes the appropriate FQDNs is unavailable, or as directed by Tanium Support.

The following example shows how to configure the connection between Tanium Client 7.4 or later and the Tanium Server to require TLS, and then to confirm that TLS is required:

cmd-prompt> sudo ./TaniumClient config set TLSMode 1
cmd-prompt> sudo ./TaniumClient config get TLSMode
1