Reference: Tanium Client CLI and client settings

The Tanium Client provides a command-line interface (CLI) for viewing and changing client settings.

CLI on Windows endpoints

Tanium Client settings are written to the Windows registry. The executable program for the CLI, TaniumClient.exe, is in the Tanium Client installation directory. The following examples demonstrate useful CLI commands:

  • Display TaniumClient.exe syntax, commands, and options: TaniumClient --help
  • Display the configuration (config) command syntax and actions: TaniumClient config --help
  • Display the current configuration settings: TaniumClient config list

For the complete list of client settings that are configurable using the CLI, see Tanium Client settings.

The following example shows how to set and confirm the fully qualified domain names (FQDNs) of the TaaS instances (or, in an on-premises deployment, the Tanium Servers) with which the Tanium Client can connect in an active-active deployment. The first pair of commands uses TaaS instance names; the second uses on-premises server names:

cmd-prompt> TaniumClient config set ServerNameList taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com
cmd-prompt> TaniumClient config get ServerNameList
taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com

cmd-prompt> TaniumClient config set ServerNameList ts1.tam.local,ts2.tam.local
cmd-prompt> TaniumClient config get ServerNameList
ts1.tam.local,ts2.tam.local

The following example shows how to configure the connection between Tanium Client 7.4 or later and the Tanium Server to require TLS, and then to confirm that TLS is required:

cmd-prompt> TaniumClient config set TLSMode 1
cmd-prompt> TaniumClient config get TLSMode
1

CLI on non-Windows endpoints

Tanium Client settings are written to an SQLite database. The executable program for the CLI, TaniumClient, is in the Tanium Client installation directory. You must either run it as root or use sudo to elevate permissions. The following examples demonstrate useful CLI commands:

  • Display TaniumClient syntax, commands, and options: sudo ./TaniumClient --help
  • Display the configuration (config) command syntax and actions: sudo ./TaniumClient config -h
  • Display the current configuration settings: sudo ./TaniumClient config list

For the complete list of client settings that are configurable using the CLI, see Tanium Client settings.

The following example shows how to set and confirm the FQDNs of the TaaS instances (or, in an on-premises deployment, the Tanium Servers) with which the Tanium Client can connect in an active-active deployment. The first pair of commands uses TaaS instance names; the second uses on-premises server names:

cmd-prompt> sudo ./TaniumClient config set ServerNameList taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com
cmd-prompt> sudo ./TaniumClient config get ServerNameList
taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com

cmd-prompt> sudo ./TaniumClient config set ServerNameList ts1.tam.local,ts2.tam.local
cmd-prompt> sudo ./TaniumClient config get ServerNameList
ts1.tam.local,ts2.tam.local

The following example shows how to configure the connection between Tanium Client 7.4 or later and the Tanium Server to require TLS, and then to confirm that TLS is required:

cmd-prompt> sudo ./TaniumClient config set TLSMode 1
cmd-prompt> sudo ./TaniumClient config get TLSMode
1
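A policy check built from the commands above, added here as an example and not Tanium's own code: it reads each setting on a non-Windows endpoint with TaniumClient config get (which prints the bare value, as the TLSMode example shows) and flags a client that does not require TLS or that lists a server outside an allowed set. It assumes it runs as root from the Tanium Client installation directory; EXPECTED_SERVERS is a constructed policy value to override for your deployment.

```shell
#!/bin/sh
# Added example, not Tanium's own code: audits the settings this page's CLI
# examples set on a non-Windows endpoint. Assumes "TaniumClient config get"
# prints the bare value (as the TLSMode example on this page shows) and that
# the script runs as root from the Tanium Client installation directory.
# EXPECTED_SERVERS is a constructed policy value; override it for your site.

TANIUM_CLIENT="${TANIUM_CLIENT:-./TaniumClient}"
EXPECTED_SERVERS="${EXPECTED_SERVERS:-ts1.tam.local,ts2.tam.local}"

# Reads one setting. Prints the value, or nothing when the setting is absent
# or the CLI fails, so callers can treat "empty" as "not set".
tanium_get() {
    "$TANIUM_CLIENT" config get "$1" 2>/dev/null || :
}

# Checks the settings against policy. Prints one line per finding and returns
# 0 when every check passes, 1 when any FAIL was reported.
audit_tanium_client() {
    rc=0
    # TLSMode=1 means the client requires TLS to the Tanium Server (7.4+).
    tls="$(tanium_get TLSMode)"
    if [ "$tls" != "1" ]; then
        echo "FAIL TLSMode=${tls:-<unset>} (expected 1: TLS required)"
        rc=1
    fi
    # Every entry in ServerNameList must be a server the policy allows, so a
    # client cannot quietly be pointed at a server you do not operate.
    list="$(tanium_get ServerNameList)"
    if [ -z "$list" ]; then
        echo "FAIL ServerNameList is not set"
        rc=1
    fi
    for server in $(printf '%s' "$list" | tr ',' ' '); do
        case ",$EXPECTED_SERVERS," in
            *",$server,"*) ;;
            *) echo "FAIL ServerNameList has unexpected server: $server"; rc=1 ;;
        esac
    done
    # 91 or higher is full logging, meant for short periods only: warn if on.
    level="$(tanium_get LogVerbosityLevel)"
    if [ -n "$level" ] && [ "$level" -ge 91 ] 2>/dev/null; then
        echo "WARN LogVerbosityLevel=$level (full logging; short periods only)"
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK client settings match policy"
    fi
    return "$rc"
}

# When run as a script on an endpoint, perform the audit and exit with its result.
if [ -x "$TANIUM_CLIENT" ]; then
    audit_tanium_client
    exit $?
fi
```

Run it as root from the client directory (for example with sudo) and use the exit status in your compliance tooling.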

Tanium Client settings

Initially, you set Tanium Client settings when installing the client. TaaS or the Tanium Server or Zone Server sends setting updates when the client registers. The location of the settings varies by operating system.

Windows

On Windows endpoints, Tanium Client settings are Windows registry settings. The path to Tanium Client registry keys is HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Client. Use the CLI on Windows endpoints to configure Tanium Client settings.

The Tanium Client registry key includes subkeys: Sensor Data, Status, and ValueSystem. Typically, the subkey values are set during client installation and are not subsequently modified except when Tanium actions or sensors are updated. The Status subkey holds the information that the client receives from TaaS or the Tanium Server during registration.

Do not edit the values for these subkeys. The information might help you understand expected behavior when troubleshooting peering. Contact Tanium Support for more assistance.

Non-Windows

The settings are stored in an SQLite database. Use the Tanium Client CLI on Non-Windows endpoints to configure the settings.

Settings reference

Tanium Client settings are initialized upon registration or service restart.

 Table 1: Tanium Client settings
 Each entry lists the setting name, the Windows registry value type, the description, and whether you modify the setting.

ComputerID
  Type (Windows): REG_DWORD
  Description: Value that TaaS or the Tanium Server assigned to the client to uniquely identify and track each managed endpoint.
  Modify: No

DatabaseEpoch
  Type (Windows): REG_SZ
  Description: Typically, this setting indicates the date and time when TaaS or the Tanium Server was deployed.
  Modify: No

EnableRandomListeningPort
  Type (Windows): REG_DWORD
  Description: TaaS does not support this setting. Enables (1) or disables (0) the randomized selection of a new listening port at intervals. The client uses the port for communications from peer clients. If another application is already using the selected port, the client selects another port immediately instead of at the next interval. For details, see Randomize listening ports. By default, EnableRandomListeningPort is disabled and the client uses a fixed listening port (default is 17472).
  Modify: As necessary

EnableSensorQuarantine
  Type (Windows): REG_DWORD
  Description: Add this setting and set the value to 1 to enable the enforcement of sensor quarantines on a particular endpoint. By default, the setting is not present and enforcement is disabled. If you already added the setting, you can disable enforcement by setting the value to 0. You can also use the Tanium Console to enable or disable enforcement for all endpoints. For details, see Enable or disable enforcement of quarantined sensors.
  Modify: As necessary

FirstInstall
  Type (Windows): REG_SZ
  Description: Date and time of the initial Tanium Client installation.
  Modify: No

HostDomainName
  Type (Windows): N/A (non-Windows only)
  Description: Required only when the client does not return the domain name correctly in question results. The value that you specify for this setting overrides the data that the client OS would otherwise return. Specify just the domain portion of the fully qualified domain name (FQDN). For example, if the FQDN is host.example.com, specify example.com.
  Modify: As necessary

HostFQDN
  Type (Windows): N/A (non-Windows only)
  Description: Another option (besides HostDomainName) for cases where the client does not return the hostname and domain name correctly in question results. The value that you specify for this setting overrides the data that the client OS would otherwise return. Specify the complete FQDN, including the hostname, such as host.example.com.
  Modify: As necessary

LastInstall
  Type (Windows): REG_SZ
  Description: Date and time of the latest Tanium Client installation.
  Modify: No

LastGoodServerName
  Type (Windows): REG_SZ
  Description: The name of the TaaS instance or Tanium Server or Zone Server with which the Tanium Client last connected successfully. If the client cannot reach an instance or server that the ServerNameList or ServerName setting specifies, the client tries to connect to the instance or server that LastGoodServerName specifies. You do not set LastGoodServerName; the client defines it automatically. To avoid this fallback behavior during testing, troubleshooting, or migration scenarios, delete the LastGoodServerName value.
  Modify: No

ListenPort
  Type (Windows): REG_DWORD
  Description: The port on which the client listens for communications from peer clients. The default is 17472. However, if you install the client on the Tanium Server or Zone Server (Windows deployment only), the default port is 17473. If you enable EnableRandomListeningPort, do not configure ListenPort because the client overwrites the value whenever it selects a new port. Changes to ListenPort automatically affect the Tanium Client API port, which is one port number higher. For example, if you set ListenPort to 17473, the client API port becomes 17474. ListenPort overrides the ServerPort setting for client-client communication.
  Modify: As necessary

LogFileSize
  Type (Windows): REG_DWORD
  Description: The size threshold in bytes that Tanium Client logs must reach before the client rotates them.
  Modify: As necessary

LogPath
  Type (Windows): REG_SZ
  Description: By default, the Tanium Client writes its logs to the <Tanium Client>/Logs subdirectory. You can use the LogPath setting to define an alternative absolute path for the logs. For example: LogPath=/tmp.
  Modify: As necessary

LogVerbosityLevel
  Type (Windows): REG_DWORD
  Description: The level of logging on an endpoint. The following values are best practices for specific use cases:
    • 0: Disables logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1: Use during normal operation.
    • 41: Use during troubleshooting.
    • 91 or higher: Full logging; use for short periods of time only.
  By default, this setting is not present if you did not set the logging level when deploying the Tanium Client.
  Modify: As necessary

Path
  Type (Windows): REG_SZ (Windows only)
  Description: Path to the Tanium Client installation directory. If none is specified, the Tanium Client assumes the default path for the OS. For AIX, Linux, and Solaris, you can use symbolic links. See the article on using symbolic links in the Tanium Support Knowledge Base (sign in required).
  Modify: As necessary

ProxyAutoConfigAddress
  Type (Windows): REG_DWORD (Windows only)
  Description: The URL and file name (in the format http[s]://<PAC file URL>/<PAC file name>.pac) of a proxy auto configuration (PAC) file that the Tanium Client can access. The PAC file defines how clients connect to TaaS or the Tanium Server or Zone Server: directly or through a Hypertext Transfer Protocol Secure (HTTPS) proxy server. The client downloads the file from the URL that you specify and runs a script that the file contains to select the correct proxy for connecting to a particular server. If no proxy is available, the client falls back to connecting directly with TaaS or the Tanium Server or Zone Server. For details, see Configure proxy connections with a PAC file.
  Modify: As necessary

ProxyServers
  Type (Windows): REG_DWORD
  Description: The IP address or FQDN, and port number, of the HTTPS proxy server through which the Tanium Client connects to TaaS or the Tanium Server or Zone Server. You can specify multiple proxies as a comma-separated list in the format "<proxy1>:<port>,...,<proxyN>:<port>". The client tries to connect to the proxies in the order that you list them. After any single connection succeeds, the client stops trying to connect with more proxies. If no proxy is available, the client falls back to connecting directly with TaaS or the Tanium Server or Zone Server. For details, see Configure proxy connections without a PAC file.
  Modify: As necessary

RandomListeningPortExclusions
  Type (Windows): REG_DWORD
  Description: TaaS does not support this setting. Specifies ports that the client never selects as a listening port if you enable EnableRandomListeningPort. For example, to prevent port conflicts, you might specify ports that other applications use. If you specify multiple exclusions, use a comma to separate each port. By default, the client does not exclude any ports within the range that the RandomListeningPortMin and RandomListeningPortMax settings define.
  Modify: As necessary

RandomListeningPortMax
  Type (Windows): REG_DWORD
  Description: TaaS does not support this setting. Specifies the high end of the range of ports from which the client randomly selects a listening port if you enabled EnableRandomListeningPort. The default is port 64000.
  Modify: As necessary

RandomListeningPortMin
  Type (Windows): REG_DWORD
  Description: TaaS does not support this setting. Specifies the low end of the range of ports from which the client randomly selects a listening port if you enabled EnableRandomListeningPort. The default is port 32000.
  Modify: As necessary

RandomListeningPortTTLInHours
  Type (Windows): REG_DWORD
  Description: TaaS does not support this setting. Specifies the interval in hours at which the client selects a new listening port if you enabled EnableRandomListeningPort. The default is 24 hours. Do not set the value lower than the client reset interval, which by default is a random interval in the range of 2 to 6 hours.
  Modify: As necessary

RegistrationCount
  Type (Windows): REG_DWORD
  Description: Count of completed registrations. This value, in conjunction with the ComputerID, enables TaaS or the Tanium Server to detect duplicate Computer IDs. If the RegistrationCount value that TaaS or the Tanium Server maintains does not match the value that the client reports, the server assigns a new, unique ComputerID to the endpoint to resolve the apparent ComputerID duplication. For details, see Registration and ComputerID.
  Modify: No

ReportingTLSMode, OptionalTLSMinAttemptCount, OptionalTLSBackoffIntervalSeconds, OptionalTLSMaxBackoffSeconds, Server_ReportingTLSMode, Server_OptionalTLSMinAttemptCount, Server_OptionalTLSBackoffIntervalSeconds, Server_OptionalTLSMaxBackoffSeconds
  Type (Windows): REG_DWORD
  Description: TaaS automatically manages all TLS settings for the Tanium Client. Tanium Core Platform 7.2 or later supports TLS communication for connections from Tanium Clients to the Tanium Server or Zone Server. Tanium Core Platform 7.4 or later also supports TLS communication between Tanium Client 7.4 peers. For details, see the Tanium Core Platform Deployment Reference Guide: Setting up TLS communication.
  Modify: As necessary

Resolver
  Type (Windows): N/A (non-Windows only)
  Description: Program to invoke for resolving the IP address of TaaS or the Tanium Server. The default is getent. For AIX and OS X, set this to nslookup. The options are: getent, getenta, host, nslookup, dig, res_search, gethostbyname (OS X only), and getaddrinfo (OS X only).
  Modify: As necessary

ServerName
  Type (Windows): REG_SZ
  Description: FQDN or IP address of the TaaS instance or Tanium Server or Zone Server with which the client tries to connect. For details, see ServerName.
  Modify: As necessary

ServerNameList
  Type (Windows): REG_SZ
  Description: A comma-separated list of FQDNs or IP addresses of the TaaS instances or Tanium Servers and Zone Servers with which the client can try to connect. For details, see ServerNameList.
  Modify: As necessary

ServerPort
  Type (Windows): REG_DWORD
  Description: The port to use for client-server and client-client communication. The default is 17472. In TaaS, the port is always 17472. For details, see ServerPort. If you configure the ListenPort or EnableRandomListeningPort setting, it overrides ServerPort for client-client communication.
  Modify: As necessary (No in TaaS)

Version
  Type (Windows): REG_SZ
  Description: Tanium Client version number.
  Modify: No

Tuning Tanium Client settings for VDI endpoints and other endpoints with limited resources

If you are deploying the Tanium Client to virtual desktop infrastructure (VDI) instances or other endpoints with limited resources, you might need to adjust certain client settings to help reduce resource usage. The following table lists the best practice adjustments to client settings for VDI instances. These settings help avoid concentrated resource usage on shared hardware.

 Table 2: Best practice client settings for VDI instances
 Each entry lists the client setting, its default value, the best practice value for VDI, and an explanation.

RandomSensorDelayInSeconds
  Default: 0
  VDI value: 20
  Explanation: By default, sensors run immediately. This setting delays the execution of any sensor by a random time up to 20 seconds, which reduces concurrent execution of sensors and packages.

MaxAgeMultiplier
  Default: 1
  VDI value: 2
  Explanation: Each sensor has a Max Sensor Age setting that determines how long the client caches sensor results for subsequent questions that include the same sensor. This setting causes the client to multiply the maximum age configured for each sensor by 2, which doubles the time results are cached for each sensor and reduces sensor executions.

MinDistributeOverTimeInSeconds
  Default: 0
  VDI value: 60
  Explanation: Each action has a Distribute Over setting that randomizes the distribution of that action over the specified time. By default, no minimum applies, and some actions might be configured for immediate distribution. This setting forces all actions to distribute over at least 1 minute.

LogVerbosityLevel
  Default: 1
  VDI value: 0
  Explanation: Disable logging to reduce disk writes. Temporarily re-enable logging on individual endpoints for troubleshooting.

Logs.extensions.LogVerbosityLevel
  Default: 11
  VDI value: 0
  Explanation: Disable Tanium™ Client Extensions logging to reduce disk writes. Temporarily re-enable logging on individual endpoints for troubleshooting.

SaveClientStateIntervalInSeconds
  Default: 300
  VDI value: 1800
  Explanation: By default, the client state is written to disk every 5 minutes. This setting increases the time to 30 minutes to reduce disk writes.

To identify existing VDI clients for tuning, ask a question appropriate for your environment, and then drill down as necessary. The following table lists example questions that you might ask to identify VDI clients.

 Table 3: Example questions to identify VDI clients

Model
  Get Is Virtual from all machines with Is Virtual equals yes
  Get Chassis Type from all machines with Chassis Type contains virtual
  Get Model from all machines with Model contains Standard PC

Host name
  Get Computer Name contains VM-PC- from all machines

Active Directory attributes
  Get AD Query - Computer Attributes[Description] contains " VDI " from all machines
  Get AD Query - Computer Groups equals VDI from all machines

MAC address
  Get MAC Address starts with "00:1c:42" from all machines

IP address
  Get Tanium Client Subnet matches "^192.168.(14|16|88|222)/23$" from all machines

Hardware
  Get Disk Drive Details having Disk Drive Details:Name equals QEMU HARDDISK ATA Device from all machines

You can also adjust these settings to increase performance on physical endpoints with hardware specifications near the minimum requirements for the Tanium Client, cloud-hosted endpoints, and endpoints where CPU performance must be prioritized, but the appropriate values depend on your environment and business requirements. For assistance with tuning these settings, contact Tanium Support.

The performance of certain features in some Tanium solutions also depends on the resources available on endpoints. For more information about requirements for specific Tanium solutions, go to https://docs.tanium.com/ and review the documentation for that solution.

Peering settings reference

When Tanium Clients register with TaaS or the Tanium Server, they also receive values for settings that relate to peering and sensor data. Clients write these settings to the Status registry subkey on Windows endpoints and to the SQLite database (client.db) on non-Windows endpoints. You do not edit these settings, but their values might help you understand expected behavior when troubleshooting peering. You can ask questions to see the values of some of these settings: see Use questions to review peering settings. Contact Tanium Support for more assistance.

 Table 4: Tanium Client peer settings

BackPeerAddress: Address details for the current backward peer. Use the Tanium Back Peer Address sensor (Client Management content set) to see the value for this setting.
BackPreviousPeerAddress: Address details for the previous backward peer.
BufferCount: Number of buffered messages that are currently queued for the Tanium Client to process. Use the Tanium Buffer Count sensor (Client Management content set) to see the value for this setting.
ClientAddress: Address details for the client host endpoint. Use the Tanium Client IP Address sensor (Base content set) to see the value for this setting.
NeighborhoodList: Connection details that TaaS or the Tanium Server provides for up to ten forward and ten backward peers. Use the Tanium Client Neighborhood sensor (Client Management content set) to see neighborhood information.
PeerAddress: Address details for the current forward peer. Use the Tanium Peer Address sensor (Client Management content set) to see the value for this setting.
PreviousPeerAddress: Address details for the previous forward peer.
StaleCount: Count of sensors with stale data.
StaleList: List of sensors with stale data.