Reference: Tanium Client settings and CLI
Tanium Client settings reference
For information about reviewing and modifying client settings, see Managing client settings.
Setting Name | Applies to OS Platforms | Windows Registry Value Type | Non-Windows Setting Type | Description | Modify |
---|---|---|---|---|---|
ClientCacheLimitInMB ¹ | All supported | REG_DWORD | NUMERIC | The size limit, in MB, for the file cache on an endpoint. The default is 100. For more information, see Chunk caching. | As necessary |
ComputerID | All supported | REG_DWORD | NUMERIC | Value that | No |
DatabaseEpoch | All supported | REG_SZ | STRING | Typically, this setting indicates the date and time when | No |
EnableRandomListeningPort | All supported | REG_DWORD | NUMERIC | | As necessary |
EnableSensorQuarantine | All supported | REG_DWORD | NUMERIC | Add this setting and set the value to 1 if you want to enable the enforcement of sensor quarantines on a particular endpoint. By default, the setting is not present and enforcement is disabled. If you already added the setting, you can disable enforcement by setting the value to 0. | As necessary |
FirstInstall | All supported | REG_SZ | STRING | Date and time of the initial Tanium Client installation. | No |
HostDomainName | Non‑Windows | N/A | STRING | Required only when the client does not return the domain name correctly in question results. The value that you specify for this setting overrides the data that the client OS would otherwise return. Specify just the domain portion of the fully qualified domain name (FQDN). For example, if the FQDN is host.example.com, specify example.com. | As necessary |
HostFQDN | Non‑Windows | N/A | STRING | Another option (besides HostDomainName) for cases where the client does not return the hostname and domain name correctly in question results. The value that you specify for this setting overrides the data that the client OS would otherwise return. Specify the complete FQDN, including hostname, such as host.example.com. | As necessary |
LastInstall | All supported | REG_SZ | STRING | Date and time of latest Tanium Client installation. | No |
LastGoodServerName | All supported | REG_SZ | STRING | The To avoid this fallback behavior during testing, troubleshooting, or migration scenarios, delete the LastGoodServerName value. | No |
ListenPort | All supported | REG_DWORD | NUMERIC | This setting indicates the port Changes to ListenPort automatically affect the Tanium Client API port, which is one port number higher. For example, if you set ListenPort to 17473, the client API port becomes 17474. ListenPort overrides the ServerPort setting for client-client communication. | As necessary |
LogFileSize | All supported | REG_DWORD | NUMERIC | The size threshold in bytes that Tanium Client logs must reach before the client rotates them. | As necessary |
LogPath | All supported | REG_SZ | STRING | By default, the Tanium Client writes its logs to the <Tanium Client>/Logs subdirectory. You can use the LogPath setting to define an alternative absolute path for the logs. For example: LogPath=/tmp. | As necessary |
LogVerbosityLevel ¹ | All supported | REG_DWORD | NUMERIC | The level of logging on an endpoint. The following values are best practices for specific use cases: By default, this setting is not present if you did not set the logging level when deploying the Tanium Client. If you are using a package to configure this setting, you can use the Set Windows Tanium Client Logging Level or Set Tanium Client Logging Level [Non-Windows] package. | As necessary |
Logs.extensions.LogVerbosityLevel ¹ | All supported | REG_DWORD | NUMERIC | The level of logging for client extensions (such as the Tanium™ Client Recorder Extension and Tanium™ Index) on an endpoint. The following values are best practices for specific use cases: | |
Path | Windows | REG_SZ | N/A | Path to the Tanium Client installation directory. If none is specified, the Tanium Client assumes the default path for the OS. For Linux, Solaris, and AIX, you can use symbolic links. For more information, see the following sections: | As necessary |
ProxyAutoConfigAddress | Windows | REG_SZ | N/A | The URL and file name (in the format http[s]://<PAC file URL>/<PAC file name>.pac) of a proxy auto configuration (PAC) file that the Tanium Client can access. The PAC file defines how clients connect to | As necessary |
ProxyServers | All supported | REG_DWORD | NUMERIC | The IP address or FQDN, and port number, of the HTTPS proxy server through which the Tanium Client connects to | As necessary |
RandomListeningPortExclusions | All supported | REG_DWORD | NUMERIC | | As necessary |
RandomListeningPortMax | All supported | REG_DWORD | NUMERIC | | As necessary |
RandomListeningPortMin | All supported | REG_DWORD | NUMERIC | | As necessary |
RandomListeningPortTTLInHours | All supported | REG_DWORD | NUMERIC | | As necessary |
RegistrationCount | All supported | REG_DWORD | NUMERIC | Count of completed registrations. This value, in conjunction with the ComputerID, enables | No |
ReportingTLSMode, OptionalTLSMinAttemptCount, OptionalTLSBackoffIntervalSeconds, OptionalTLSMaxBackoffSeconds, Server_ReportingTLSMode, Server_OptionalTLSMinAttemptCount, Server_OptionalTLSBackoffIntervalSeconds, Server_OptionalTLSMaxBackoffSeconds | All supported | REG_DWORD | NUMERIC | | As necessary |
Resolver | Non‑Windows | N/A | STRING | Program to invoke for resolving the IP address of | As necessary |
ServerName | All supported | REG_SZ | STRING | If you are using a package to configure this setting, you can use the Set Tanium Server Name or Set Tanium Server Name [Non-Windows] package. | |
ServerNameList | All supported | REG_SZ | STRING | Comma-separated list of Do not modify this setting, except during initial configuration of the Tanium Client when a tanium-init.dat file that includes the appropriate FQDNs is unavailable, or as directed by Tanium Support. If you are using a package to configure this setting, you can use the Set Tanium Server Name List or Set Tanium Server Name List [Non-Windows] package. | |
ServerPort | All supported | REG_DWORD | NUMERIC | The port to use for client-server and client-client communication. If you configure the ListenPort or EnableRandomListeningPort setting, it overrides ServerPort for client-client communication. | |
StateProtectedFlag | All supported | REG_DWORD | NUMERIC | Enables encryption of the client state and sensor queries stored on the client By default, read access to the Tanium Client directory is restricted for non-Administrators. However, encrypting the client state and sensor queries can provide additional protection. For information about additional measures to protect the Tanium Client on Windows endpoints, see (Optional) Harden the Tanium Client on Windows. | As necessary |
Version | All supported | REG_SZ | STRING | Tanium Client version number. | No |
¹ You can apply this setting using a settings configuration in Tanium Client Management: see Managing client settings in Client Management.
Tuning Tanium Client settings for VDI endpoints and other endpoints with limited resources
For information about creating an image with the Tanium Client for VDI environments, see Preparing the Tanium Client on a virtual desktop infrastructure (VDI) instance.
If you are deploying the Tanium Client to virtual desktop infrastructure (VDI) instances or other endpoints with limited resources, you might need to adjust certain client settings to reduce resource usage. The following table lists the best practice adjustments to client settings for VDI instances. These settings help avoid concentrated resource usage on shared hardware. All settings in the following table are of the registry type REG_DWORD for Windows, or of the type NUMERIC for non-Windows. For information about reviewing and modifying client settings, see Managing client settings.
Client Setting | Default Value | Best Practice Value for VDI | Explanation |
---|---|---|---|
RandomSensorDelayInSeconds | 0 | 20 | By default, sensors run immediately. This setting delays the execution of any sensor by a random time up to 20 seconds, which reduces concurrent execution of sensors and packages. |
MaxAgeMultiplier | 1 | 2 | Each sensor has a Max Sensor Age setting that determines how long the client caches sensor results for subsequent questions that include the same sensor. This setting causes the client to multiply the maximum age configured for each sensor by 2, which doubles the time results are cached for each sensor and reduces sensor executions. |
MinDistributeOverTimeInSeconds | 0 | 60 | Each action has a Distribute Over setting that randomizes the distribution of that action over the specified time. By default, no minimum applies, and some actions might be configured for immediate distribution. This setting forces all actions to distribute over at least 1 minute. |
LogVerbosityLevel | 1 | 0 | Disable logging to reduce disk writes. Temporarily re-enable logging on individual endpoints for troubleshooting. |
Logs.extensions.LogVerbosityLevel | 11 | 0 | Disable Tanium™ Client Extensions logging to reduce disk writes. Temporarily re-enable logging on individual endpoints for troubleshooting. |
SaveClientStateIntervalInSeconds | 300 | 1800 | By default, the client state is written to disk every 5 minutes. This setting increases the time to 30 minutes to reduce disk writes. |
You can apply these settings using a settings configuration in Tanium Client Management: see Managing client settings in Client Management.
To identify existing VDI clients for tuning, ask a question appropriate for your environment, and then drill down as necessary. The following table lists example questions that you might ask to identify VDI clients.
Identification method | Example question |
---|---|
Model | Get Is Virtual from all machines with Is Virtual equals yes; Get Chassis Type from all machines with Chassis Type contains virtual; Get Model from all machines with Model contains Standard PC |
Host name | Get Computer Name contains VM-PC- from all machines |
Active Directory attributes | Get AD Query - Computer Attributes[Description] contains " VDI " from all machines; Get AD Query - Computer Groups equals VDI from all machines |
MAC address | Get MAC Address starts with "00:1c:42" from all machines |
IP address | Get Tanium Client Subnet matches "^192\.168\.(14|16|88|222)\.0\/23$" from all machines; Get IP Address matches "^192\.168\.[0-2]\.\d{1,3}$" from all machines |
Hardware | Get Disk Drive Details having Disk Drive Details:Name equals QEMU HARDDISK ATA Device from all machines |
You can also adjust these settings to increase performance on physical endpoints with hardware specifications near the minimum requirements for the Tanium Client, cloud-hosted endpoints, and endpoints where CPU performance must be prioritized, but the appropriate values depend on your environment and business requirements. For assistance with tuning these settings, contact Tanium Support.
The performance of certain features in some Tanium solutions also depends on the resources available on endpoints. For more information about requirements for specific Tanium solutions, go to https://docs.tanium.com/ and review the documentation for that solution.
Peering settings reference
When Tanium Clients register with
Tanium Client command line interface (CLI)
CLI on Windows endpoints
Tanium Client settings are written to the Windows registry. The executable program for the CLI, TaniumClient.exe, is in the Tanium Client installation directory. The following examples demonstrate useful CLI commands:
- Display TaniumClient.exe syntax, commands, and options: TaniumClient --help
- Display the configuration (config) command syntax and actions: TaniumClient config --help
- Display the current configuration settings: TaniumClient config list
For the complete list of client settings that are configurable using the CLI, see Tanium Client settings reference.
The following example shows how to set and confirm the
cmd-prompt> TaniumClient config set ServerNameList
cmd-prompt> TaniumClient config get ServerNameList
Do not modify the ServerNameList setting, except during initial configuration of the Tanium Client when a tanium-init.dat file that includes the appropriate FQDNs is unavailable, or as directed by Tanium Support.
The following example shows how to configure the connection between Tanium Client 7.4 or later and the Tanium Server to require TLS, and then to confirm that TLS is required:
cmd-prompt> TaniumClient config set TLSMode 1
cmd-prompt> TaniumClient config get TLSMode
1
CLI on non-Windows endpoints
Tanium Client settings are written to an SQLite database. The executable program for the CLI, TaniumClient, is in the Tanium Client installation directory. You must either run it as root or use sudo to elevate permissions. The following examples demonstrate useful CLI commands:
- Display TaniumClient syntax, commands, and options: sudo ./TaniumClient --help
- Display the configuration (config) command syntax and actions: sudo ./TaniumClient config -h
- Display the current configuration settings: sudo ./TaniumClient config list
For the complete list of client settings that are configurable using the CLI, see Tanium Client settings reference.
The following example shows how to set and confirm the
cmd-prompt> sudo ./TaniumClient config set ServerNameList
cmd-prompt> sudo ./TaniumClient config get ServerNameList
Do not modify the ServerNameList setting, except during initial configuration of the Tanium Client when a tanium-init.dat file that includes the appropriate FQDNs is unavailable, or as directed by Tanium Support.
The following example shows how to configure the connection between Tanium Client 7.4 or later and the Tanium Server to require TLS, and then to confirm that TLS is required:
cmd-prompt> sudo ./TaniumClient config set TLSMode 1
cmd-prompt> sudo ./TaniumClient config get TLSMode
1
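The following script is an added example, not part of Tanium's documentation or tooling. It uses the config get command shown above to compare an endpoint against the VDI best practice values from the tuning table and the TLSMode 1 requirement. The names TANIUM_CLI, BASELINE, get_setting and audit_settings are hypothetical, and the script assumes that config get prints only the value and prints nothing or exits non-zero when a setting is not present.

```sh
#!/bin/sh
# Added example (not Tanium's code): compare client settings with a baseline.
# Assumption: `config get <name>` prints only the value, as in the TLSMode
# example, and prints nothing or exits non-zero when the setting is absent.

# CLI invocation from the non-Windows section; override to change the path.
TANIUM_CLI=${TANIUM_CLI:-"sudo ./TaniumClient"}

# name=expected pairs: VDI best practice values from the tuning table,
# plus TLSMode 1 (TLS required) from the CLI example.
BASELINE="RandomSensorDelayInSeconds=20 MaxAgeMultiplier=2
MinDistributeOverTimeInSeconds=60 LogVerbosityLevel=0
Logs.extensions.LogVerbosityLevel=0 SaveClientStateIntervalInSeconds=1800
TLSMode=1"

# Print the current value of one setting, or nothing if it is not present.
get_setting() {
    gs_out=$($TANIUM_CLI config get "$1" 2>/dev/null) || gs_out=""
    printf '%s' "$gs_out" | tr -d '[:space:]'
}

# Report every baseline setting; DRIFT_COUNT holds the number of mismatches.
# Returns 0 only when every setting matches the baseline.
audit_settings() {
    DRIFT_COUNT=0
    for as_pair in $BASELINE; do
        as_name=${as_pair%%=*}
        as_want=${as_pair#*=}
        as_have=$(get_setting "$as_name")
        if [ -z "$as_have" ]; then
            printf 'UNSET %s (baseline %s)\n' "$as_name" "$as_want"
            DRIFT_COUNT=$((DRIFT_COUNT + 1))
        elif [ "$as_have" != "$as_want" ]; then
            printf 'DRIFT %s=%s (baseline %s)\n' "$as_name" "$as_have" "$as_want"
            DRIFT_COUNT=$((DRIFT_COUNT + 1))
        else
            printf 'OK    %s=%s\n' "$as_name" "$as_have"
        fi
    done
    [ "$DRIFT_COUNT" -eq 0 ]
}

# Run the audit only when invoked with --run, from the installation directory.
if [ "${1:-}" = "--run" ]; then
    audit_settings
fi
```

A setting reported as UNSET is still running with its default value, which for every VDI row in the tuning table differs from the best practice value.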
Last updated: 2/1/2023 11:25 AM