Reference: Tanium Client settings and CLI

Tanium Client settings reference

For information about reviewing and modifying client settings, see Managing client settings.

 Table 1: Tanium Client settings
Setting Name Applies to OS Platforms Windows Registry Value Type Non-Windows Setting Type Description Modify
ClientCacheLimitInMB¹ All supported REG_DWORD NUMERIC

The size limit, in MB, for the file cache on an endpoint. The default is 100. For more information, see Chunk caching.

As necessary
ComputerID All supported REG_DWORD NUMERIC Value that Tanium Cloud or the Tanium Server assigned to the client to uniquely identify and track each managed endpoint. No
DatabaseEpoch All supported REG_SZ STRING Typically, this setting indicates the date and time when Tanium Cloud or the Tanium Server was deployed. No
EnableRandomListeningPort All supported REG_DWORD NUMERIC Tanium Cloud does not support this setting. Enables (1) or disables (0) the randomized selection of a new listening port at intervals. The client uses the port for communications from peer clients. If another application is already using the selected port, the client selects another port immediately instead of at the next interval. For details, see Randomize listening ports. By default, EnableRandomListeningPort is disabled and the client uses a fixed listening port (default is 17472). As necessary
EnableSensorQuarantine All supported REG_DWORD NUMERIC Add this setting and set the value to 1 if you want to enable the enforcement of sensor quarantines on a particular endpoint. By default, the setting is not present and enforcement is disabled. If you already added the setting, you can disable enforcement by setting the value to 0. You can also use the Tanium Console to enable or disable enforcement for all endpoints. For details, see Enable or disable enforcement of quarantined sensors. As necessary
FirstInstall All supported REG_SZ STRING Date and time of the initial Tanium Client installation. No
HostDomainName Non‑Windows N/A STRING Required only when the client does not return the domain name correctly in question results. The value that you specify for this setting overrides the data that the client OS would otherwise return.

Specify just the domain portion of the fully qualified domain name (FQDN). For example, if the FQDN is host.example.com, specify example.com.

As necessary
HostFQDN Non‑Windows N/A STRING Another option (besides HostDomainName) for cases where the client does not return the hostname and domain name correctly in question results. The value that you specify for this setting overrides the data that the client OS would otherwise return.

Specify the complete FQDN, including hostname, such as host.example.com.

As necessary
LastInstall All supported REG_SZ STRING Date and time of latest Tanium Client installation. No
LastGoodServerName All supported REG_SZ STRING The name of the Tanium Cloud instance, Tanium Server, or Zone Server with which the Tanium Client last connected successfully. If the client cannot reach an instance or server that the ServerNameList or ServerName setting specifies, the client tries to connect to the instance or server that LastGoodServerName specifies. You do not set LastGoodServerName; the client defines it automatically.

To avoid this fallback behavior during testing, troubleshooting, or migration scenarios, delete the LastGoodServerName value.

No
ListenPort All supported REG_DWORD NUMERIC This setting indicates the port (17472) on which the client listens for communications from peer clients. The default is 17472. However, if you install the client on the Tanium Server or Zone Server (Windows deployment only), the default port is 17473. If you enable EnableRandomListeningPort, do not configure ListenPort because the client overwrites the value whenever it selects a new port.
Changes to ListenPort automatically affect the Tanium Client API port, which is one port number higher. For example, if you set ListenPort to 17473, the client API port becomes 17474.

ListenPort overrides the ServerPort setting for client-client communication.

As necessary
LogFileSize All supported REG_DWORD NUMERIC The size threshold in bytes that Tanium Client logs must reach before the client rotates them. As necessary
LogPath All supported REG_SZ STRING By default, the Tanium Client writes its logs to the <Tanium Client>/Logs subdirectory. You can use the LogPath setting to define an alternative absolute path for the logs. For example: LogPath=/tmp. As necessary
LogVerbosityLevel¹ All supported REG_DWORD NUMERIC

The level of logging on an endpoint. The following values are best practices for specific use cases:

  • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
  • 1 (default): Use this value during normal operation.
  • 41: Use this value during troubleshooting.
  • 91 or higher: Use this value for full logging, for short periods of time only.

By default, this setting is not present if you did not set the logging level when deploying the Tanium Client.

If you are using a package to configure this setting, you can use the Set Windows Tanium Client Logging Level or Set Tanium Client Logging Level [Non-Windows] package.

As necessary
Logs.extensions.LogVerbosityLevel¹ All supported REG_DWORD NUMERIC

The level of logging for client extensions (such as the Tanium™ Client Recorder Extension and Tanium™ Index) on an endpoint. The following values are best practices for specific use cases:

  • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
  • 11 (default): Use this value during normal operation.
  • 41: Use this value during troubleshooting.
  • 91 or higher: Use this value for full logging, for short periods of time only.
 
Path Windows REG_SZ N/A Path to the Tanium Client installation directory. If none is specified, the Tanium Client assumes the default path for the OS. As necessary
ProxyAutoConfigAddress Windows REG_SZ N/A The URL and file name (in the format http[s]://<PAC file URL>/<PAC file name>.pac) of a proxy auto configuration (PAC) file that the Tanium Client can access. The PAC file defines how clients connect to Tanium Cloud, the Tanium Server, or the Zone Server: directly or through a Hypertext Transfer Protocol Secure (HTTPS) proxy server. The client downloads the file from the URL that you specify and runs a script that the file contains to select the correct proxy for connecting to a particular server. If no proxy is available, the client falls back to connecting directly with Tanium Cloud, the Tanium Server, or the Zone Server. For details, see Configure proxy connections with a PAC file. As necessary
ProxyServers All supported REG_DWORD NUMERIC The IP address or FQDN, and port number, of the HTTPS proxy server through which the Tanium Client connects to Tanium Cloud, the Tanium Server, or the Zone Server. You can specify multiple proxies as a comma-separated list in the format "<proxy1>:<port>,...,<proxyN>:<port>". The client tries to connect to the proxies in the order that you list them. After any single connection succeeds, the client stops trying to connect with more proxies. If no proxy is available, the client falls back to connecting directly with Tanium Cloud, the Tanium Server, or the Zone Server. For details, see Configure proxy connections without a PAC file. As necessary
RandomListeningPortExclusions All supported REG_DWORD NUMERIC Tanium Cloud does not support this setting. Specifies ports that the client never selects as a listening port if you enable EnableRandomListeningPort. For example, to prevent port competition conflicts, you might specify ports that other applications use. If you specify multiple exclusions, use a comma to separate each port. By default, the client does not exclude any ports that are within the range that the RandomListeningPortMin and RandomListeningPortMax settings define. As necessary
RandomListeningPortMax All supported REG_DWORD NUMERIC Tanium Cloud does not support this setting. Specifies the high end of the range of ports from which the client randomly selects a listening port if you enabled EnableRandomListeningPort. The default is port 64000. As necessary
RandomListeningPortMin All supported REG_DWORD NUMERIC Tanium Cloud does not support this setting. Specifies the low end of the range of ports from which the client randomly selects a listening port if you enabled EnableRandomListeningPort. The default is port 32000. As necessary
RandomListeningPortTTLInHours All supported REG_DWORD NUMERIC Tanium Cloud does not support this setting. Specifies the interval in hours at which the client selects a new listening port if you enabled EnableRandomListeningPort. The default is 24 hours. Do not set the value lower than the client reset interval, which by default is a random interval in the range of 2 to 6 hours. As necessary
RegistrationCount All supported REG_DWORD NUMERIC Count of completed registrations. This value, in conjunction with the ComputerID, enables Tanium Cloud or the Tanium Server to detect duplicate Computer IDs. If the RegistrationCount value that Tanium Cloud or the Tanium Server maintains does not match the value that the client reports, Tanium Cloud or the server assigns a new, unique ComputerID to the endpoint to resolve the apparent ComputerID duplication. For details, see Registration and ComputerID. No
ReportingTLSMode, OptionalTLSMinAttemptCount, OptionalTLSBackoffIntervalSeconds, OptionalTLSMaxBackoffSeconds, Server_ReportingTLSMode, Server_OptionalTLSMinAttemptCount, Server_OptionalTLSBackoffIntervalSeconds, Server_OptionalTLSMaxBackoffSeconds All supported REG_DWORD NUMERIC Tanium Cloud automatically manages all TLS settings for the Tanium Client. Tanium Core Platform supports TLS communication for connections from Tanium Clients to the Tanium Server or Zone Server. Tanium Core Platform 7.4 or later also supports TLS communication between Tanium Client 7.4 peers. For details, see the Tanium Core Platform Deployment Reference Guide: Setting up TLS communication. As necessary
Resolver Non‑Windows N/A STRING Program to invoke for resolving the IP address of Tanium Cloud or the Tanium Server. The default is getent. For AIX and Solaris, set this to nslookup. The options are as follows: getent, getenta, host, nslookup, dig, and res_search. As necessary
ServerName All supported REG_SZ STRING

FQDN or IP address of the Tanium Cloud instance, Tanium Server, or Zone Server with which the client tries to connect. For details, see ServerName.

If you are using a package to configure this setting, you can use the Set Tanium Server Name or Set Tanium Server Name [Non-Windows] package.

As necessary
ServerNameList All supported REG_SZ STRING

A comma-separated list of the FQDNs or IP addresses of the Tanium Cloud instances, or of the Tanium Servers and Zone Servers, with which the client can try to connect. For details, see ServerNameList.

If you are using a package to configure this setting, you can use the Set Tanium Server Name List or Set Tanium Server Name List [Non-Windows] package.

As necessary
ServerPort All supported REG_DWORD NUMERIC

The port to use for client-server and client-client communication. The default is 17472. For details, see ServerPort. In Tanium Cloud, the port is always 17472.

If you configure the ListenPort or EnableRandomListeningPort setting, it overrides ServerPort for client-client communication.

As necessary No
StateProtectedFlag All supported REG_DWORD NUMERIC

Enables encryption of the client state and sensor queries stored on the client.

By default, read access to the Tanium Client directory is restricted for non-Administrators. However, encrypting the client state and sensor queries can provide additional protection.

For information about additional measures to protect the Tanium Client on Windows endpoints, see Harden the Tanium Client on Windows.

As necessary
Version All supported REG_SZ STRING Tanium Client version number. No
¹ You can apply this setting using a client profile in Tanium Client Management: see Managing client settings using profiles.

Tuning Tanium Client settings for VDI endpoints and other endpoints with limited resources

If you are deploying the Tanium Client to virtual desktop infrastructure (VDI) instances or other endpoints with limited resources, you might need to adjust certain client settings to help reduce resource usage. The following table lists the best practice adjustments to client settings for VDI instances. These settings help avoid concentrated resource usage on shared hardware. All settings in the following table are of the registry type REG_DWORD for Windows, or of the type NUMERIC for non-Windows.

 Table 2: Best practice client settings for VDI instances
Client Setting Default Value Best Practice Value for VDI Explanation
RandomSensorDelayInSeconds 0 20 By default, sensors run immediately. This setting delays the execution of any sensor by a random time up to 20 seconds, which reduces concurrent execution of sensors and packages.
MaxAgeMultiplier 1 2 Each sensor has a Max Sensor Age setting that determines how long the client caches sensor results for subsequent questions that include the same sensor. This setting causes the client to multiply the maximum age configured for each sensor by 2, which doubles the time results are cached for each sensor and reduces sensor executions.
MinDistributeOverTimeInSeconds 0 60 Each action has a Distribute Over setting that randomizes the distribution of that action over the specified time. By default, no minimum applies, and some actions might be configured for immediate distribution. This setting forces all actions to distribute over at least 1 minute.
LogVerbosityLevel 1 0 Disable logging to reduce disk writes. Temporarily re-enable logging on individual endpoints for troubleshooting.
Logs.extensions.LogVerbosityLevel 11 0 Disable Tanium™ Client Extensions logging to reduce disk writes. Temporarily re-enable logging on individual endpoints for troubleshooting.
SaveClientStateIntervalInSeconds 300 1800 By default, the client state is written to disk every 5 minutes. This setting increases the time to 30 minutes to reduce disk writes.

You can apply these settings using a client profile in Tanium Client Management: see Managing client settings using profiles.

To identify existing VDI clients for tuning, ask a question appropriate for your environment, and then drill down as necessary. The following table lists example questions that you might ask to identify VDI clients.

 Table 3: Example questions to identify VDI clients
Identification method Example question
Model

Get Is Virtual from all machines with Is Virtual equals yes

Get Chassis Type from all machines with Chassis Type contains virtual

Get Model from all machines with Model contains Standard PC

Host name

Get Computer Name contains VM-PC- from all machines

Active Directory attributes

Get AD Query - Computer Attributes[Description] contains " VDI " from all machines

Get AD Query - Computer Groups equals VDI from all machines

MAC address

Get MAC Address starts with "00:1c:42" from all machines

IP address

Get Tanium Client Subnet matches "^192.168.(14|16|88|222)/23$" from all machines

Hardware

Get Disk Drive Details having Disk Drive Details:Name equals QEMU HARDDISK ATA Device from all machines

You can also adjust these settings to increase performance on physical endpoints with hardware specifications near the minimum requirements for the Tanium Client, cloud-hosted endpoints, and endpoints where CPU performance must be prioritized, but the appropriate values depend on your environment and business requirements. For assistance with tuning these settings, contact Tanium Support.

The performance of certain features in some Tanium solutions also depends on the resources available on endpoints. For more information about requirements for specific Tanium solutions, go to https://docs.tanium.com/ and review the documentation for that solution.

Peering settings reference

When Tanium Clients register with Tanium Cloud or the Tanium Server, they also receive values for settings that relate to peering and sensor data. Clients write these settings to the Status registry subkey on Windows endpoints and to the SQLite database (client.db) on non-Windows endpoints. You do not edit these settings, but their values might help you understand expected behavior when troubleshooting peering. You can ask questions to see the values of some of these settings: see Use questions to review peering settings. Contact Tanium Support for more assistance.

 Table 4: Tanium Client peer settings
Setting Name Description
BackPeerAddress Address details for the current backward peer. Use the Tanium Back Peer Address sensor (Client Management content set) to see the value for this setting.
BackPreviousPeerAddress Address details for the previous backward peer.
BufferCount Number of buffered messages that are currently queued for the Tanium Client to process. Use the Tanium Buffer Count sensor (Client Management content set) to see the value for this setting.
ClientAddress Address details for the client host endpoint. Use the Tanium Client IP Address sensor (Base content set) to see the value for this setting.
NeighborhoodList Connection details that Tanium Cloud or the Tanium Server provides for up to ten forward and ten backward peers. Use the Tanium Client Neighborhood sensor (Client Management content set) to see neighborhood information.
PeerAddress Address details for the current forward peer. Use the Tanium Peer Address sensor (Client Management content set) to see the value for this setting.
PreviousPeerAddress Address details for the previous forward peer.
StaleCount Count of sensors with stale data.
StaleList List of sensors with stale data.

Tanium Client command line interface (CLI)

CLI on Windows endpoints

Tanium Client settings are written to the Windows registry. The executable program for the CLI, TaniumClient.exe, is in the Tanium Client installation directory. The following examples demonstrate useful CLI commands:

  • Display TaniumClient.exe syntax, commands, and options: TaniumClient --help
  • Display the configuration (config) command syntax and actions: TaniumClient config --help
  • Display the current configuration settings: TaniumClient config list

For the complete list of client settings that are configurable using the CLI, see Tanium Client settings reference.

The following example shows how to set and confirm the fully qualified domain names (FQDNs) of the Tanium Cloud instances, or of the Tanium Servers in an active-active deployment, with which the Tanium Client can connect. The first pair of commands uses Tanium Cloud instance names and the second pair uses Tanium Server names:

cmd-prompt> TaniumClient config set ServerNameList taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com

cmd-prompt> TaniumClient config get ServerNameList

taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com

cmd-prompt> TaniumClient config set ServerNameList ts1.tam.local,ts2.tam.local

cmd-prompt> TaniumClient config get ServerNameList

ts1.tam.local,ts2.tam.local

The following example shows how to configure the connection between Tanium Client 7.4 or later and the Tanium Server to require TLS, and then to confirm that TLS is required:

cmd-prompt> TaniumClient config set TLSMode 1

cmd-prompt> TaniumClient config get TLSMode

1

CLI on non-Windows endpoints

Tanium Client settings are written to an SQLite database. The executable program for the CLI, TaniumClient, is in the Tanium Client installation directory. You must either run it as root or use sudo to elevate permissions. The following examples demonstrate useful CLI commands:

  • Display TaniumClient syntax, commands, and options: sudo ./TaniumClient --help
  • Display the configuration (config) command syntax and actions: sudo ./TaniumClient config -h
  • Display the current configuration settings: sudo ./TaniumClient config list

For the complete list of client settings that are configurable using the CLI, see Tanium Client settings reference.

The following example shows how to set and confirm the FQDNs of the Tanium Cloud instances, or of the Tanium Servers in an active-active deployment, with which the Tanium Client can connect. The first pair of commands uses Tanium Cloud instance names and the second pair uses Tanium Server names:

cmd-prompt> sudo ./TaniumClient config set ServerNameList taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com

cmd-prompt> sudo ./TaniumClient config get ServerNameList

taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com

cmd-prompt> sudo ./TaniumClient config set ServerNameList ts1.tam.local,ts2.tam.local

cmd-prompt> sudo ./TaniumClient config get ServerNameList

ts1.tam.local,ts2.tam.local

The following example shows how to configure the connection between Tanium Client 7.4 or later and the Tanium Server to require TLS, and then to confirm that TLS is required:

cmd-prompt> sudo ./TaniumClient config set TLSMode 1
cmd-prompt> sudo ./TaniumClient config get TLSMode
1
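
The following script is an added example, not part of the Tanium documentation: it reads settings with the config get action shown above and flags values that drift from the guidance in the settings table (TLS required, full logging left on, a random-port TTL that is too short, a stale LastGoodServerName). It assumes a Tanium Server deployment, that config get prints only the value and prints nothing when a setting is not present, and that 6 hours is used as the conservative reset-interval ceiling; TANIUM_CLIENT and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit Tanium Client settings through `config get`.
# Assumptions: `config get <name>` prints only the value and prints nothing
# when the setting is not present; TANIUM_CLIENT is a hypothetical override.
# Run as root (or under sudo) from the client installation directory.

TANIUM_CLIENT="${TANIUM_CLIENT:-./TaniumClient}"

# Read one setting; empty output is treated as "not present".
tc_get() {
    "$TANIUM_CLIENT" config get "$1" 2>/dev/null
}

# Succeed only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

findings=0
flag() {
    findings=$((findings + 1))
    echo "FINDING: $*"
}

# Print one line per finding; return 1 if anything was flagged, else 0.
audit_client() {
    findings=0

    # TLS must be required (TLSMode 1) for the client-to-server connection.
    tls=$(tc_get TLSMode)
    [ "$tls" = "1" ] || flag "TLSMode is '${tls:-not present}', expected 1"

    # 91 or higher is full logging, meant for short periods only.
    level=$(tc_get LogVerbosityLevel)
    if is_uint "$level" && [ "$level" -ge 91 ]; then
        flag "LogVerbosityLevel is $level (full logging left enabled)"
    fi

    # With random ports on, the TTL must not undercut the client reset
    # interval, which by default is a random 2 to 6 hours.
    if [ "$(tc_get EnableRandomListeningPort)" = "1" ]; then
        ttl=$(tc_get RandomListeningPortTTLInHours)
        if is_uint "$ttl" && [ "$ttl" -lt 6 ]; then
            flag "RandomListeningPortTTLInHours is $ttl, below the 6-hour reset ceiling"
        fi
    fi

    # A LastGoodServerName outside the configured servers means the client
    # can still fall back to a server that was retired or migrated away.
    last=$(tc_get LastGoodServerName | tr '[:upper:]' '[:lower:]')
    servers=$(printf '%s,%s' "$(tc_get ServerNameList)" "$(tc_get ServerName)" |
        tr '[:upper:]' '[:lower:]' | tr -d ' ')
    if [ -n "$last" ]; then
        case ",$servers," in
            *",$last,"*) ;;
            *) flag "LastGoodServerName '$last' is not in ServerNameList/ServerName" ;;
        esac
    fi

    [ "$findings" -eq 0 ]
}
```

Call audit_client on the endpoint after sourcing the file; a non-zero return means at least one FINDING line was printed.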