Managing client settings and Index configurations

Tanium Client settings are stored in Windows registry settings on Windows endpoints, or in an SQLite database on non-Windows endpoints.

Do not edit Tanium Client keys and values in the Windows registry. Use one of the methods in Modify client settings to configure client settings.

For the list of client settings that you can review or configure, see Tanium Client settings reference.

You can also use Tanium Client Management to manage Tanium Index configurations, including exclusions and blockout window.

Review client settings

Use any of the methods in this section to review client settings. A setting that has not been configured on a client uses the default value that is configured in the Tanium Console (see Modify default client settings in the Tanium Console), or if no value is configured in the Tanium Console, the default that is listed in the Tanium Client settings reference applies.

Client Health view

Use the Client Health view in the Client Management service to review a summary of client settings that are configured across endpoints or detailed client settings on individual endpoints.

Summary view

Use the main Client Health view to review a summary of client settings that have been changed from their defaults on some endpoints and the count of endpoints on which each setting has been changed.

From the Main menu, go to Administration > Shared Services > Client Management.
From the Client Management menu, go to Client Health.
Click the Settings tab.
(Optional) Select a Computer Group to filter the summary information.

Detail view

Connect directly to an endpoint to view each client setting that has been configured for that endpoint.

In the Direct Connect search box in the Client Health view, enter all or part of an IP address or a computer name.

Matching results are displayed after the search completes.
From the search results, click the computer name to connect to the endpoint.
Click the Configuration tab to view client settings for the endpoint.
When you finish reviewing client health information for the endpoint, click Disconnect to disconnect from the endpoint and return to the client health summary.

Tanium Client Explicit Setting Sensor

Ask a question using the Tanium Client Explicit Setting sensor to review client settings on endpoints. For example, the following question returns the LogVerbosityLevel setting for endpoints that have a computer name that includes Lab:

Get Tanium Client Explicit Setting[LogVerbosityLevel] from all machines with Computer Name contains Lab

For more information about working with question results, see Tanium Interact User Guide: Managing question results.

Command line interface (CLI)

Use the CLI to review client settings locally on an individual endpoint or to retrieve client settings in a script.

Windows: TaniumClient config get <SettingName>
Non-Windows: sudo ./TaniumClient config get <SettingName>

For detailed information about using the CLI, see Tanium Client command line interface (CLI).

Modify client settings

Use any of the methods in this section to modify client settings as necessary.

For the list of client settings that you can configure, see Tanium Client settings reference.

Settings configurations in Client Management

For certain client settings (including all VDI-related settings, and the specific settings noted in the Tanium Client settings), you can use the Client Management service to create settings configurations that apply those settings to different groups of clients. For more information and the steps to create client profiles, see Managing client settings and Index configurations in Client Management.

Packages

Deploy the Modify Tanium Client Setting or Modify Tanium Client Setting [Non-Windows] package to configure a client setting on all targeted endpoints. Because Windows and non-Windows endpoints require separate packages to update settings, repeat the steps for both types of endpoints.

In Interact, ask a question to target the Windows endpoints on which you want to modify a client setting.
Select the endpoints to target and click Deploy Action.

You can drill-down or merge questions to refine the results before selecting endpoints. For more information, see Tanium Interact User Guide: Managing question results.
For Deployment Package, select one of the following packages:
- Modify Tanium Client Setting for Windows endpoints
- Modify Tanium Client Setting [Non-Windows]
Configure the following settings:
- (Windows only) For RegType, select the Windows registry value type that is listed in the Tanium Client settings reference for the setting that you want to modify.
- (Non-Windows only) For Type, select the non-Windows setting type that is listed in the Tanium Client settings reference for the setting that you want to modify.
- For ValueName, enter the name of the setting that you want to modify, as listed in the Tanium Client settings reference.
- For ValueData, enter the value to configure for the setting on targeted endpoints.
For the following frequently used settings, you can use specific packages that let you enter only the value to configure.
- LogVerbosityLevel: Use the Set Windows Tanium Client Logging Level or Set Tanium Client Logging Level [Non-Windows] package.
- ServerName: Use the Set Tanium Server Name or Set Tanium Server Name [Non-Windows] package.
- ServerNameList: Use the Set Tanium Server Name List or Set Tanium Server Name List [Non-Windows] package.
For the frequently used LogVerbosityLevel: setting, you can use the Set Windows Tanium Client Logging Level or Set Tanium Client Logging Level [Non-Windows] package and enter only the value to configure.
(Optional) In the Deployment Schedule section, configure a schedule for the action.

If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.
In the Targeting Criteria section, make sure that the settings target only endpoints that meet the following criteria:
- The targeted endpoints require the updated setting.
- The targeted endpoints run an operating system that matches the selected package (Windows or non-Windows).
Click Show Preview To Continue, review the list of targeted endpoints, and then click Deploy Action.

Clients do not apply the updated setting until you manually restart them or wait for the automatic client reset, which by default is a random interval in the range of 2 to 6 hours.
(Optional) Restart the Tanium Client service on each endpoint to apply the updated setting immediately:
Review the setting on the targeted clients to verify that it has been correctly updated: see Review client settings.

Command line interface (CLI)

Use the CLI to configure client settings locally on an individual endpoint or from a script.

Windows: TaniumClient config set <SettingName> <Value>
Non-Windows: sudo ./TaniumClient config set <SettingName> <Value>

For detailed information about using the CLI, see Tanium Client command line interface (CLI).

Deployment with Client Management

You can configure specific client settings for newly installed clients during deployment with Client Management. For more information, see Create a client configuration.

Deployment using a custom tanium-init.dat file

When deploying Tanium Client 7.4 or later, you can use the Tanium Server REST API to create a custom tanium-init.dat file that includes specific client settings for newly installed clients. See the Tanium Server REST API Reference for information about creating the PKI initialization bundle. If necessary, contact Tanium Support for access to that document.

Modify default client settings in the Tanium Console

Many client settings have a default value that applies when the setting is not configured on a client, as listed in the Tanium Client settings. You can modify the default value for a client setting in the advanced settings in the Tanium Console. This default applies to any managed endpoint that does not have the setting explicitly configured locally.

From the Main menu, go to Administration > Configuration > Settings > Advanced Settings and click the Client tab.
Edit or add a setting as necessary:
- If the setting for which you want to configure a default appears in the list, click the name of the setting, enter a new Value, and click Save.
- If the setting for which you want to configure a default does not appear in the list, click Add Setting, configure the following properties, and click Save:
  - For Setting Type, select Client.
  - For Platform Setting Name, enter the name of the setting from the Tanium Client settings.
  - For Value Type, select Text for a setting that lists "REG_SZ" as the registry value type or "STRING" as the setting type, or select Numeric for a setting that lists "REG_DWORD" as the registry value type or "NUMERIC" as the setting type.
  - For Value, enter the value to use as the default for the client setting.

Managing client settings and Index configurations in Client Management

Use the Client Management service to manage client settings and Index configurations to different groups of clients.

Create and deploy a client settings configuration

Create a settings configuration to configure general client settings for a group of clients.

From the Client Management menu, click Configuration Management > Settings Configurations, and click Create Settings Configuration.

To edit an existing settings configuration, click the name of the configuration, and click Edit. When you edit a configuration, you must manually redeploy it.
Enter a Name for the profile configuration.
Click Select Computer Groups, select the computer groups where you want the settings configuration to apply, and click Save.

Configure the following general client settings.

Setting Name	Description
Cache Size	The size limit, in MB, for the file cache on an endpoint. The default is 2048. For more information, see Chunk caching.
Logging Level	The level of logging on an endpoint. The following values are best practices for specific use cases: 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints. 1 (default): Use this value during normal operation. 41: Use this value during troubleshooting. 91 or higher: Use this value for full logging, for short periods of time only.
Extensions Logging Level	The level of logging for client extensions (such as the Tanium™ Client Recorder Extension and Tanium™ Index) on an endpoint. The following values are best practices for specific use cases: 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints. 11 (default): Use this value during normal operation. 41: Use this value during troubleshooting. 91 or higher: Use this value for full logging, for short periods of time only.

Setting Name

Description

Cache Size

The size limit, in MB, for the file cache on an endpoint. The default is 2048. For more information, see Chunk caching.

Logging Level

The level of logging on an endpoint. The following values are best practices for specific use cases:

0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
1 (default): Use this value during normal operation.
41: Use this value during troubleshooting.
91 or higher: Use this value for full logging, for short periods of time only.

Extensions Logging Level

The level of logging for client extensions (such as the Tanium™ Client Recorder Extension and Tanium™ Index) on an endpoint. The following values are best practices for specific use cases:

0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
11 (default): Use this value during normal operation.
41: Use this value during troubleshooting.
91 or higher: Use this value for full logging, for short periods of time only.

If you are creating a settings configuration that applies to virtual desktop infrastructure (VDI) endpoints, select Enable VDI Settings, and configure the following VDI settings. Configuring these settings on individual endpoints overrides the values configured in Platform Settings (Administration > Configuration > Settings > Advanced Settings) and can reduce resource use on VDI endpoints when you set the best practice values for VDI. For more information about tuning settings for VDI endpoints, see Tuning Tanium Client settings for VDI endpoints and other endpoints with limited resources.

Client Setting	Default Value	Best Practice Value for VDI	Explanation
RandomSensorDelayInSeconds	0	20	By default, sensors run immediately. This setting delays the execution of any sensor by a random time up to 20 seconds, which reduces concurrent execution of sensors and packages.
MaxAgeMultiplier	1	2	Each sensor has a Max Sensor Age setting that determines how long the client caches sensor results for subsequent questions that include the same sensor. This setting causes the client to multiply the maximum age configured for each sensor by 2, which doubles the time results are cached for each sensor and reduces sensor executions.
MinDistributeOverTimeInSeconds	0	60	Each action has a Distribute Over setting that randomizes the distribution of that action over the specified time. By default, no minimum applies, and some actions might be configured for immediate distribution. This setting forces all actions to distribute over at least 1 minute.
SaveClientStateIntervalInSeconds	300	1800	By default, the client state is written to disk every 5 minutes. This setting increases the time to 30 minutes to reduce disk writes.

Click Save.
To deploy the settings configuration to the selected computer groups, click Actions in the row for the configuration, and select Deploy.

Create and deploy an Index configuration

Create an Index configuration to configure Index exclusions and blockout windows for a group of endpoints.

An Index exclusion keeps files and paths that match a regular expression out of file system indexes on endpoints. Excluding unnecessary files from indexing can reduce resource use. For example, consider creating an exclusion if you have an application that writes to a temp file. With an exclusion, the temp file is not indexed and hashed every time it changes.

An Index blockout window prevents Index from indexing and hashing during certain times when endpoints are normally in use, to reduce resource use.

For more information about Index, see Tanium Client Index Extension User Guide.

Index exclusions that you define in Client Management apply globally to all Tanium solutions that use Index, such as Integrity Monitor, Reveal, and Threat Response. Exclusions that you add in other solutions are not visible in Client Management; make sure to view the exclusions in each solution to understand the full list of exclusions that apply for that solution. Furthermore, exclusions defined in Threat Response also apply globally. To remove a global exclusion, it must not remain in either an Index configuration in Client Management or Index exclusions in Threat Response.

Create Index exclusions

First, create a set of Index exclusions that can be reused across multiple Index configurations.

From the Client Management menu, click Configuration Management > Index Exclusions, and click Create Index Exclusion.
Enter a Name for the exclusion.
Select the Operating System where the exclusion applies.
Enter a Regular Expression that identifies the files or paths to be excluded.

For example, to exclude the Windows paging file, swap file, and hibernation file, enter the following regular expression:

\\(pagefile|swapfile|hiberfil)\.sys
Click Save.

Create an Index configuration

From the Client Management menu, click Configuration Management > Settings Configurations, and click Create Index Configuration.

To edit an existing settings configuration, click the name of the configuration, and click Edit. When you edit a configuration, you must manually redeploy it.
Enter a Name for the profile configuration.
Click Select Computer Groups, select the computer groups where you want the settings configuration to apply, and click Save.
In the Index and Hashing Blockout Windows section, configure the times during which you don't want to index and hash files on endpoints.
- Select how the configured times apply on each endpoint:
  - Local Endpoint Time: The configured times apply to each endpoint based on the local time configured on that endpoint. The configured windows occur according to each time zone.
  - UTC: The configured times represent Coordinated Universal Time (UTC). The configured windows occur at the same time on all endpoints according to UTC and regardless of time zones.
- Configure the days and times for blockout windows:
  - (Optional) Click Add Business Hours to add the typical business hours, which you can then edit.
  - Click Add Custom Window to configure days and times for a blockout window.
Click Select Exclusions, select the Index exclusions to apply to this configuration, and click Confirm.
Click Save.
To deploy the Index configuration to the selected computer groups, click Actions in the row for the configuration, and select Deploy.

Prioritize configurations

The order of the configurations in each list determines the priority of each configuration. If multiple configurations target an endpoint, the configuration with the highest priority takes effect on the endpoint. You can reorder the list to adjust the priority of each configuration.

From the Client Management menu, click Configuration Management > Settings Configurations or Configuration Management > Index Configurations, and click Prioritize.
Drag the configurations in the list to reorder them according to priority, and then click Prioritize.