Monitoring applications
Application monitoring allows you to monitor the performance of key applications with real-time metrics whether endpoints are online or offline. With the continuous monitoring of specific processes, you can ensure applications are functioning properly while maintaining visibility into issues that may impact endpoints. Use the provided common applications or configure your own custom applications to monitor a wide range of process groups, including single applications, software suites, task management tools, communication platforms, or IT deployed agents.
Before you begin
- To view and configure application monitoring, your Tanium license must include Tanium Engage.
- Tanium Interact 2.15 or later is required.
- To ensure the configuration is targeting the correct processes, Tanium Performance application monitoring uses the process group name. This is because it's not always possible to derive the name of the process based on the application name. Endpoints can alter process names based on the process group configuration. See Configure application monitoring for details.
Application monitoring introduces new metric types designed to provide more granular visibility into the performance of applications. Although this monitoring should have minimal impact on endpoints, it is recommended that you begin by monitoring only a few applications and then gradually expand to more.
Configure application monitoring
- From the Performance menu, go to Application Monitoring.
- Select the Applications tab.
- Click the Add Application button.
- In the Definition section, configure the following:
  - Common Applications - Select from the provided list of applications. When you select an application, the Name and Processes fields are automatically populated with data.
    - Name - The name of the selected application appears here.
    - Processes - This is the process group name for the selected application. Click the Add Process button to manually add another process group name to the list for this application.
      The process group name is case sensitive.
  - Custom - Select Custom from the list of applications to configure your own applications.
    - Enter a Name for the application.
    - Enter one or more process groups in the Processes section. The process group name is case sensitive.
  Enter a Name that matches the name found by the Installed Applications sensor. The Installed Applications sensor uses this name to match the application to its version number. If the name of the application and the Installed Applications sensor results don't match, the application version column in the report remains empty.
  You cannot change the name of a monitored application once it has been enabled. You can update the processes associated with the application and toggle monitoring to enable and disable monitoring, but you cannot change the name. Changing the name could cause inconsistencies in the metrics.
  If you're unsure of the process group name, use Tanium Direct Connect to find the name of the process group running on the endpoint. You may need to unhide the Process Group Name column.
  By default, you cannot configure more than 30 monitored applications. It is recommended that you do not change this limit; however, it is configurable in Performance Settings, with an upper limit of 100.
- Leave the Enable Monitoring check box selected to initiate monitoring when profiles are deployed. Clear the check box to save the configuration but begin monitoring at a later time. You can enable or disable monitoring at any time by selecting the Edit button for the application in the list view and toggling the Enable Monitoring check box.
- Click Add.
Configuration changes do not take effect until profiles are deployed to targeted endpoints. Click Deploy All Profiles when the message appears on the Application Monitoring page or go to Performance > Profiles.
When you delete or disable an application, historical data for that application's processes will continue to appear in the charts for a period of time.
View the monitoring applications dashboard
The Application Monitoring Dashboard tab contains charts with metrics in a visual format for monitored applications. You can filter the charts by Computer Groups, Applications, and Timeframe.
See the Reference section for information on how metrics are collected and calculated.
- From the Main menu, go to Performance > Monitored Applications.
- In the Dashboard tab, view the following charts:
Applications with Most Crashes
This chart provides information about applications on endpoints in the defined computer groups that reported the most crashes. Data displayed here represents the last recorded data point for the selected timeframe. Click on an application in the list to go to another view with more details on that application. If there have been no application crashes, this chart displays a zero.
Total Daily Application Crashes Over Time
This graph illustrates the number of crashes listed by date. Data displayed here represents all available data points for the selected timeframe. Hover over a date to see the list of applications that crashed. Click on an application to go to another view with more details on that application.
Applications with Highest CPU Usage
This chart provides information about applications on endpoints in the defined computer groups that reported the most CPU usage (percent utilization, out of 100). Data displayed here represents the last recorded data point for the selected timeframe. Click on an application in the list or hover over a bar in the chart and click to go to another view with more details on that application.
Average Daily CPU Usage Over Time
This graph illustrates the percentage of CPU usage by date (percent utilization, out of 100). Hover over a date to see the list of applications sorted by CPU usage. Data displayed here represents all available data points for the selected timeframe. Click on an application to go to another view with more details on that application.
Applications with Highest Memory Usage
This chart provides information about applications on endpoints in the defined computer groups that reported the most memory usage (percent utilization, out of 100). Data displayed here represents the last recorded data point for the selected timeframe. Click on an application in the list or hover over a bar in the chart and click to go to another view with more details on that application.
Average Daily Memory Usage Over Time
This graph illustrates the percentage of memory usage by date (percent utilization, out of 100). Data displayed here represents all available data points for the selected timeframe. Hover over a date to see the list of applications sorted by memory usage. Click on an application to go to another view with more details on that application.
- When viewing the application monitoring charts, the following options are available:
- In the header of the section, select a Computer Group, Application, and Timeframe to apply to all charts in the section. Note that in the bar charts, only the state at the end of the selected timeframe is shown. Also note that some charts might not contain data for the selected filters.
- Chart data automatically refreshes every two minutes when the browser tab is open.
- Click the name of a chart to open the report that supplies the data to the chart. For available options when viewing a report, see Tanium Reporting user guide: View reports.
- Click any data point on a chart to view the data in a report.
View metrics by application
- From the Main menu, go to Performance > Monitored Applications.
- In the Dashboard tab, click on an application that appears in any of the charts to view more in-depth details. The following tabs are available in the application details view:
Empty cells in a report indicate that the application being monitored has not run on the endpoint.
Dashboard
The same charts available for all monitored applications are available for the selected application. You can filter by Computer Groups and Timeframe.
Report - Crashes
View a table of application crashes with data listed by Computer Name, Performance Score, Daily Application Crashes, Criticality, OS Platform, and Model. Click the Customize columns icon to select additional columns to be included. For information about criticality levels, see Tanium Criticality User Guide: Criticality overview. Click the Export icon to export data to a CSV file.
Report - CPU usage
View a table of CPU usage with data listed by Computer Name, Performance Score, Average Daily CPU, CPU Details-Total Logical Processors, Criticality, OS Platform, and Model. Click the Customize columns icon to select additional columns to be included. For information about criticality levels, see Tanium Criticality User Guide: Criticality overview. Click the Export icon to export data to a CSV file.
Report - Memory Usage
View a table of memory usage with data listed by Computer Name, Performance Score, Average Daily Memory, Total Memory, RAM Max Capacity, RAM Slots Used and Unused, Criticality, OS Platform, and Model. Click the Customize columns icon to select additional columns to be included. For information about criticality levels, see Tanium Criticality User Guide: Criticality overview. Click the Export icon to export data to a CSV file.
Configuration
View a summary of the application configuration, including monitored processes and monitoring dates.
Use report controls
The tabs that contain reports use filters and controls found in reports throughout Tanium. For available options when viewing a report, see Tanium Reporting user guide: View reports. Use the search, filter, and sort controls to quickly find information in the table.
- Enter a value in the Filter items field to show rows with matching text in any column.
- Filter by Endpoints Last Seen within a specified time frame.
- To add advanced filters, expand Filters and then add individual or groups of filters. You can then add filters in rows and groups.
- To add an individual filter, click + Row, select a source, operator, and value that endpoints must match, and then click Apply.
- To add related filters, click + Grouping. For each filter, select a source, operator, and value that endpoints must match, and then click Apply. Select this option to nest a Boolean operator and then add rows or more groups to build the nested expression.
- To filter the report by a particular cell, hover over the cell, click Options, and click Filter by value.
- To copy the contents of a single cell, hover over the cell, click Options, and click Copy Cell Value.
Reference
This section is intended to provide an overview of how application metrics are collected and calculated.
Application monitoring and metrics collection begin when the configuration is received by the endpoint. Metrics cannot be collected retroactively.
For application monitoring, the endpoint collects CPU and memory metrics for all processes (grouped by process group) every 15 seconds and stores those in the Time Series Database (TSDB). Then every 5 minutes, averages for CPU and memory for each monitored application are collected by aggregating the stored values found in the TSDB.
The following metrics are calculated as described below:
- Application crashes - Every 5 minutes the Tanium Client checks the count of crashes that occurred for an application counted back to midnight UTC. This count includes zeros. Note that a value of zero application crashes does not imply that an application has run on the endpoint.
- CPU usage - Every 5 minutes the Tanium Client calculates the average CPU usage rate for an application back to midnight UTC in 60 second blocks. This rate excludes zeros, and therefore if there are spans of time without application usage, that will not cause the average to approach zero.
- Memory usage - Every 5 minutes the Tanium Client checks the resident memory usage for an application back to midnight UTC in 60 second blocks. This rate excludes zeros, and therefore if there are spans of time without application usage, that will not cause the average to approach zero.
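The effect of excluding zeros from the CPU and memory averages, as an added Python example (not Tanium code). It assumes that 15-second samples are averaged into 60-second blocks and that blocks averaging zero are dropped, which the page does not spell out; the function names and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean

BLOCK_SECONDS = 60  # block size stated in the Reference section

def block_means(samples, now):
    """Average 15-second (timestamp, percent) samples into 60-second blocks
    counted from midnight UTC of the day `now` falls in."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    blocks = {}
    for ts, pct in samples:
        if midnight <= ts <= now:
            index = int((ts - midnight).total_seconds()) // BLOCK_SECONDS
            blocks.setdefault(index, []).append(pct)
    return {index: mean(vals) for index, vals in blocks.items()}

def daily_average(samples, now, exclude_zeros=True):
    """Daily average over blocks. With exclude_zeros, idle blocks are dropped;
    otherwise every elapsed block counts, idle or missing ones as 0."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    blocks = block_means(samples, now)
    if exclude_zeros:
        values = [v for v in blocks.values() if v > 0]
    else:
        elapsed = int((now - midnight).total_seconds()) // BLOCK_SECONDS
        values = [blocks.get(i, 0.0) for i in range(elapsed)]
    # None stands for "no usage recorded today" (an assumption of this sketch).
    return mean(values) if values else None

# Constructed sample data: the application runs 09:00-10:00 UTC at 40% CPU,
# then sits idle (explicit 0.0 samples) for the next ten minutes.
DAY = datetime(2023, 9, 26, tzinfo=timezone.utc)
NOW = DAY + timedelta(hours=12)
SAMPLES = [(DAY + timedelta(hours=9, seconds=15 * i), 40.0) for i in range(240)]
SAMPLES += [(DAY + timedelta(hours=10, seconds=15 * i), 0.0) for i in range(40)]

if __name__ == "__main__":
    print("zeros excluded:", daily_average(SAMPLES, NOW))
    print("zeros included:", round(daily_average(SAMPLES, NOW, False), 2))
```

With the constructed data, the zero-excluding average is 40.0 while the average over all elapsed blocks is about 3.33, so a high daily value describes the application while it runs, not its share of the whole day.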
For reporting, TDS harvests performance application health data every 30 minutes. The data in TDS is reflected in the reports. Graphs that display time series data are updated once a day. Bar charts that use TDS directly update along with the reporting information.
Last updated: 9/26/2023 3:05 PM