This documentation includes content for releases that might not be available on-premises. For the latest on-premises Performance documentation, see the PDF version of Tanium™ Performance User Guide version 1.13.245.
Reference: Event Rules
Use event rules to specify the heuristic parameters for which the targeted endpoints report performance events.
You can configure these event rules:
Profiles and the event rules that they contain do not determine what data is collected on endpoints. The same data is monitored on all endpoints that a profile targets. Profiles determine which conditions on the endpoint generate a negative performance event.
After you add an event rule to a profile, select and configure the heuristics that you want to monitor.
Application Crashes
You can monitor this event rule on Windows and macOS endpoints.
This event rule monitors the Windows Event Log for targeted Windows endpoints and DiagnosticsReports for targeted macOS endpoints. An event occurs if an application crashes.
Available Memory
You can monitor this event rule on Windows, macOS, and Linux endpoints.
You can create event rules for available memory by MB, percentage of total memory, or both.
Available Memory is a measurement of the amount of memory available to be immediately allocated to programs. Paging occurs when an endpoint runs low on available memory, which puts a load on disks and might result in workstation slowdowns or hangs. Monitor available memory to detect when programs might not have enough available memory to run without paging.
In the Duration field, specify the amount of time that the specified conditions must be present to trigger a performance event.
CPU Critical
The CPU Critical event rule contains three heuristics:
- CPU Utilization and Kernel Time monitoring is supported Windows, macOS, and Linux endpoints. With this heuristic, you can monitor:
- CPU Utilization: Monitor CPU utilization to detect CPU contention.
- Kernel Time: Monitor kernel time to detect when the CPU is spending too much time on kernel mode operations.
CPUs operate in two modes: kernel mode and user mode. Kernel mode is typically used for core operating system functions, I/O, and filter driver operations. If the CPU on an endpoint spends the majority of time on kernel mode operations, little CPU time is available for user mode operations, which might cause a negative performance condition.
- DPC time monitoring is supported only for Windows endpoints.
If you configure an event rule for DPC time, processor DPC for targeted endpoints is monitored. Specify the highest DPC time that is allowed on an endpoint before a performance event occurs. An unusually high amount of time spent on deferred procedure calls on an endpoint could indicate a processor bottleneck or driver problem.
- Load Average monitoring is supported only for macOS and Linux endpoints.
If you configure an event rule for Load Average, the load average for targeted endpoints is monitored. Specify the load average that is allowed on an endpoint before a performance event occurs.
The load average is an exponential average of the number of processes in a running or waiting state. This metric is a standard UNIX method for detecting CPU contention. This rule monitors the 15 minute load average for the CPU. If the load average is equal to the number of cores on an endpoint, the CPU usage is at its maximum capacity.
In the Duration field, specify the amount of time that the specified conditions must be present to trigger a performance event.
Disk Capacity
You can monitor this event rule on Windows, macOS, and Linux endpoints.
You can create an event rule for free disk space by MB, percentage of total disk capacity, or both.
Disk capacity is a measurement of the free space on the disk. When disks run low on space, fragmentation increases. Fragmented disks contribute to slow response times.
Disk Latency
You can monitor this event rule on Windows, macOS, and Linux endpoints.
You can create event rules for Read Latency, Write Latency, or both.
Disk latency is a measurement of the average amount of time that a disk operation (read or write) takes to complete. Acceptable values vary by drive.
In the Duration field, specify the amount of time that the specified conditions must be present to trigger a performance event.
System Crashes
You can monitor this event rule only on Windows endpoints.
This event rule monitors the Windows System and Event Logs for targeted endpoints. An event occurs if the system crashes.
Last updated: 3/27/2023 3:32 PM | Feedback