Command-line interface

Tanium as a Service does not support a command-line interface.

In Tanium Core Platform 7.1.314.2924 or later, you can configure platform server settings through a command-line interface (CLI). Version 7.3.314.3431 or later is required to use the CLI for configuring platform settings.

Contact Tanium Support for guidance ([email protected]) before you create, edit, or delete platform settings.

Tanium Appliance

For Tanium Appliance deployments, you can use the TanOS menu to read and write the configuration. In rare cases, you might be granted shell access to troubleshoot an issue. The CLI programs are installed in the following locations.

 Table 1: CLI directories for Appliance deployment
Component CLI program location
Tanium Server /opt/Tanium/TaniumServer/TaniumServer
Module Server /opt/Tanium/TaniumModuleServer/TaniumModuleServer
Zone Server /opt/Tanium/TaniumZoneServer/ZoneServer
TDownloader /opt/Tanium/TaniumServer/TaniumTDownloader

For details about the TanOS CLI, see Tanium Appliance Deployment Guide: TanOS command line interface.


For Windows deployments, the Windows Registry is still the canonical source of configuration. You can use the CLI if you need to get or set the configuration using a program.

 Table 2: CLI directories for Windows deployment
Component CLI program location
Tanium Server Program Files\Tanium\TaniumReceiver.exe
Module Server Program Files\Tanium\TaniumModuleServer.exe
Zone Server Program Files (x86)\Tanium\Tanium Zone Server\TaniumZoneServer.exe
TDownloader Program Files\Tanium\Tanium Server\TDownloader.exe
Program Files\Tanium\Tanium Module Server\TDownloader.exe

If necessary, elevate permissions to open the command prompt as administrator.


The following examples show how to use the CLI.

Display help

TaniumReceiver --help
Usage: TaniumReceiver [options] <command> [<args>]

General Options:
  -h [ --help ]         Print this help message
  -v [ --version ]      Print the version
  --verbose             Verbose output

Service Options:
  -i                    Install the service
  -u                    Uninstall the service
  -s                    Start the service
  -e                    Stop the service

Internal Tanium Options - DO NOT USE:
  -d                    Run without daemonizing

  config                Manage configuration
  database              Manages a database
  global-settings       Manages global settings
  license               Manages Deployment License
  pki                   Manages PKI
  python-auth-plugin    Run a python authentication plugin - DO NOT USE
  server-registrations  Manages server registration requests
  test-hsm				Test an HSM configuration
  trust-module-certs    Add trusted Module Server certificates

For help on a specific command run `TaniumReceiver COMMAND -h`

Display config help

cmd-prompt>TaniumReceiver config --help
Usage: TaniumReceiver config <action> [<key>] [<value>]

  config list                         List all keys and non-protected values
  config list-protected               List all keys and values
  config get <key>                    Print non-protected config value
  config get-protected <key>          Print config value
  config set <key> <value>            Set config value and try to guess type
  config set-string <key> <value>     Set string value
  config set-protected <key> <value>  Set protected string value
  config set-number <key> <value>     Set numeric value (in decimal or hex notation)
  config remove <key>                 Remove config value

Example: List configuration settings

When displaying the current settings, note that the CLI output displays (protected) instead of the actual value for settings that are designated as protected, which means they are sensitive in the security sense.

cmd-prompt>TaniumReceiver config list
  - AddressMask: 16777215
  - ConsoleSettingsJSON: C:\Program Files\Tanium\Tanium Server\http\config\console.json
  - DBUserDomain: tam.local
  - DBUserName: taniumsvc
  - LogPath: C:\Program Files\Tanium\Tanium Server\Logs
  - LogVerbosityLevel: 1
  - Logs:
    - Logs.MiniDumpMessages:
      - Logs.MiniDumpMessages.FilterRegex: .*Begin MiniDumper.*
      - Logs.MiniDumpMessages.LogVerbosityLevel: 1
  - ModuleServer: tms1.tam.local,TMS1.tam.local:17477
  - ModuleServerPort: 17477
  - PGDLLPath: C:\Program Files\Tanium\Tanium Server\postgres\bin
  - PKIDatabasePassword: (protected)
  - PGRoot: C:\Program Files\Tanium\Tanium Server\postgres
  - Path: C:\Program Files\Tanium\Tanium Server
  - ProxyPassword: (protected)
  - ProxyPort: 
  - ProxyServer: 
  - ProxyType: NONE
  - ProxyUserid: 
  - SQLConnectionString: postgres:[email protected]=postgres port=5432
  - ServerName:
  - ServerPort: 17472
  - ServerSOAPPort: 443
  - TrustedCertPath: C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt
  - TrustedHostList: ts1.tam.local
  - TrustedModuleServerCertsPath: C:\Program Files\Tanium\Tanium Server\trusted-module-servers.crt
  - Version: 7.3.314.4283

Example: Set configuration values

cmd-prompt>TaniumReceiver config set BypassProxyHostList,,localhost,,,10.10.10
cmd-prompt>TaniumReceiver config get BypassProxyHostList,,localhost,,,

Example: Set configuration values

cmd-prompt>TDownloader config set ProxyServer
cmd-prompt>TDownloader config get ProxyServer

Example: Register the Module Server with the Tanium Server

On the Module Server host computer, use the CLI to register with a Tanium Server. Specify a Tanium Console administrator user name and password.

Registration involves copying files between the Module Server and the Tanium Server. Both servers must be reachable when you issue the registration command or the command fails.

After registering the Module Server, you must restart the services for the Tanium Module Server and all Tanium modules and shared services. On the Module Server, open the Windows Services application and, for each service, right-click the service name and select Restart.

cmd-prompt>TaniumModuleServer register -h
Usage: TaniumModuleServer register <server> [opts]

  --server arg                    Tanium Server hostname (optionally including
  --address arg (=TMS1.tam.local) DNS name or IP that the Tanium Server should
                                  use to connect to this Module Server
  --timeout arg (=120)            Registration timeout in seconds
  --user arg                      Administrator username
  --pass arg                      Administrator password (leave blank for
                                  interactive prompt)
  --pass-file arg                 Administrator password protected file
  --trusted-fingerprint arg       Trust the given server certificate
  --json-out arg                  JSON file to output results to

cmd-prompt>TaniumModuleServer register ts2.tam.local
Enter administrator username: TaniumAdmin

Enter password for user 'TaniumAdmin':
Successfully completed registration.

If the Tanium Console has been configured to use a non-standard port, you must specify the port number, as shown in the following example.

cmd-prompt>TaniumModuleServer register ts2.tam.local:8443
Enter administrator username: TaniumAdmin

Enter password for user 'TaniumAdmin':
Successfully completed registration.


If the Tanium Console is not listening on 443 and you do not specify the port in the registration command, the registration results in failure with the message:

Failed to register module server. Failed to authenticate for registration. SSLClientConnection has failed to complete request.

Example: Configure global settings

cmd-prompt>TaniumReceiver global-settings -h
Usage: TaniumReceiver global-settings list|list-all|get|set|set-string|set-numbe

  -c [ --command ] arg  Command to run:
                            get <setting>
                            set <setting> <value>
                            set-string <setting> <value>
                            set-number <setting> <value>
                            set-flags <setting> [public|hidden|read-only|server...]
                            unset-flags <setting> [public|hidden|read-only|server ...]
                            remove <setting>

cmd-prompt>TaniumReceiver global-settings set ReportingTLSMode 0

Example: Add an admin user

cmd-prompt>TaniumReceiver database -h
Usage: TaniumReceiver database create|upgrade|create-admin-user

  -c [ --command ] arg  Command to run:
                            create-admin-user [username] [domain]
			     sqlserver2postgre outputfile

cmd-prompt>TaniumReceiver database create-admin-user admin-recover tam.local