Manage sensor string growth
You can mitigate the impact that question results have on Tanium Server memory and disk usage by setting age limits on the answer strings that the server stores for individual sensors.
To configure sensors so that they generate fewer unique strings and therefore consume less memory and disk space, see the KB article: Best practices for writing sensors.
The Tanium Server stores strings in the <Tanium_Server>/strings folder and loads the strings into memory (the string cache) when it uses them. To prevent string growth from consuming too much space, the server clears a portion of the strings for all sensors when the total strings exceed a default threshold. However, the default string-cleaning settings do not distinguish among sensors in terms of how likely they are to generate strings that are unique and that are used only once. This matters because unique strings consume more space and clearing single-use strings has less impact on server processing and traffic (the Tanium Server does not have to reissue questions to regenerate the strings for future use). For example, the Detect Primary Alerts sensor often generates many unique, single-use strings. To account for these factors, Tanium Server 7.3.314.4101 or later enables you to use the Tanium Console to configure string cleaning for individual sensors based on a Maximum String Age. The server bases string ages on when it last used the strings or received them from Tanium Clients and discards strings that exceed the maximum.
The following procedure describes how to determine which sensors are producing the most string growth and to set the Maximum String Age for those sensors. For most sensors that require a limit, use the default maximum of seven days as a best practice. Setting a lower maximum is required only in rare cases, such as for sensors that produce results containing date or time stamps. The best practice is to avoid including date and time stamps in string results when writing a sensor, because they tend to result in unusually large string growth. However, if such sensors are necessary, you can set the maximum as low as one day for sensors that use date stamps and as low as six hours for sensors that use time stamps. Consult a Tanium Technical Account Manager (TAM) if you are considering setting the Maximum String Age to lower than six hours; only exceptional cases require such limits.
Install the Tanium™ Health Check module if it is not already installed. For details, see Tanium Health Check User Guide: Installing Health Check.
- Access the Tanium Console and go to Tanium Services > Health Check.
- Under Manual Report Generation, click Run TPAN Report Now.
- Under Reports click the HTML link for the Full Report that you just ran.
- At the top of the report, select Environmental Details > String Details.
- Review the grids that list the top sensors by string count and memory usage to determine which sensors produce the most string growth.
- Return to the Tanium Console and go to Content > Sensors. Perform the remaining steps for each sensor that you determine requires a string age limit.
- Select the sensor and click Edit.
- Enable and set the Max String Age.
For almost all sensors, setting the Max String Age will reduce string growth to a manageable level and setting the Max Strings (string count limit) is unnecessary. In extreme cases that might require a string count limit for individual sensors, consult your TAM before setting the Max Strings.
- Save your changes.
- Over the next two days, repeat the steps to run a TPAN report and verify that string counts and memory usage are reduced as expected for the sensors that have string limits. If necessary, set a lower Max String Age for sensors that still produce too much string growth.
Last updated: 11/12/2019 3:19 PM | Feedback