Configuring recorded events

The Client Recorder extension collects data from different sources depending on the operating system of the endpoint. For more information on the sources of event data for each operating system, see Sources of Client Recorder extension data. Each data source provides event information into a queue in a generic format. The Client Recorder extension then converts the generic events into a format that can be written to a database or other data stream. If necessary, the Tanium Client can manage resources.

Configure the events that the Client Recorder extension records by defining a subscription. Every subscription registered to the Client Recorder extension is saved in the recorder directory as a json file. Beginning with Client Recorder extension 2.2, if the subscription contains any signals Intel, this JSON file is encrypted.

There are several types of subscriptions, such as subscriptions for databases and journals. A subscription has a name, a target domain and an array of streams. The stream configures the types of events that you want to record. For example, a database subscription has an array of event_filters that define which types of events the Client Recorder extension writes to a database. Each event_filter has an array of terms. The terms are joined by a logical AND; for example, process and process.path contains not 'C:\Program Files' to include all process paths with the exception of those that are in C:\Program Files. All event_filters are joined by a logical OR; for example, process and (process.path contains not 'C:\Program Files' and process.path contains not 'C:\Windows' and process.path contains not 'C:\Users').

The following match criteria are supported by the Client Recorder extension:

process.path

process.cmd

process.hash

process.user_name

process.user_group

process.parent_path

process.parent_cmd

process.ancestry_path

process.ancestry_cmd

process.ancestry_hash

process.ancestry_user_name

process.ancestry_user_group

registry.name

registry.value

file.path

file.operation

network.addr

network.port

dns.query

image.path

image.hash

security_event.id

When the conditions that you have configured the Client Recorder extension with are met, storable events are committed to the database (for a database subscription) or other data stream. The output format for a database subscription is a SQLlite database named recorder.db.

When you update a recorder subscription and register it with the Client Recorder Extension, the recorded events are updated without restarting the Client Recorder Extension. For more information, see Client Recorder Extension commands.

Modules that use the Client Recorder Extension provide a default configuration that is registered with the Client Recorder Extension when you install them.

Changing configuration settings can have serious, and sometimes irrevocable consequences.

Global configurations

The auditctl --backlog_wait_time 0 is added to all Linux configurations. On newer kernels (> 3.14) the backlog_wait_time setting can cause a kernel panic. Setting this value to zero by default is a preventative measure to mitigate unstable kernel performance.

Client Recorder Extension configuration settings

To understand how to apply Client Recorder Extension configuration settings, refer to any “Recorder” packages installed alongside the Client Recorder Extension. These packages demonstrate how to provide commands. For example ‘Recorder - Clear Subscriptions [Windows]’ demonstrates the use of the recorder command ‘recorder.uninstall’.

CX.recorder.AudispdMaxRestarts

Minimum audispd max restarts.

Default value: 10

CX.recorder.AudispdMaxRestartsWrite

Allow the recorder to use the value set in AudispdMaxRestarts to update audispd.conf

Default value: 0

CX.recorder.AudispdOverflowAction

audispd overflow action.

CX.recorder.AudispdOverflowActionWrite

Allow the recorder to use the value set in AudispdOverflowAction to update audispd.conf

Default value: 0

CX.recorder.AudispdPriorityBoost

Minimum audispd priority_boost.

Default value: 4

CX.recorder.AudispdPriorityBoostWrite

Allow the recorder to use the value set in AudispdPriorityBoost to update audispd.conf

Default value: 0

CX.recorder.AudispdQueueDepth

Minimum audispd q_depth.

Default value: 32768

CX.recorder.AudispdQueueDepthWrite

Allow the recorder to use the value set in AudispdQueueDepth to update audispd.conf

Default value: 1

CX.recorder.AuditDMaxWatchedPaths

Maximum number of individual paths watched before giving up and watching root.

Default value: 50

CX.recorder.AuditdDisableKernelPanicProtection

Allow recorder to run when auditd is in panic failure mode.

Default value: 0

CX.recorder.AuditdEnableAudispdFallback

Allow getting events from audispd/TaniumAuditPipe. Run the Recorder - Set Recorder Extension Setting [Linux] package to enable this setting.

Default value: 1

CX.recorder.AuditdEnableAuditd

The Client Recorder Extension connects to auditd by default. Disabling this setting results in the inability to record security events.

Default value: 1

CX.recorder.AuditdEnableAuditdConfMigration

Allow automatic migration of older auditd configs that prevent auditd from working properly with the recorder

Default value: 1

CX.recorder.AuditdEnableForkTracking

Enable/Disable tracking of forks

Default value: 1

CX.recorder.AuditdEnableIncomingNetwork

Enable Auditd incoming Network Monitoring. 0 is disabled

Default value: 1

CX.recorder.AuditdEnableNetlink

Enable Auditd Netlink

Default value: 1

CX.recorder.AuditdEnableOutgoingNetwork

Enable Auditd outgoing Network Monitoring. 0 is disabled

Default value: 1

CX.recorder.AuditdEnableRawLoggingRuleLoading

Enable/Disable loading of tanium rules if raw logging is detected on

Default value: 0

CX.recorder.AuditdEnableResolveLocalAddress

Enable/disable resolving local network address. 0 is disabled.

Default value: 1

CX.recorder.AuditdRawLogging

Allow recorder to update auditd.conf raw logging configuration.

AuditdRawLogging (1) = Recorder will turn ON raw logging in auditd.conf. Recorder will restart auditd if a setting is changed in auditd.conf.

AuditdRawLogging (0) = Recorder will turn OFF raw logging in auditd.conf. Recorder will restart auditd if a setting is changed in auditd.conf.

Default value: 0

CX.recorder.AuditdRawLoggingWrite

Allow Recorder to set the value that is configured in AuditdRawLogging. This must be set to 1 in order for recorder to use the value defined in AuditdRawLogging. If AuditdRawLoggingWrite is set to 0, any configuration set in AuditdRawLogging will not be used.

If another tool is being used to manage auditd.conf, these AuditdRawLoggingWrite should either be not defined or set to 0 so that Tanium Recorder does not modify auditd.conf

Default value: 0

CX.recorder.AuditdRulesBufferSize

Buffer size set in audit rules

Default value: 32768

CX.recorder.AuditdRulesDisableWatchSpecificPaths

Watch specific paths driven by subscription in auditd.

Default value: 0

CX.recorder.AuditdStopAuditdService

Stops the auditd service. For example, stops the auditd service so recorder can use the unicast or multicast netlink socket. Run the Recorder - Set Recorder Extension Setting [Linux] package to enable this setting. 

Default value: 0

CX.recorder.BPFEnableBPF

Enables eBPF as an event source on Linux endpoints. 0 is disabled

Default value: 1

CX.recorder.ConfigRefreshConfigIntervalMins

How often to forceably refresh operating system config state.

Default value: 60

CX.recorder.ConfigRefreshIntervalSecs

How often to refresh configuration updates in seconds.

Default value: 300

CX.recorder.CpuThrottleCalculateTotalSystem

Calculate CPU utilization as a function of total system capacity not a single CPU

Default value: 1

CX.recorder.CpuThrottleMaximumSampleMilliseconds

Maximum time (ms) between samples for the CPU throttle check

Default value: 5000

CX.recorder.CpuThrottleMinimumSampleMilliseconds

Minimum time (ms) between samples for the CPU throttle check

Default value: 250

CX.recorder.CpuThrottleTargetPercent

Target maximum CPU (% total system capacity) for the extensions process

Default value: 5

CX.recorder.DatabaseChunkSize

Size of chunks in MB allocated from the filesystem when the database size increases.

Default value: 100

CX.recorder.DatabaseCleanContinueIntervalMs

Database Cleaning millisecond interval between cleaning each table.

Default value: 100

CX.recorder.DatabaseCleanIntervalSecs

Interval in seconds for the amount time to wait between each database cleaning operation.

Default value: 300

CX.recorder.DatabaseMaxCleanPercent

Maximum percent of the database to clean per cleaning. (50) for 50%

Default value: 50

CX.recorder.DatabaseMaxSizeMB

Max size of the database before cleaning in MB.

Default value: 1024

CX.recorder.DatabaseMinCleanPercent

Minimum percent of the database to clean per cleaning. This will clean at least this amount each time the database is over the target size.

Default value: 5

CX.recorder.DatabaseReset

Delete database on startup this setting will reset automatically when database has been resetted.

Default value: 0

CX.recorder.DatabaseStatsUpdateSecs

Number of seconds between updating the database statistics used in metrics and cleaning.

Default value: 60

CX.recorder.DeleteLegacyDatabaseAfterDays

Time to wait since the recorder database is created before deleting legacy database

Default value: 14

CX.recorder.DeleteLegacyDatabaseFreeMB

Required free space to be available to keep legacy monitor.db around.

Default value: 1024

CX.recorder.DigestBufferSizeKB

Buffer size for Index file read and digest calculation in KB

Default value: 64

CX.recorder.DisableResourceMonitor

Disable resource monitor

Default value: 0

CX.recorder.EmitFileWriteIntervalSecs

The interval between emitting file write events for the same file handle.

Default value: 30

CX.recorder.EnableEtw

Enable Windows ETW events.

Default value: 1

CX.recorder.EnableEtwDns

Enable Windows ETW for DNS Events

Default value: 1

CX.recorder.EnableEtwFile

Enable Windows ETW for File Events

Default value: 1

CX.recorder.EnableEtwNetwork

Enable Windows ETW for Network Events

Default value: 1

CX.recorder.EnableEtwProcess

Enable Windows ETW for Process Events

Default value: 1

CX.recorder.EnableEtwRegistry

Enable Windows ETW for Registry Events

Default value: 1

CX.recorder.EnableEtwSysmon

Enable Windows ETW for Sysmon Events

Default value: 0

CX.recorder.EnableEtwTaniumDriver

Enable Windows ETW for Tanium Driver Events

Default value: 1

CX.recorder.EnableEvt

Enable Windows Eventlog events.

Default value: 1

CX.recorder.EnableKEtw

Enable Windows Kernel ETW events.

Default value: 1

CX.recorder.EnableLibraryHashing

Enabling hashing of library load events.

Default value: 1

CX.recorder.EnableMacBSM

Enable BSM on macOS.

Default value: 1

CX.recorder.EnableMacEXESigCheck

Enable checking executables for signatures on macOS.

Default value: 1

CX.recorder.EnableMacFSEvents

Enable FSEvents on macOS.

Default value: 1

CX.recorder.EnableMacKext

Enable kext load events on macOS.

Default value: 1

CX.recorder.EnableMacPKTAP

Enable PKTAP on macOS.

Default value: 1

CX.recorder.EnableMisconfiguredAuditPolicyHealthCheck

Threat Response profiles for Windows endpoints enable capturing specific sets of event IDs. Sometimes client audit policies can not be configured properly to ensure all relevant events are generated. The EnableMisconfiguredAuditPolicyHealthCheck setting provides a way to detect when this happens. By default, this setting is disabled. Clients generate a health check when this option is enabled. When viewing the logs, you may see content where a single event id might actually apply to multiple audit policy categories. It is possible in some situations to see what appears to be unrelated audit policy check failures.

Default value: 0

CX.recorder.EnableSignalSubscriptionProtection

Enable data protection for signal intel subscriptions.

Default value: 1

CX.recorder.EnableSubscriptionProtection

Enable data protection for recorder subscriptions.

Default value: 0

CX.recorder.EnableWinDLLSigCheck

Enable checking all loaded DLLs for signatures on Windows.

Default value: 1

CX.recorder.EnableWinEXESigCheck

Enable checking executables for signatures on Windows.

Default value: 1

CX.recorder.EnableWinSYSSigCheck

Enable checking loaded drivers for signatures on Windows.

Default value: 1

CX.recorder.EtwMatchingToleranceMs

The milliseconds of tolerance allowed in ETW when matching events to a process.

Default value: 100

CX.recorder.EventAssemblerTimeoutMs

Number of MS assembler will wait to complete a process context before forwarding.

Default value: 10000

CX.recorder.FSEventsIgnoreOwnEvents

Ignore Recorder-generated file events on macOS

Default value: 1

CX.recorder.FSEventsQueueSize

FSEvents queue size on macOS.

Default value: 512

CX.recorder.FSEventsUseDefaultExclusions

Ignore default nuisance paths on macOS

Default value: 1

CX.recorder.FileInfoProviderDomain

Domain of FileInfoProvider used to hash executables

CX.recorder.FileInfoProviderName

Name of FileInfoProvider used to hash executables

CX.recorder.HashCacheSize

Size of hash cache in Processor hash provider

Default value: 50

CX.recorder.HealthLogWriteIntervalMins

Interval to write health issues to logfile for polled items.

Default value: 30

CX.recorder.JournaldRawLogging

Enable/Disable systemd journald auditd socket raw logging

Default value: 0

CX.recorder.JournaldRawLoggingWrite

Allow the recorder to use the value set in JournaldRawLogging to call systemctl

Default value: 0

CX.recorder.MailboxQueryTimeoutMs

The timeout for recorder mailbox query commands.

Default value: 60000

CX.recorder.MaxHashSizeMB

Max file size in MB to hash

Default value: 32

CX.recorder.MaxMailboxItemsPerCheck

How many inbox messages to consume per work item.

Default value: 32

CX.recorder.PathReassemblyTimeoutSecs

The number of seconds the event converter will wait to assemble a path before deleting.

Default value: 300

CX.recorder.PersistenceQueueDrainIntervalMs

How often to check the queue for processed events

Default value: 150

CX.recorder.PersistenceWriteProcessIntervalSecs

How often to periodicially write the proc.bin file to disk

Default value: 600

CX.recorder.ProcessorCacheWriteIntervalSecs

Interval to write process hash and signature hash to disk in seconds

Default value: 300

CX.recorder.ProcessorCleanupIntervalSecs

How often to perform cleanups in the processor

Default value: 15

CX.recorder.ProcessorPruneAdjustmentSecs

Additional tolerance required before the processing stage prunes caches

Default value: 10

CX.recorder.ProcessorQueueDrainIntervalMs

How often to check the queue for parsed events

Default value: 10

CX.recorder.ReconfigureIntervalSeconds

How often to check for configuration changes

Default value: 60

CX.recorder.ResourceMonitorCPUPercent

Sustained CPU percentage required to suspend subscriptions

Default value: 50

CX.recorder.ResourceMonitorRetryAttempts

Number of times resource monitor can cause a temporary suspension

Default value: 0

CX.recorder.ResourceMonitorRetryBackoffTimeSecs

Time in seconds subscriptions will be temporarily suspended before reenabling

Default value: 600

CX.recorder.ResourceMonitorTrackedWindowMins

Window of time that a temporary suspension counts towards a sticky suspension

Default value: 1440

CX.recorder.SnapshotExtraSizeRequiredMB

Required extra free space to be available to perform a snapshot.

Default value: 1024

CX.recorder.SnapshotWriteIntervalMs

The interval that snapshots will write pages to the destination database.

Default value: 100

CX.recorder.SnapshotWriteSizeMB

The size of each write, in megabytes, that the snapshot will write each SnapshotWriteIntervalMs interval.

Default value: 24

CX.recorder.Stage1WorkQueueInterval

How often to pull items from the stage one worker queues in milliseconds.

Default value: 10

CX.recorder.StatusUpdateInterval

How often to update status information.

Default value: 60

CX.recorder.SyslogPluginRawLogging

Enable/Disable raw logging via the syslog auditd plugin

Default value: 0

CX.recorder.SyslogPluginRawLoggingWrite

Allow the recorder to use the value set in SyslogPluginRawLogging to update plugins.d/syslog.conf

Default value: 0

CX.recorder.VacuumIntervalDays

The number of days between each database vacuum. 0 is disabled.

The recorder forces a vacuum if the database size becomes too large to ensure that a continual vacuuming does not exist. A check to only vacuum once per day and at least 1 hr after system startup to make sure vacuum operations do not interfere with system boot.

Default value: 7

CX.recorder.EnableSingleCpuRequirement

The Client Recorder Extension does not start on endpoints with a single CPU without updating the CX.recorder.EnableSingleCpuRequirement configuration setting to 0.

Default value: 1