Installing Trace

Installing Trace is a two-part process.

  1. Import and configure the Trace Module into the Tanium Module Server.
  2. Push Trace packages to the endpoints. You can optionally configure access control to the Trace module.

Note: The procedures and screen captures that are in the documentation are for Version 7 and later. Version 6 procedures and screens might vary.

Set up Trace

To use Trace, you must first import the module, then determine which computer groups should have Trace installed on their endpoints.

Before you begin

Exempt the Trace executables from "on-access" scans as defined in the Tanium Knowledge Base: Security Exemptions article.

Import the Trace Module

Install Tanium Trace by importing it from the Tanium Console.

You must be assigned the Administrator reserved role to import a Tanium solution module or content pack.

  1. From the Main menu, click Tanium Solutions.
  2. Under Trace, click Import.
    A progress bar displays as the installation package is downloaded.
  3. Click Continue.
    The Import Solution window opens with a list of all the changes and import options.
  4. Initiate the import.
  5. Enter your password to confirm the installation.
  6. To confirm the installation, return to the Tanium Solutions page and check the Installed version for Trace.

    If you do not see the Trace module in the console, refresh your browser.

Add computer groups to Trace Setup action group

When you import the Trace module, it automatically creates an action group named Trace Setup. You must select the computer groups that are included in the Trace Setup group.

  1. From the Main menu, go to Actions > Scheduled Actions.
  2. In the Action Groups pane, select Trace Setup and click Edit.
  3. Make selections in the Computer Groups section.
  4. Select an operand from the Combine groups using drop-down menu.
  5. (Optional) Review the included machines in the All machines currently included in this action group section.

    This grid might take a few moments to populate when you change selections.

  6. Click Save.
  7. Enter your password to confirm the changes.

Configure cipher suites

You can optionally configure the default cipher suites for Trace and Trace Zone Proxy. By default, only ciphers that are specific to TLS 1.2 are enabled. If you need to further customize the cipher suite, you can modify the service command line.

To add or remove ciphers for Trace on Windows, modify the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tanium Trace\Parameters\AppParameters registry key to edit the --tls-cipher-list value in OpenSSL cipher list format, and then restart the service. For more information about the cipher list format, see OpenSSL: Cipher List Format.
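The following PowerShell script is an added example, not part of the Tanium documentation: it restricts the Trace service to a short list of forward-secret TLS 1.2 AEAD suites, keeps a backup of the previous value, and restarts the service. It assumes that AppParameters is a REG_SZ value under the Parameters key holding the service command line, that the argument is written as --tls-cipher-list=<list>, and that the cipher list itself is a constructed example.

```powershell
# Added example (not from the Tanium documentation): restrict the Trace service
# to a small set of TLS 1.2 AEAD cipher suites and restart the service.
# Assumption: AppParameters is a REG_SZ value under the Parameters key that holds
# the service command-line arguments, possibly including --tls-cipher-list.
#Requires -RunAsAdministrator

$ServiceName = 'Tanium Trace'
$ParamsKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"

# Constructed cipher list in OpenSSL cipher list format: ECDHE key exchange
# (forward secrecy) with AEAD ciphers only. RC4, 3DES, CBC and static-RSA
# suites are simply not named, so they are never offered.
$CipherList = 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:' +
              'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'

$current = (Get-ItemProperty -Path $ParamsKey -Name AppParameters).AppParameters
Write-Host "Current command line: $current"

# Back up the original value so the change can be rolled back if the
# service fails to start or a peer cannot negotiate one of the suites.
$backup = Join-Path $env:ProgramData ('TraceAppParameters-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
Set-Content -Path $backup -Value $current
Write-Host "Previous value saved to $backup"

# Replace an existing --tls-cipher-list argument (quoted or bare, '=' or
# space separated) or append one if the command line has none.
$pattern = '--tls-cipher-list(?:=|\s+)(?:"[^"]*"|\S+)'
$arg     = "--tls-cipher-list=`"$CipherList`""
if ($current -match $pattern) {
    $updated = [regex]::Replace($current, $pattern, $arg)
} else {
    $updated = "$current $arg"
}

Set-ItemProperty -Path $ParamsKey -Name AppParameters -Value $updated
Restart-Service -Name $ServiceName

# Verify what was written and that the service came back up.
$after = (Get-ItemProperty -Path $ParamsKey -Name AppParameters).AppParameters
Write-Host "New command line: $after"
Get-Service -Name $ServiceName | Select-Object Name, Status
```

Run it on one endpoint first and confirm that Trace connections still succeed before rolling the change out, since any peer that cannot negotiate one of the listed suites will fail its handshake.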

Install Trace on endpoints

Trace deploys packages along with the Microsoft Sysmon tool to gather the endpoint information that is aggregated into Trace.

Before you begin

For Linux endpoints, you must:

  • Install the most recent stable version of the audit daemon and audispd-plugins before initializing endpoints. See the specific operating system documentation for instructions.
  • Be aware that when auditd runs in immutable mode (-e 2), the Linux event recorder adds the Tanium audit rules in front of the immutable flag. When the -e 2 flag is in use, the endpoint must be restarted after the recorder is enabled.


Configure Sysmon

(Optional) For Windows 7 and Windows Server 2008 R2 endpoints, Sysmon is required for recording process hash and command-line information. Sysmon is not required to capture this information for newer Windows versions. For more information, see Trace recorder features.

  1. Go to technet.microsoft.com/en-us/sysinternals/sysmon and download the sysmon.zip file to your local computer.

    Review the Microsoft Software License Terms before you upload Sysmon in Trace.

  2. From the Trace home page, go to the Configure Trace section. Click the Configure Sysmon tab, and click Configure Sysmon.

    If the Configure Trace section is not visible in the Trace home page, click Manage Home Page, select Configure Trace, and click Save.

  3. Select how you want Trace to use Sysmon.

    If you use Trace to deploy Sysmon, you must download the sysmon.zip file to your local computer.

    • Only add Sysmon to the endpoints that require it.
    • Add Sysmon to all endpoints, even if some endpoints cannot use it.
    • Do not use Trace to deploy Sysmon. Only the endpoints with Sysmon already installed can process hash and command-line information.
  4. Browse to the sysmon.zip file and click Upload.
  5. Click OK.

If Sysmon was already installed on the endpoint, you can opt in to using Sysmon with Trace. However, if you later opt out of using Sysmon, the previously installed Sysmon version is removed from the endpoint.

Configure endpoint database settings

Specific Trace information for each endpoint exists in a local database. You can restrict database volume by size and days of storage. Adjust the settings for each endpoint database to suit a specific environment.

Additionally, you can test the event recorder on a representative sample of each type of system you want to monitor. Systems with different roles can generate a higher volume of certain types of events. For example, domain controllers typically generate more security events and network traffic than an average end-user workstation. You can build custom configurations that maximize event retention across an environment, while excluding unwanted activity.

  1. From the Main menu, click Trace.
  2. Click Settings.
  3. On the Groups tab, click Add Group or view an existing configuration.
  4. Add a name and select a computer group.

    The computer group must be added to the Trace Setup Action Group before you can select it.

  5. Specify the database behavior.
    1. In the Maximum Size field, specify a limit for the database.
      If the maximum database size is reached, the endpoint purges events.
    2. In the Maximum Days field, select the number of days that events are retained.
      Older events are purged from the endpoint database.
    3. (Linux and Mac only) If needed, change the Maximum CPU Threshold percentage.

      If the endpoint CPU usage per processor exceeds this percentage over a one minute period, the event recorder is disabled and audit rules are removed. The default is 25%. For more information about restarting the event recorder, see Start or stop the Trace event recorder.

    4. (Linux only) Make a selection from the Enable Auditd Raw Logging drop-down menu.
      • True: Adds audit rules and writes the raw logs to disk.

        This setting increases the audit log volume on the endpoint.

      • False: Disables writing logs to disk. Use this setting for improved event throughput and lower CPU usage.

        Be sure that you do not have other, non-Tanium, processes that depend on reading raw audit logs.

    5. (Linux and Mac only) Select Enable recorder CPU throttling on Mac and Linux to log messages and events. If selected, information is logged to /var/log/messages and recorder.log, and event processing is throttled so that events are logged over a longer period of time to conserve resources and minimize potential disruption.
  6. Complete the database event details.
    1. Select the types of events to record.

      By default, all registry, file, and DNS events are included, all Tanium events are excluded, and a selection of network and security events is included. Note that on most Windows systems, registry events generate the highest volume of event recorder activity.

    2. Add any filters for registry, file, network, or process events. The following filter types are available:
      • Registry Filters (Windows only): Excludes Windows registry events when specific key-value pairs match.

        For example, Key: \HKEY_LOCAL_MACHINE\Software\ and Value: \StaleList\.

      • File Filters: Excludes file events that match the beginning of the specified file path.

        For example, C:\Program Files (x86)\Tanium\Tanium Client\ or /proc.

      • Network Filters: Excludes network events that match the defined IP address or port, and operation values.

        For example, Address: 127.0.0.1, Port: 80, Operation: Connection Accepted.

        Ports that you specify in Network Filters match the destination port, that is, the port to which a connection is made on the targeted host.

      • Process Filters: Excludes events based on the process path, name, or (Mac and Linux only) command-line argument.

        For example, C:\Program Files (x86)\Google\Chrome\Application\* filters all processes in that Application folder.

  7. Click Save.
  8. Click Deploy.
    When changes are saved but have not been deployed, a Changes pending message is displayed.

The order of the configurations affects how they are applied to the endpoint. See Change the endpoint database configuration priority for more information.

Initialize endpoints

When endpoints are initialized, Trace deploys the following packages to each endpoint in the Trace Setup action group:

  • Trace tools
  • Trace certificate
  • Event recorder configuration settings

The initialization actions are scheduled to run continuously to ensure that Trace is properly installed on all selected endpoints. If the progress bars have not reached 100%, this does not necessarily mean that Trace is not properly installed on all endpoints.

  1. From the Main menu, click Trace.
  2. For Linux or Mac endpoints, click Settings.
  3. On the General tab under the Update Service Settings heading, select Enable Linux Endpoints and/or Enable Mac Endpoints, and click Save.
  4. From the Trace home page, click the Initialize Endpoints link in the Configure Trace section, and then click Initialize Endpoints.

    If the Configure Trace section is not visible in the Trace home page, click Manage Home Page, select Configure Trace, and click Save.

  5. Click Yes in the confirmation window.
  6. Click any of the progress bars to retrieve the latest status from each configuration step.

    You can also use the Tanium Trace Status sensor to retrieve up to date information on endpoint initialization.

You can now connect to live endpoints, create snapshots, and do forensic analysis.

After direct live endpoint connections have been established, you can set up the Trace zone proxy service if you are using a Zone Server in your environment. See Reference: Setting up the Trace zone proxy service.

Upgrade the Trace version

Upgrade Trace by importing it in the Tanium Console.

To preserve existing endpoint databases, take snapshots of important endpoints before upgrading.

  1. From the Main menu, select Tanium Solutions.
  2. Locate Trace and click Upgrade to <version>.
    A progress bar is displayed as the installation package is downloaded.
  3. Click Continue.
    The Import Solution page opens with a list of all changes and import options.
  4. Initiate the upgrade.
  5. Enter your password to confirm the upgrade.
  6. Return to the Tanium Solutions page and check the Installed version for Trace from the Main menu.

    If the Trace version has not updated in the console, refresh your browser.

  7. Recreate any custom user roles.

What to do next

See Getting started with Trace for more information about using Trace.

Last updated: 11/2/2018 3:31 PM