Troubleshooting

Do not manually delete any Tanium content that includes Comply in the name for any reason. Deleting Tanium content can cause Comply to stop working correctly.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

1. From the Comply Home page, click Help , then the Troubleshooting tab. Select the solutions for which to gather troubleshooting packages. All available solutions are selected by default.
2. Click Create Package.
   
3. When the packages are ready, click Download Support Bundle.
   A productname-support.[timestamp].zip file downloads to the local download directory for each selected package.

   Some browsers might block multiple downloads by default. Make sure to configure your browser to permit multiple downloads from the Tanium Console.

4. Contact Tanium Support to determine the best option to send the ZIP file(s). For more information, see Contact Tanium Support.

Collect troubleshooting information from endpoints

You can use Client Management to directly connect to an endpoint and collect a bundle of logs and other artifacts, sometimes referred to as an Endpoint Must Gather (EMG).

1. From the Main menu, click Shared Services > Client Management.

2. From the Client Management menu, click Client Health.

3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

   Matching results are displayed after the search completes.

4. From the search results, click the computer name to connect to the endpoint.

5. Click the Gather tab. In the Domain section, select the category or Tanium Solution for which you want to gather troubleshooting information.

   For Comply information, select the Comply domain and then select Comply Database, Comply Extension Data, and Comply Intel.

6. Click Gather from Endpoint.

   The selected logs and artifacts are gathered from the endpoint. The package appears in the Must Gathers section, and the name of the package corresponds with its time stamp.

7. When Finished appears in the Run State column, select the package and click Download to download a ZIP file that contains the troubleshooting information.

For more information about connecting directly to endpoints, see Tanium Direct Connect User Guide.

For more information about using client health features in Client Management, see Tanium Client Management User Guide: Monitor the client health overview in Client Management and Tanium Client Management User Guide: Access detailed client health and troubleshooting information on an endpoint.

Locate log files

You might need to locate log files on your endpoint or on the Tanium Module Server for troubleshooting purposes when working with technical support.

Endpoint log files

Comply log files are created on endpoints at the following path: <Tanium Client>\extensions\comply\data\results\<scan name>\*-stdout.txt

Tanium Module Server log files

Comply log files are created on the Tanium Module Server at the following path: <Module Server>\services\comply-service-files\logs

Service log files are found here.

Java tool options when executing java

Starting with Comply 2.14, JAVA_TOOL_OPTIONS has the following config setting.

CX.comply.UseSystemJavaToolsOption Use the system environment variable JAVA_TOOL_OPTIONS when executing java. The default is 1. Set to 0 and ComplyCX will ignore any system set JAVA_TOOL_OPTIONS environment variable.

Scans do not run as expected

Comply cannot run scans or clean up old results on endpoints with actions locks turned on. See Tanium Console User Guide: Managing action locks.

Update the Tanium Vulnerability Library for CVSS v3 support

Starting with Comply 2.13, Tanium Vulnerability Library files on content.tanium.com now support CVSS v3. If you are upgrading from a previous version, and If you have disabled recurring updates or are running in airgap mode, you must manually upgrade to the latest TVL for Comply features to function properly. See Upload the Tanium Vulnerability Library files for instructions.

After upgrading to Comply 2.13, uUntil the TVL is updated based on the configured update schedule, a message may appear in the Tanium Console instructing you to upgrade to the latest TVL.

Restart Connect service after upgrade

It is recommended that you restart the Connect service after upgrading to Comply 2.13.

RBAC synchronization with SUS adoption after upgrade

In Comply 2.12, the steps required to configure the service account are no longer necessary due to the adoption of the System User Service, which performs these tasks automatically. Consequently, after upgrading to Comply 2.12, it might take time for the database migration to complete and for RBAC privileges and other updates to sync properly. This could lead to issues and error messages when first querying the Tanium Console. These issues should resolve on their own after a few minutes, but could take longer depending on system resources and the amount of data to migrate.

Remote authenticated scan timeout failure

If RAS scans are timing out, starting in Comply 2.17, you can increase the timeout value in one of the following ways:

The default timeout value is 90000 milliseconds

• Option 1: Increase the timeout setting on the satellite by deploying the Modify Tanium Client Setting package and setting CX.comply.JovalMinCommandTimeoutMsto <value in milliseconds>

• Option 2: Log into the satellite performing the RAS scan and enter the following from a command line: ./TaniumClient config set CX.comply.JovalMinCommandTimeoutMs <value in milliseconds>

Remote authenticated scans fail on ESXi devices

With Joval 6.4.2 and later, RAS scans of ESXi devices fail when using a self-signed certificate that is not from a trusted certificate authority. In previous versions of Joval, the TLS certificate provided by the endpoint was not authenticated. This behavior changed in Joval 6.4.2 and now trusted certificates must be used.

If RAS scans are failing on ESXI devices for this reason, you have the option to disable TLS validation. You can accomplish this by deploying a package to modify Tanium client settings on the satellite or by logging into the satellite directly and using a command line flag to restore the previous Joval behavior.

• Option 1: Disable Joval TLS validation on the satellite by deploying the Modify Tanium Client Setting package and setting CX.comply.RasDisableTlsValidation to 1

• Option 2: Log into the satellite performing the RAS scan and enter the following from a command line: ./TaniumClient config set CX.comply.RasDisableTlsValidation 1

Results directory on endpoint after upgrade

When upgrading to Comply 2.11, the Tools/Comply/results directory on the endpoint is migrated to extensions/comply/data/results.

By default the legacy results will remain for 7 days unless they are migrated by the service and there is an ECF configuration

Note that the Tools/Comply/results and Tools/Comply/benchmarks folders are automatically deleted after 30 days.

Incomplete findings for endpoints after upgrade

After upgrading Tanium Comply, while tools are deploying and data is migrating, it may take time for Findings to be complete.

Incorrect or missing findings for reports with custom profiles after upgrade

After upgrading Tanium Comply, compliance reports from previous versions are automatically migrated to assessments. If you had compliance reports that used custom profiles or tailoring files, you must re-deploy those assessments after upgrading. Otherwise, the corresponding findings may be missing or displayed correctly.

You may need to disable Hide error results from questions in User Preferences to validate that you have missing or incorrect findings.

Ensure Comply tools on the endpoints have been upgraded to the latest version before re-deploying assessments.

Missing vulnerability reports after upgrade

After upgrading from Comply 2.9 to a later version of Comply, compliance reports are migrated to the new version but vulnerability reports are not. This is intended due to the inability to ensure that query filters would provide the same results in newer versions of Comply that were seen in Comply 2.9 and earlier reports. Instead, there are some high-level, OS-based vulnerability reports provided with Comply 2.10 and later.

Deployments do not run as expected

Check for the following error messages if a deployment does not run as expected:

Some machines included in this deployment cannot be deployed to.

Ensure that targeted endpoints have enough disk space to accommodate deployments.

Some machines included in this deployment don't have the system utilities required to complete a scan.

Linux or macOS endpoints do not have the UNIX utilities installed that are required for Comply to work correctly.

License expiration impact

Comply will not operate with an expired license. Update the license to restore functionality.

There is a 30 day grace period before Comply stops operating.

Identify and resolve issues with client extensions

Use the following steps to troubleshoot issues with the client extensions that Comply installs and uses. During troubleshooting, consider environmental factors such as security exclusions, file locks, CPU usage, RAM usage, and disk failures.

To review the client extensions that Comply installs and uses, see Client extensions.

1. To review the health of client extensions or to start an investigation into an existing error, ask a question using the Client Extensions - Status or Comply - Tools Version sensor.

   The results of these questions help to identify endpoints with errors and provide a starting point to deploy actions that might help correct the issue. Filter the results and drill down as necessary to investigate results that indicate errors.

   Consider whether endpoints with errors share common characteristics, such as operating system, domain or organization unit, or the antivirus software that is installed.

2. Target one or more endpoints with errors, and uninstall tools that report errors without blocking reinstallation: see Remove Comply tools from endpoints and Endpoint Configuration User Guide: Uninstall a tool installed by Endpoint Configuration.

   When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

   Wait for automatic reinstallation of the tool. If the reinstallation does not resolve the issue, continue to the next step.

3. Ask a question using the Endpoint Configuration - Tools Status Details sensor, and include filters to limit the results to the tool that you are investigating. For example:

   Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Comply from all machines with Endpoint Configuration - Tools Status:Tool Name contains Comply

   Review the columns in the results for specific information about errors. The following table provides guidance for some common error conditions:

   Error Condition	Possible Resolution
   No error appears, but an available new version has not been installed	Review the Targeted Version column to make sure that the endpoint has received the latest manifest. If the targeted version does not yet show the updated version, the Endpoint Configuration manifest has not updated on the endpoint, usually for one of the following reasons: The manifest update is still pending. Either wait for the manifest to update and then review the results again, or follow the steps in Endpoint Configuration User Guide: Verify and manually update the Endpoint Configuration manifest. Action lock is enabled on the endpoint. Follow the steps in Endpoint Configuration User Guide: Verify and manually update the Endpoint Configuration manifest to identify endpoints with action lock turned on. Comply is no longer installed, or it is no longer targeting the endpoint. In some cases, Comply might stop targeting an endpoint because it no longer needs the endpoint for a particular workload. Consider whether Comply should still target the endpoint: If it is expected or intentional that Comply no longer targets the endpoint, you can optionally uninstall Comply tools and dependencies: see Remove Comply tools from endpoints. If Comply should still target the endpoint, make sure that the Comply action group includes the endpoint, and make sure Comply targets the endpoint in any expected configurations or profiles. Then, either wait for the manifest to update and then review the results again, or follow the steps in Endpoint Configuration User Guide: Verify and manually update the Endpoint Configuration manifest.
   Installation Blocker:Unmet Dependencies: [Tool name]	If no Failure Message or Failure Step appears, the endpoint might be waiting for the dependencies to install. Wait to see if the condition resolves on its own. If this condition remains for an extended period, ask the question again and review any error information in other columns, especially the Failing Dependency column.
   Failing Dependency:[Tool name]	Ask the question: Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains [Tool name] from all machines with Endpoint Configuration - Tools Status:Tool Name contains [Tool name] Investigate further errors with the tool. If the dependency has not been installed on an endpoint, ask the question: Get Endpoint Configuration - Tools Retry Status from all machines with Computer Name equals Computer_Name to review the retry status for the tool installation. For more information, see Endpoint Configuration User Guide: Review tool installations that are scheduled for a retry.
   Manually Blocked:blocked	The tool was previously blocked, either manually or during a previous uninstallation. Unblock the tool: see Endpoint Configuration User Guide: Block or unblock tools from installing on an endpoint.

4. Review the Extensions logs on the endpoint. Take note of entries that include fail or error: see Review the Extensions log for an endpoint.

For additional help, collect all logs for Tanium Comply, and contact Tanium Support.

Review the Extensions log for an endpoint

Use Client Management to directly connect to an endpoint and view and download extension logs.

1. From the Main menu, go to Shared Services > Client Management.

2. From the Client Management menu, click Client Health.

3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

   Matching results are displayed after the search completes.

4. From the search results, click the computer name to connect to the endpoint.

5. Click the Logs tab, and select an extensions[#].log file.

6. (Optional) To download the log, click Download.

For additional help, collect all logs for Tanium Comply, and contact Tanium Support.

Remove Comply tools from Windows and Linux endpoints

You can deploy an action to remove Comply tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

1. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
   Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
2. In the results, select the row for Comply, drill down as necessary, and select the targets from which you want to remove Comply tools. For more information, see Tanium Interact User Guide: Drill Down.
   
3. Click Deploy Action.
4. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.

5. For Tool Name, select Comply.

6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Re-installation occurs almost immediately.

   If reinstallation is blocked, you must unblock it manually:

   • To allow Comply to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

   • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

7. (Optional) To remove all Comply databases and logs from the endpoints, clear the selection for Soft uninstall.

   When you perform a hard uninstallation of some tools, such as Recorder or Index, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data, such as recorded events (in the case of Recorder) or file indexes (in the case of Index). If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool. To help determine what data a tool stores on endpoints, go to https://docs.tanium.com/ and review the documentation for the tool or for the Tanium solution that installed it, and contact Tanium Support for additional help.

8. (Optional) To also remove any tools that were dependencies of the Comply tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

9. (Optional) In the Deployment Schedule section, configure a schedule for the action.

   If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

10. Click Show preview to continue.

11. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Comply

If you need to uninstall Comply, clean up the Comply artifacts on endpoints and then uninstall Comply from the server.

Remove Comply content from endpoints

1. From the Main menu, click Interact.
2. Ask a question to target the endpoints from which you want to remove Comply content and tools. For example, Get Comply - Tools Version from all machines returns all endpoints with the Comply tools installed.
3. Select the endpoints from which you want to remove Comply content and tools.
4. Click Deploy Action.
5. On the Deploy Action page, select either the Comply - Remove Client Files - Windows, Comply - Remove Client Files - Solaris, or Comply - Remove Client Files - Unix action, as appropriate. For more information, see Tanium Platform User Guide: Managing Scheduled Actions.
6. Check Remove ALL Comply files if you want to remove all Comply content or select only the content and tools you want to remove.
7. In the Action Details section, the package name is automatically added to the Name field.
8. Set a Deployment Schedule, One Time or Recurring.
9. Under Targeting Criteria, select endpoints to target for the uninstall.

•  The default Action Group is All Computers. You can select a different group here and further filter the list based on your selection.

• You can also enter a manual list.
10. Click Save and Show preview to continue.
11. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

Remove the Comply solution from the Tanium Module Server

1. From the Main menu, go to Administration > Configuration > Solutions.
2. In the Comply section, click Uninstall.
3. Review the content that will be removed and click Uninstall.
4. Depending on your configuration, enter your password or click Yes to start the uninstall process.
5. Return to the Solutions page and verify that the Import button is available for Comply.

When you uninstall Comply, the database and service files are not removed. This allows future installations to retain the previous state. On uninstall, the <Module Server>\services\comply-service-files are moved to <Module Server>\services\comply-service-files_<timestamp>.

To uninstall the database, you must run the following command on the Tanium Module Server:

• Windows

  : C:\Program Files\Tanium\TaniumModuleServer\services\rdb-service\TaniumRdbService.exe clear comply

• Linux/TanOS:

  /opt/Tanium/TaniumModuleServer/services/rdb-service/TaniumRdbService clear comply

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.