Endpoint Server tmp files filling up Protect temp directory
Article ID: 159466

Products

- Data Loss Prevention Endpoint Discover
- Data Loss Prevention
- Data Loss Prevention Core Package
- Data Loss Prevention Endpoint Prevent
- Data Loss Prevention Endpoint Suite

Issue/Introduction

During an Endpoint Discover scan, the Endpoint server becomes low on drive space. Investigation shows TMP files in the following directory:

<InstallDirectory>:\ProgramData\Symantec\DataLossPrevention\DetectionServer\<DLPVersion>\temp\aggregator_temp_incident_data

This is related to the "Incident Receiver", which unpacks and saves the temporary incident data that Endpoint Agents send to the Endpoint Server. There appears to be one sub-directory for each potential incident, in the following format:

<InstallDirectory>:\ProgramData\Symantec\DataLossPrevention\DetectionServer\<DLPVersion>\temp\aggregator_temp_incident_data\<folder_number>\<number.tmp>

You may also see a Code 1014 message for the server in Enforce.

Cause

1. The hard drive is being filled with incident data faster than it can be processed.

2. A temporary incident file or folder is corrupt.

3. Unidentified cause; the issue still occurs after attempting the workarounds for causes 1 and 2.

Resolution

Cause 1 Workaround:
If this directory is filling up the hard drive on the Endpoint Server, it is likely because the Agents are sending in data faster than FileReader can process it. If the Aggregator process is stopped on the Endpoint Server (via the EndpointServer process), the Agents will not be able to send their data up. Once the process is restarted, however, the Agents will resume sending data, and the drive will fill up again.

One workaround is to temporarily change the Agent Listener port in the Endpoint Server configuration. Agents will not send data without establishing a connection, but the Aggregator process on the Endpoint Server will continue to process the incident data already on disk normally. Once the directory has drained (it is normally empty), the port can be set back to the default (8000), and the Agents will resume sending data.

Cause 2 Workaround:

  1. Stop the DLP Detection Server Service on the Detection server.
  2. Move the corrupt temp incident folder out of the aggregator_temp_incident_data folder or just erase these folders inside aggregator_temp_incident_data.
  3. Start the DLP Detection Server Service on the Detection server.
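The following PowerShell script is an added example, not part of this article or of the DLP product, that automates the check behind the Cause 1 workaround (how many incident folders exist and how much space they use) and the Cause 2 workaround (stop the service, move stale folders out of aggregator_temp_incident_data, start the service again). The DLP version folder, the Windows service name of the DLP Detection Server Service and the quarantine location are placeholders that must be set for your server; the 24-hour staleness threshold is an assumed value.

```powershell
<#
  Added example (not from the KB article): report on the aggregator temp
  directory and, with -Quarantine, move stale incident folders out of it
  with the Detection Server service stopped, as in the Cause 2 workaround.
  Placeholders: $DlpVersion, $ServiceName and $QuarantineDir must be adjusted.
#>
param(
    [string]$InstallDrive  = 'C',                               # drive that holds ProgramData for DLP
    [string]$DlpVersion    = '<DLPVersion>',                    # placeholder: version folder under DetectionServer
    [string]$ServiceName   = '<DLPDetectionServerServiceName>', # placeholder: confirm with Get-Service on the server
    [string]$QuarantineDir = 'D:\DLP_quarantine',               # assumed: a location on a drive with free space
    [int]$OlderThanHours   = 24,                                # assumed: folders untouched this long are treated as stuck
    [switch]$Quarantine                                         # without this switch the script only reports
)

$tempDir = "$InstallDrive`:\ProgramData\Symantec\DataLossPrevention\DetectionServer\$DlpVersion\temp\aggregator_temp_incident_data"
if (-not (Test-Path $tempDir)) { throw "Temp directory not found: $tempDir" }

# Report: number of incident sub-directories and the space they occupy.
$folders = @(Get-ChildItem -Path $tempDir -Directory)
$bytes   = (Get-ChildItem -Path $tempDir -Recurse -File | Measure-Object -Property Length -Sum).Sum
'{0} incident folders, {1:N1} MB in {2}' -f $folders.Count, ($bytes / 1MB), $tempDir

# Free space on the drive holding the temp directory, to judge how urgent it is.
$drive = Get-PSDrive -Name $InstallDrive
'{0:N1} GB free on {1}:' -f ($drive.Free / 1GB), $drive.Name

if (-not $Quarantine) { return }

# Only folders that have not changed for a while are candidates; a folder the
# Incident Receiver is still writing to is left alone.
$cutoff = (Get-Date).AddHours(-$OlderThanHours)
$stale  = @($folders | Where-Object { $_.LastWriteTime -lt $cutoff })
if ($stale.Count -eq 0) {
    'No folders older than {0} hours; nothing to move.' -f $OlderThanHours
    return
}

New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null

# Stop the service first so no folder is moved while it is being processed.
Stop-Service -Name $ServiceName -ErrorAction Stop
try {
    foreach ($f in $stale) {
        Move-Item -Path $f.FullName -Destination (Join-Path $QuarantineDir $f.Name) -ErrorAction Stop
    }
    '{0} folders moved to {1}' -f $stale.Count, $QuarantineDir
}
finally {
    # Restart even if a move failed, so Agents are not left unable to send data.
    Start-Service -Name $ServiceName
}
```

Run it once without -Quarantine to see the folder count and free space; if the count keeps growing while the service is running, that points to Cause 1 rather than a corrupt folder. Moving folders to a quarantine directory instead of deleting them keeps the incident data available should it turn out to be valid.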

Cause 3 Workaround:

1. Reinstall the Endpoint Server

Additional Information