DLP Endpoint agent custom identifier does not create incidents.


Article ID: 160125


Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Symantec Data Loss Prevention (DLP) Endpoint Agents do not generate incidents for policies that you have configured with a custom data identifier.

EDPA log:

01/01/2013 12:00:00 |  1234 | INFO    | MessageLogger   | MESSAGETYPE_DETECTION_RESULT    MESSAGESOURCE_DETECTION  01/01/2013 12:00:00  [req#123 FAILURE <\b> is not a valid letter for index  no incidents]

Cause

The custom data identifier contains an invalid regular expression element.

Resolution

The DLP custom data identifier language uses a subset of the regular expression command set, so not all valid regex elements are supported. The exact text in the log varies, but the portion of the log entry following "req#nnn FAILURE" indicates the issue. In this log example, the element enclosed in angle brackets, <\b>, is the expression element that is invalid.

To resolve the problem, check all custom data identifiers that are used in your policies, and remove any element that causes the error or is unsupported.
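To see which element the agent rejected across a whole EDPA log, the text after "req#nnn FAILURE" can be pulled out with a short script. This is an added example, not Symantec code: the sample lines are constructed from the entry quoted in this article, and the function names are hypothetical.

```python
import re
from collections import Counter

# Text after "req#nnn FAILURE", up to the closing bracket, is the reason.
FAILURE_RE = re.compile(r"\[req#(?P<req>\d+)\s+FAILURE\s+(?P<reason>[^\]]*)\]")
# The rejected expression element is enclosed in angle brackets.
ELEMENT_RE = re.compile(r"<([^<>]+)>")

# Constructed sample lines modelled on the entry quoted in this article.
SAMPLE_LOG = r"""
01/01/2013 12:00:00 |  1234 | INFO    | MessageLogger   | MESSAGETYPE_DETECTION_RESULT    MESSAGESOURCE_DETECTION  01/01/2013 12:00:00  [req#123 FAILURE <\b> is not a valid letter for index  no incidents]
01/01/2013 12:00:05 |  1234 | INFO    | MessageLogger   | MESSAGETYPE_DETECTION_RESULT    MESSAGESOURCE_DETECTION  01/01/2013 12:00:05  [req#124 FAILURE <\b> is not a valid letter for index  no incidents]
01/01/2013 12:00:09 |  1234 | INFO    | MessageLogger   | constructed unrelated entry
"""


def parse_failures(lines):
    """Yield one dict per detection FAILURE entry found in lines."""
    for line in lines:
        match = FAILURE_RE.search(line)
        if not match:
            continue
        # The exact wording varies, so keep the full reason text as well.
        reason = " ".join(match.group("reason").split())
        element = ELEMENT_RE.search(reason)
        yield {
            "logged": line.split("|", 1)[0].strip(),
            "req": int(match.group("req")),
            "element": element.group(1) if element else None,
            "reason": reason,
        }


def summarize(lines):
    """Count failures per rejected element (None = no bracketed element)."""
    return Counter(entry["element"] for entry in parse_failures(lines))


if __name__ == "__main__":
    for element, count in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{count} failure(s): unsupported element {element!r}")
```

Each distinct element in the summary is something to search for in the patterns of your custom data identifiers.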

For additional information refer to the following articles: