Enforce Incident Queue is processing slowly

Article ID: 160190

Products: Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

The incident queue count on the Enforce server, shown under Administration -> System -> Overview, is high.

Resolution

Follow the steps below on the Enforce Server.

1. Restart the "Incident Persister" service.

2. Check the Vontu Incident Persister logs for OutOfMemoryError entries such as:

INFO   | jvm 60   | 2013/06/12 02:46:33 | java.lang.OutOfMemoryError: Java heap space
INFO   | jvm 60   | 2013/06/12 02:49:39 | Exception in thread "RMI TCP Connection(idle)"
INFO   | jvm 60   | 2013/06/12 02:49:40 | java.lang.OutOfMemoryError: Java heap space
INFO   | jvm 60   | 2013/06/12 03:01:00 | Exception in thread "RMI TCP Connection(idle)" java.lang.OutOfMemoryError: Java heap space

If these appear, increase the persister's heap by modifying the following lines in VontuIncidentPersister.conf, located in \Vontu\Protect\config on Windows:

# Initial Java Heap Size (in MB) default 256
wrapper.java.initmemory=512

# Maximum Java Heap Size (in MB) default 512
wrapper.java.maxmemory=1024

Note: also make sure the Enforce and Detection Servers have the recommended amount of physical memory.

3. Check whether incidents are queued in the Incident folder, Vontu\Protect\Incident.

Check for any .bad files and copy them to another location, then confirm that the incident files are being processed and that the queued-incident count on System -> Overview is decreasing.

4. Check for large incident files (15-20 MB); a normal incident file is about 5 KB. A large incident file takes much longer to process and holds up the other incident files in the queue.

Check whether any response rule retains the messages and their attachments; change that response rule to discard attachments and save it. Inform the customer that the best practice is not to retain attachments.

To identify which response rule is retaining attachments, open any network or endpoint incident that has an attachment, then check its policy and the response rules in that policy.
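An added triage script for steps 2 to 4 and the heap cap in Additional Information (example code, not part of this article or the product): it parses the two heap keys out of VontuIncidentPersister.conf text, flags a maximum heap at or above 31 GB, and lists .bad and oversized files in an Incident folder. The folder contents and file names in demo() are constructed placeholders; on a real system you would point triage_incident_folder at Vontu\Protect\Incident.

```python
import tempfile
from pathlib import Path

# Thresholds from the article: ~5 KB is a normal incident file, 15-20 MB files stall the queue.
LARGE_INCIDENT_BYTES = 15 * 1024 * 1024
MAX_SAFE_HEAP_MB = 31 * 1024  # the article's 31 GB ceiling for the persister heap
HEAP_KEYS = ("wrapper.java.initmemory", "wrapper.java.maxmemory")

def heap_settings(conf_text):
    """Parse the two wrapper heap keys (MB) out of VontuIncidentPersister.conf text."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # the comments state the defaults, not the live value
        key, sep, value = line.partition("=")
        if sep and key.strip() in HEAP_KEYS:
            found[key.strip()] = int(value.strip())
    return found

def heap_warnings(settings):
    """Flag a max heap at or above 31 GB, where the JVM loses compressed object pointers."""
    if settings.get("wrapper.java.maxmemory", 0) >= MAX_SAFE_HEAP_MB:
        return ["wrapper.java.maxmemory is at or above 31 GB; keep it below 31 GB"]
    return []

def triage_incident_folder(folder, large_bytes=LARGE_INCIDENT_BYTES):
    """List .bad files and oversized files queued in the Incident folder."""
    bad, large, queued = [], [], 0
    for entry in Path(folder).iterdir():
        if not entry.is_file():
            continue
        queued += 1
        if entry.suffix.lower() == ".bad":
            bad.append(entry.name)
        elif entry.stat().st_size >= large_bytes:
            large.append(entry.name)
    return {"queued": queued, "bad_files": sorted(bad), "large_files": sorted(large)}

SAMPLE_CONF = "wrapper.java.initmemory=512\nwrapper.java.maxmemory=1024\n"  # constructed

def demo():
    """Triage a constructed Incident folder (sparse placeholder files, not real incidents)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, size in (("inc-0001", 5 * 1024), ("inc-0002", 6 * 1024),
                           ("inc-0003.bad", 5 * 1024), ("inc-0004", 18 * 1024 * 1024)):
            with open(Path(tmp) / name, "wb") as fh:
                fh.truncate(size)  # sparse file: sets st_size without writing data
        return triage_incident_folder(tmp)
```

Calling demo() reports one .bad file and one oversized file out of four queued; heap_warnings(heap_settings(SAMPLE_CONF)) is empty for the article's 512/1024 MB values.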


Also consider whether recent policy changes have generated a large number of incidents.

Additional Information

Do not increase the heap beyond 31 GB.
At 32 GB the JVM loses compressed object pointers (memory compression), and the larger heap becomes counter-productive.