"Error 1802: Corrupted incident received" under Recent Events
search cancel

"Error 1802: Corrupted incident received" under Recent Events


Article ID: 160656


Updated On:


Data Loss Prevention Enforce Data Loss Prevention Endpoint Discover Data Loss Prevention


The alert "Error 1802: Corrupted incident received" occurs under Recent Events in the Data Loss Prevention (DLP) Enforce server.


Incidents are becoming corrupted due to insufficient space in the tablespace DLP uses to store incident data:

  • When the system is unable to extend the tablespace, the DLP Incident Persister renames the incident files that could not be stored in Oracle to a .bad extension 
  • The files are saved in the following location:
    • drive:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\incidents (Windows)
    • /var/Symantec/DataLossPrevention/ServerPlatformCommon/<version>/incidents (Linux)


  1. Extend the tablespace. See Oracle tablespace (LOB_TABLESPACE, USERS, etc.) for DLP is full, almost full, or critically full.

    Note: Once you have resolved the tablespace issue, you can rename the .bad files to .idc files, and the system will then store them in Oracle normally. See What is a .bad file?

  2. Open a command prompt as Administrator.
  3. Change (cd command) to the incidents folder on Enforce:

    • Windows: C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\incidents
    • Linux: /var/Symantec/DataLossPrevention/ServerPlatformCommon/<version>/incidents

  4. As a precaution, back up all files in the incident folder to another location.
  5. Rename the files from .bad to .idc. Enforce should then begin to process the incident file.

    Here is an example of the files, be sure to only rename the .bad to .idc
    • Before: l1508521889832.idc_1506531432885.idc.1510146362333.bad
    • After: l1508521889832.idc_1506531432885.idc.1510146362333.idc

      You can run the following command to rename all the files at once:

      rename *.bad *.idc

Note: If you see incidents from some detection servers that are being stored normally, the cause is unrelated to a tablespace issue and the cause is likely due to a configuration issue on the affected detection servers.