ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

"Error 1802: Corrupted incident received" under Recent Events

book

Article ID: 160656

calendar_today

Updated On:

Products

Data Loss Prevention Enforce Data Loss Prevention Endpoint Discover Data Loss Prevention

Issue/Introduction

The alert "Error 1802: Corrupted incident received" occurs under Recent Events in the Data Loss Prevention (DLP) Enforce server.

Cause

Incidents are becoming corrupted due to insufficient space in the tablespace DLP uses to store incident data:

  • When the system is unable to extend the tablespace, the DLP Incident Persister renames the incident files that could not be stored in Oracle to a .bad extension 
  • The files are saved in the following location:
    • drive:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\version\incidents (Windows)
    • /var/Symantec/DataLossPrevention/ServerPlatformCommon/version/incidents (Linux)

Resolution

  1. Extend the tablespace. See Oracle tablespace (LOB_TABLESPACE, USERS, etc.) for DLP is full, almost full, or critically full.

    Note: Once you have resolved the tablespace issue, you can rename the .bad files to .idc files, and the system will then store them in Oracle normally. See What is a .bad file?

  2. Open a command prompt as Administrator.
  3. Change (cd command) to the incidents folder on Enforce:

    • Windows: C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.8.00000\incidents
    • Linux: /var/Symantec/DataLossPrevention/ServerPlatformCommon/15.8.00000/incidents

  4. As a precaution, back up all files in the incident folder to another location.
  5. Rename the files from .bad to .idc. Enforce should then begin to process the incident file.

    Here is an example of the files, be sure to only rename the .bad to .idc
    • Before: l1508521889832.idc_1506531432885.idc.1510146362333.bad
    • After: l1508521889832.idc_1506531432885.idc.1510146362333.idc

      You can run the following command to rename all the files at once:

      rename *.bad *.idc

Note: If you see incidents from some detection servers that are being stored normally, the cause is unrelated to a tablespace issue and the cause is likely due to a configuration issue on the affected detection servers. See WebPrevent block message causing Incidents to not show up in UI.