Error: "Error 1802: Corrupted incident received"


Article ID: 160656


Products

  • Data Loss Prevention Endpoint Prevent
  • Data Loss Prevention Network Monitor
  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention for Mobile
  • Data Loss Prevention Enforce
  • Data Loss Prevention Network Discover
  • Data Loss Prevention Network Prevent for Web
  • Data Loss Prevention for Tablets
  • Data Loss Prevention Endpoint Discover

Issue/Introduction

The Symantec Data Loss Prevention (DLP) Enforce server shows "Error 1802: Corrupted incident received" under Recent Events.

  1. Log on to your Enforce Console
  2. Go to System > Servers and Detectors > Overview
  3. Click on your Enforce Server
  4. Under All recent Events you will see the following error listed:

 

Error 1802: Corrupted incident received

Cause

Incidents are becoming corrupted due to insufficient space in the tablespace DLP uses to store incident data:

  • When the system is unable to extend the tablespace, the DLP Incident Persister renames the incident files that could not be stored in Oracle, giving them a .bad extension
  • The files are saved in the following location:
    • 15.5: C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\incidents (Windows)
    • 15.1: C:\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\incidents (Windows)
    • 14.x: \SymantecDLP\Protect\incidents (Windows)
    • 14.x: /opt/Vontu/Protect/incidents (Linux) or /var/SymantecDLP/incidents

Resolution

  1. Extend the tablespace:
  2. Once you have resolved the tablespace issue, rename the .bad files to .idc files. The system will then store them in Oracle normally.
    1. Open a command prompt as Administrator
    2. cd to the incidents folder on Enforce:
      • \SymantecDLP\Protect\incidents (Windows)
      • /opt/Vontu/Protect/incidents (Linux) or /var/SymantecDLP/incidents
    3. As a precaution, back up all files in the incidents folder to another location.
    4. Rename the files from .bad to .idc.
      • Here is an example of the file names. Be sure to rename only the trailing .bad to .idc.
        • Before: l1508521889832.idc_1506531432885.idc.1510146362333.bad

        • After: l1508521889832.idc_1506531432885.idc.1510146362333.idc

        • You can run the following command to rename all the files at once:

          •  rename *.bad *.idc

    5. Enforce should then begin to process the incident file.
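
The wildcard rename command above is written for the Windows command prompt. For the Linux incidents folder, steps 3 and 4 can be scripted as follows. This is an added example, not Symantec's code; the function name restore_bad_incidents and its two arguments (incidents folder, backup folder) are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the product):
# back up the incidents folder, then change only the trailing ".bad" to ".idc".
# Usage: restore_bad_incidents INCIDENT_DIR BACKUP_DIR
# Exit status: 0 = all renamed, 1 = some files skipped, 2 = hard failure.
restore_bad_incidents() {
    incident_dir=$1
    backup_dir=$2
    renamed=0
    skipped=0

    [ -d "$incident_dir" ] || { echo "not a directory: $incident_dir" >&2; return 2; }
    mkdir -p "$backup_dir" || return 2

    # Step 3: copy every regular file aside before anything is renamed.
    for f in "$incident_dir"/*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$backup_dir"/ || { echo "backup failed: $f" >&2; return 2; }
    done

    # Step 4: strip only the final ".bad"; earlier ".idc" parts of the
    # name (as in the Before/After example) stay untouched.
    for f in "$incident_dir"/*.bad; do
        [ -f "$f" ] || continue            # also handles "no .bad files"
        target="${f%.bad}.idc"
        if [ -e "$target" ]; then
            # Never overwrite an incident file that is already queued.
            echo "skip (target exists): $target" >&2
            skipped=$((skipped + 1))
            continue
        fi
        mv "$f" "$target" || return 2
        renamed=$((renamed + 1))
    done

    echo "renamed=$renamed skipped=$skipped"
    [ "$skipped" -eq 0 ]
}

# Run directly only when both folders are given on the command line.
if [ "$#" -eq 2 ]; then
    restore_bad_incidents "$1" "$2"
fi
```
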

Note: If incidents from some detection servers are being stored normally, the problem is unrelated to a tablespace issue and is likely due to a configuration issue on the affected detection servers.