Error: "Error 1802: Corrupted incident received"


Article ID: 160656


Products

Data Loss Prevention Enforce, Data Loss Prevention Endpoint Discover, Data Loss Prevention

Issue/Introduction

The Symantec Data Loss Prevention (DLP) Enforce server is showing "Error 1802: Corrupted incident received" under Recent Events.

  1. Log on to your Enforce Console
  2. Go to System > Servers and Detectors > Overview
  3. Click on your Enforce Server
  4. Under All recent Events you will see the following error listed:

 

Error 1802: Corrupted incident received

Cause

Incidents are becoming corrupted due to insufficient space in the tablespace DLP uses to store incident data:

  • When the system is unable to extend the tablespace, the DLP Incident Persister renames the incident files that could not be stored in Oracle to a .bad extension 
  • The files are saved in the following location:
    • 15.5: C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\incidents (Windows)
    • 15.1: C:\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\incidents (Windows)
    • 14.x: \SymantecDLP\Protect\incidents (Windows)
    • 14.x: /opt/Vontu/Protect/incidents (Linux) or /var/SymantecDLP/incidents

Resolution

  1. Extend the tablespace:
  2. Once you have resolved the tablespace issue, you can rename the .bad files to .idc files, and the system will then store them in Oracle normally. 
    1. Open a command prompt as Administrator
    2. cd to the incidents folder on Enforce:
      • \SymantecDLP\Protect\incidents (Windows)
      • /opt/Vontu/Protect/incidents (Linux) or /var/SymantecDLP/incidents
    3. As a precaution, back up all files in the incidents folder to another location.
    4. Rename the files from .bad to .idc.
      • Here is an example file name. Be sure to change only the trailing .bad extension to .idc.
        • Before: l1508521889832.idc_1506531432885.idc.1510146362333.bad
        • After: l1508521889832.idc_1506531432885.idc.1510146362333.idc
      • From the Windows command prompt, you can run the following command to rename all the files at once:
        • rename *.bad *.idc

    5. Enforce should then begin to process the incident file.

Note: If incidents from some detection servers are being stored normally, the cause is unrelated to a tablespace issue and is likely a configuration issue on the affected detection servers.
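
For Linux Enforce servers, where the Windows rename command above does not apply, the backup and rename steps of the Resolution can be scripted as follows. This is an added example, not Symantec or Broadcom code; the function name and the backup directory are assumptions, and it should be run only after the tablespace has been extended.

```shell
#!/bin/sh
# Added example (not vendor code): requeue incident files that the
# Incident Persister renamed to .bad.
#
# Usage (backup path is a hypothetical choice):
#   requeue_bad_incidents /var/SymantecDLP/incidents /var/tmp/incidents-backup
#
# Prints the number of files renamed; returns non-zero on any failure.
requeue_bad_incidents() {
    incidents_dir=$1
    backup_dir=$2
    renamed=0

    [ -d "$incidents_dir" ] || { echo "no such directory: $incidents_dir" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1

    # Step 3: back up every file in the folder before changing anything.
    for f in "$incidents_dir"/*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$backup_dir"/ || return 1
    done

    # Step 4: change only the trailing .bad to .idc; any earlier ".idc"
    # inside the file name is left untouched.
    for f in "$incidents_dir"/*.bad; do
        [ -f "$f" ] || continue          # glob matched nothing
        target=${f%.bad}.idc
        if [ -e "$target" ]; then        # never overwrite an existing incident file
            echo "skipped (target exists): $f" >&2
            continue
        fi
        mv "$f" "$target" || return 1
        renamed=$((renamed + 1))
    done

    echo "$renamed"
}
```

Files reported as skipped already have an .idc file with the same name and should be compared against the backup copy by hand rather than overwritten.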