Error: "Error 1802: Corrupted incident received"


Article ID: 160656


Updated On:


Data Loss Prevention Endpoint Prevent Data Loss Prevention Network Monitor Data Loss Prevention Network Prevent for Email Data Loss Prevention for Mobile Data Loss Prevention Enforce Data Loss Prevention Network Discover Data Loss Prevention Network Prevent for Web Data Loss Prevention for Tablets Data Loss Prevention Endpoint Discover


The Symantec Data Loss Prevention (DLP) Enforce server is showing  "Error 1802: Corrupted incident received" under Recent Events.

  1. Log onto your Enforce Console
  2. Go to System > Servers and Detectors > Overview
  3. Click on your Enforce Server
  4. Under All recent Events you will see the following error listed:


Error 1802: Corrupted incident received


Incidents are becoming corrupted due to insufficient space in the tablespace DLP uses to store incident data:

  • When the system is unable to extend the tablespace, the DLP Incident Persister renames the incident files that could not be stored in Oracle to a .bad extension 
  • The files are saved in the following location:
    • 15.5: C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\incidents (Windows)
    • 15.1: C:\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\incidents (Windows)
    • 14.x: \SymantecDLP\Protect\incidents (Windows)
    • 14.x: /opt/Vontu/Protect/incidents (Linux) or /var/SymantecDLP/incidents


  1. Extend the tablespace:
  2. Once you have resolved the tablespace issue, you can rename the .bad files to .idc files, and the system will then store them in Oracle normally. 
    1. Open a command prompt as Administrator
    2. cd to the incidents folder on Enforce:
      • \SymantecDLP\Protect\incidents (Windows)
      • /opt/Vontu/Protect/incidents (Linux) or /var/SymantecDLP/incidents
    3. As a precaution backup all files in the incident folder to another location.
    4. Rename the files from .bad to .idc.
      • Here is an example of the files, be sure to only rename the .bad to .idc.
        • Before: l1508521889832.idc_1506531432885.idc.1510146362333.bad

        • After: l1508521889832.idc_1506531432885.idc.1510146362333.idc

        • You can run the following command to rename all the files at once:

          •  rename *.bad *.idc

    5. Enforce should then begin to process the incident file.

Note: If you see incidents from some detection servers that are being stored normally, the cause is unrelated to a tablespace issue and the cause is likely due to a configuration issue on the affected detection servers.