There are bad incident files on Enforce server and ORA-02291 is seen in log

Article ID: 160752

Updated On:

Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

I see lots of *.bad incident files in the /incident folder.

The IncidentPersister log shows the following error:

<date><time> (SEVERE) Thread: 101 [com.vontu.model.ojb.OJBLogger.error] Could not prepare for commit
org.apache.ojb.broker.KeyConstraintViolatedException: 
* SQLException during execution of sql-statement:
* sql statement was 'INSERT INTO Incident (incidentID,messageID,policyID,policyVersion,incidentStatusID,violationCount,detectionDate,policyGroupID,customAttributesRecordID,isDeleted
<etc>)
VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) '
* Exception message is [ORA-02291: integrity constraint (PROTECT.INCIDENT_FK1) violated - parent key not found
]
* Vendor error code [2291]
* SQL state code [23000=INTEGRITY CONSTRAINT VIOLATION]
* Target class is 'com.vontu.model.data.ojb.IncidentImpl'
* PK of the target object is [incidentIDRef=1001001]
* Source object: incidentID: 1001001, messageID: 0001001, policyID: 123, policy: policyID: 123, version: null, name: null, description: null, label: null <etc>

 

Cause

This usually happens when a policy has been deleted from Enforce but the Detection Server still tries to upload an incident that was created with the deleted policy.

This is possible for Endpoint incidents, as not every Endpoint Agent may have received the notification that the policy has been disabled.

The Incident Persister does not find the parent key (the policyID) in Oracle and therefore cannot insert the incident into the database.

Resolution

The policy ID for these incidents is recorded in the log excerpt above:

policyID: 123

You can run the following query in sqlplus to confirm that the policy with that policyid no longer exists, substituting the ID found in your logs:

sqlplus /nolog

connect <protect-account>
[enter password]

Select policyid, version, name, description, isdeleted, to_char(createdate, 'DD-MON-YYYY HH24:MI:SS') From policy Where policyid=123;

 

The output should be similar to this:

SQL> Select policyid, version, name, description, isdeleted, to_char(createdate, 'DD-MON-YYYY HH24:MI:SS') From policy Where policyid=123;

  POLICYID    VERSION
---------- ----------
NAME
------------------------------------------------------------
DESCRIPTION
--------------------------------------------------------------------------------
 ISDELETED TO_CHAR(CREATEDATE,'DD-MON-YY
---------- -----------------------------
         1          6
Detect_Secret
Looking for Confidential Keywords
         1 20-MAR-2020 18:37:09

 

Once you confirm the policy has been deleted, you may just remove the bad incident files, as they cannot be written to the Oracle DB.
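
When the log holds many of these errors, the policy IDs can be collected in one pass instead of being read off entry by entry. The following is an added example, not part of the original article or the product: it groups the INCIDENT_FK1 failures in IncidentPersister log text by policyID and emits the query above once per ID. The timestamp format, the sample entries and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: layout follows the excerpt above; timestamps, the later
# entries and their IDs are invented for this example.
SAMPLE_LOG = """\
21 Mar 2020 10:15:02 (SEVERE) Thread: 101 [com.vontu.model.ojb.OJBLogger.error] Could not prepare for commit
org.apache.ojb.broker.KeyConstraintViolatedException:
* Exception message is [ORA-02291: integrity constraint (PROTECT.INCIDENT_FK1) violated - parent key not found
]
* Source object: incidentID: 1001001, messageID: 0001001, policyID: 123, policy: policyID: 123, version: null
21 Mar 2020 10:15:09 (SEVERE) Thread: 101 [com.vontu.model.ojb.OJBLogger.error] Could not prepare for commit
* Exception message is [ORA-02291: integrity constraint (PROTECT.INCIDENT_FK1) violated - parent key not found
* Source object: incidentID: 1001002, messageID: 0001002, policyID: 123, policy: policyID: 123, version: null
21 Mar 2020 10:16:40 (INFO) Thread: 101 [constructed.Logger] Unrelated entry mentioning policyID: 999
21 Mar 2020 10:17:00 (SEVERE) Thread: 102 [com.vontu.model.ojb.OJBLogger.error] Could not prepare for commit
* Exception message is [ORA-02291: integrity constraint (PROTECT.INCIDENT_FK1) violated - parent key not found
* Source object: incidentID: 1001007, messageID: 0001007, policyID: 77, policy: policyID: 77, version: null
"""

# An entry starts on a line carrying "(LEVEL) Thread: N"; the rest belongs to it.
ENTRY_START = re.compile(r"(?m)^(?=.*\([A-Z]+\) Thread: \d+)")
FK_ERROR = re.compile(r"ORA-02291: integrity constraint \((?:\w+\.)?INCIDENT_FK1\) violated")
SOURCE = re.compile(r"Source object: incidentID: (\d+),.*?\bpolicyID: (\d+)")

def orphaned_incidents(log_text):
    """Map policyID -> incident IDs rejected by INCIDENT_FK1 (key None: no Source object line)."""
    by_policy = defaultdict(list)
    for entry in ENTRY_START.split(log_text):
        if not FK_ERROR.search(entry):
            continue  # other log levels and other errors are ignored
        src = SOURCE.search(entry)
        if src:
            by_policy[int(src.group(2))].append(src.group(1))
        else:  # truncated entry: keep its first line so it can be located
            by_policy[None].append(entry.splitlines()[0])
    return dict(by_policy)

def policy_queries(by_policy):
    """The article's sqlplus query, once per policy ID seen in the log."""
    return ["Select policyid, version, name, description, isdeleted, "
            "to_char(createdate, 'DD-MON-YYYY HH24:MI:SS') "
            f"From policy Where policyid={pid};"
            for pid in sorted(p for p in by_policy if p is not None)]

if __name__ == "__main__":
    found = orphaned_incidents(SAMPLE_LOG)
    print({pid: len(ids) for pid, ids in found.items()})
    print("\n".join(policy_queries(found)))
```

Incident IDs are kept as strings exactly as logged; only the policyID is converted to an integer before it is placed in the query text.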