
There are bad incident files on Enforce server and ORA-02291 is seen in log


Article ID: 160752




Data Loss Prevention Enforce Data Loss Prevention


I see lots of *.bad incident files in the /incident folder.

The IncidentPersister log shows the following error:

<date><time> (SEVERE) Thread: 101 [com.vontu.model.ojb.OJBLogger.error] Could not prepare for commit 
* SQLException during execution of sql-statement:
* sql statement was 'INSERT INTO Incident (incidentID,messageID,policyID,policyVersion,incidentStatusID,violationCount,detectionDate,policyGroupID,customAttributesRecordID,isDeleted
VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) '
* Exception message is [ORA-02291: integrity constraint (PROTECT.INCIDENT_FK1) violated - parent key not found
* Vendor error code [2291]
* Target class is ''
* PK of the target object is [incidentIDRef=1001001]
* Source object: incidentID: 1001001, messageID: 0001001, policyID: 123, policy: policyID: 123, version: null, name: null, description: null, label: null <etc>



This usually happens when a policy has been deleted from Enforce but the Detection Server still tries to upload an incident that was created with the deleted policy.

This is possible for Endpoint incidents, as not every Endpoint Agent may have received the notification that the policy has been disabled.

The Incident Persister does not find the parent key (the policyID) in Oracle and therefore cannot insert the incident into the database.


The policy ID for these incidents is recorded in the log excerpt above:

policyID: 123

You can run the following query in sqlplus to confirm that the policy with that policyid no longer exists, substituting the ID found in your logs:

sqlplus /nolog

connect <protect-account>
[enter password]

Select policyid, version,  name, description, isdeleted, to_char(createdate, 'DD-MON-YYYY HH24:MI:SS') From policy Where policyid=123;


The output should be similar to this:

SQL> Select policyid, version, name, description, isdeleted, to_char(createdate, 'DD-MON-YYYY HH24:MI:SS') From policy Where policyid=123;

---------- ----------
---------- -----------------------------
         1          6
Looking for Confidential Keywords
         1 20-MAR-2020 18:37:09


Once you confirm the policy has been deleted, you may just remove the bad incident files, as they cannot be written to the Oracle database.
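When the log holds many of these errors, the policy IDs can be collected in one pass before running the query. The script below is an added example, not part of the original article or the product: it scans IncidentPersister log text for ORA-02291 / INCIDENT_FK1 entries, groups the rejected incident IDs by policyID, and builds the lookup query for all of them. The sample log, its timestamp format, the log levels other than SEVERE, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the excerpt above; timestamps and IDs are made up.
SAMPLE_LOG = """\
2020-03-21 10:15:02 (SEVERE) Thread: 101 [com.vontu.model.ojb.OJBLogger.error] Could not prepare for commit
* SQLException during execution of sql-statement:
* Exception message is [ORA-02291: integrity constraint (PROTECT.INCIDENT_FK1) violated - parent key not found
* Source object: incidentID: 1001001, messageID: 0001001, policyID: 123, policy: policyID: 123, version: null
2020-03-21 10:15:04 (INFO) Thread: 101 [com.example.Other] Unrelated message
* Source object: incidentID: 5, messageID: 6, policyID: 999
2020-03-21 10:15:09 (SEVERE) Thread: 102 [com.vontu.model.ojb.OJBLogger.error] Could not prepare for commit
* Exception message is [ORA-02291: integrity constraint (PROTECT.INCIDENT_FK1) violated - parent key not found
* Source object: incidentID: 1001002, messageID: 0001002, policyID: 123, policy: policyID: 123
2020-03-21 10:16:30 (SEVERE) Thread: 103 [com.vontu.model.ojb.OJBLogger.error] Could not prepare for commit
* Exception message is [ORA-02291: integrity constraint (PROTECT.INCIDENT_FK1) violated - parent key not found
* Source object: incidentID: 1001003, messageID: 0001003, policyID: 456, policy: policyID: 456
"""

# Assumption: every log entry starts with a "(LEVEL) Thread:" header line.
ENTRY_START = re.compile(r"\((?:SEVERE|WARNING|INFO|FINE)\) Thread:")
SOURCE = re.compile(r"Source object: incidentID: (\d+),.*?\bpolicyID: (\d+)")

def orphaned_policy_ids(log_text):
    """Map policyID -> incident IDs rejected with ORA-02291 on INCIDENT_FK1."""
    hits = defaultdict(list)
    fk_error = False
    for line in log_text.splitlines():
        if ENTRY_START.search(line):
            fk_error = False          # new entry: forget the previous one
        elif "ORA-02291" in line and "INCIDENT_FK1" in line:
            fk_error = True           # the Source object line of this entry matters
        elif fk_error:
            m = SOURCE.search(line)
            if m:
                hits[int(m.group(2))].append(int(m.group(1)))
    return dict(hits)

def policy_check_sql(policy_ids):
    """Build the article's policy lookup for all IDs (cast to int before inlining)."""
    ids = ", ".join(str(int(p)) for p in sorted(policy_ids))
    return ("Select policyid, version, name, description, isdeleted, "
            "to_char(createdate, 'DD-MON-YYYY HH24:MI:SS') "
            f"From policy Where policyid in ({ids});")

if __name__ == "__main__":
    found = orphaned_policy_ids(SAMPLE_LOG)
    print(found)
    print(policy_check_sql(found))
```

Only remove the .bad files whose policy the query confirms as deleted; an ID that still resolves to a live policy points to a different cause.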