There are bad incident files on Enforce server and ORA-02291 is seen in log

book

Article ID: 160752

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

I see lots of .bad incident files in the /Vontu/Protect/incident folder. The IncidentPersister log, shows following error:

 

QLException during execution of sql-statement:
INFO   | jvm 1    | 2011/05/26 09:32:29 | * sql statement was 'INSERT INTO Incident (incidentID,messageID,policyID,policyVersion,incidentStatusID,violationCount,detectionDate,domainID,customAttributesRecordID,isDeleted,blockedStatus,incidentSeverityID,messageType,discoverItemID,discoverMillisSinceFirstSeen,creationDate) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) '
INFO   | jvm 1    | 2011/05/26 09:32:29 | * Exception message is [ORA-02291: integrity constraint (PROTECT.INCIDENT_FK1) violated - parent key not found

Resolution

This usually happens after deleting a policy from Enforce, but the Detection Server still tries to upload an incident created with the deleted policy. This is possible for Endpoint incidents, as not every Endpoint Agent may have received the notification that the policy has been disabled. The Incident Persister does not find the parent key (policyid) from Oracle and therefore cannot insert the incident to the database.

 

You can run the following query in sqlplus to confirm the policy no longer exists with the policyid. (sqlplus /nolog)  (connect [email protected]

 

"Select policyid, version,  name, description, isdeleted, to_char(createdate, 'DD-MON-YYYY HH24:MI:SS') From policy Where policyid= "

 

Once you confirm the policy has been deleted, you may just remove the bad incidents file as they cannot be written to Oracle DB.