Discrepancy in the number of incidents in System>Traffic page and Incidents List page on Enforce Server


Article ID: 160764


Products

Data Loss Prevention Enforce

Issue/Introduction

There is a mismatch between the number of incidents displayed on the System>Traffic page and the number shown on the Incidents List page for the same Detection Server and time period.

Observation: Open the System>Traffic page and set a time filter (Yesterday, Last 7 days, etc.).

Note the number of incidents reported for a particular Detection Server.

Go to the Incident List page, filter by the same time period (Yesterday, Last 7 days) and by the same Detection Server. Compare the number of incidents listed with the number shown on the System>Traffic page.

For example: for Detection Server X, the System>Traffic page shows 20,000 incidents for the Last 7 days.

For the same Detection Server X and the same period, the Incidents List page shows 15,000 incidents (a discrepancy of 5,000 incidents).

Applies to: DLP 11.x, 11.5.x, 11.6.x, 12.0

Resolution

The number of incidents shown on the System>Traffic page of the Enforce Server is the count reported by the Detection Server for the incidents it generated. The count shown on the Incident List page is the number of incidents the Vontu Manager service reads from the Oracle database, that is, only the incidents that were actually persisted.

Steps to troubleshoot:

1. Check for any .idc files in the \incidents folder on the Detection Server. On an Endpoint Server, check for .idc files under aggregator_temp_incident_data. These are the incident files the Detection Server writes; files that remain in the folder have not yet been picked up and persisted.

2. Alternatively, run Process Monitor (procmon) on the Detection Server with a filter on the .idc extension to see how many .idc files are created during the period.

3. Run a database query to count the incidents persisted in the database for that Detection Server ID and time period (refer to KB 54022 for the SQL queries).

4. The count returned by the query should match the number of incidents shown on the Incident List page. The difference between this count and the number of .idc files (or the System>Traffic count) is the number of incidents that were generated but never persisted.
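The following script is an added example and is not part of this article or of the DLP product; it automates steps 1 and 4 of the procedure above. It counts the .idc files written in a reporting window (walking subfolders, so passing the Endpoint Server's parent folder also covers aggregator_temp_incident_data) and reports where the three figures (System>Traffic, .idc files, persisted rows) diverge. The incident folder, the file names and the counts 20,000 / 15,000 are constructed for the demonstration; the database count is supplied by hand because the SQL comes from KB 54022, not from this script.

```python
"""Compare the Detection Server's .idc incident files with the persisted count.

Added example (not Symantec/Broadcom code). Assumes one .idc file per incident
and that the file modification time is close to the detection time.
"""
import os
import tempfile
import time
from datetime import datetime, timedelta
from pathlib import Path


def last_n_days_window(days, now=None):
    """Return (start, end) datetimes covering the last `days` days up to `now`."""
    now = now or datetime.now()
    return now - timedelta(days=days), now


def count_idc_files(folders, start, end):
    """Count *.idc files under the given folders with mtime in [start, end).

    Subfolders are walked, so an Endpoint Server's aggregator_temp_incident_data
    is included when its parent \incidents folder is passed.
    """
    total = 0
    for folder in folders:
        for path in Path(folder).rglob("*.idc"):
            mtime = datetime.fromtimestamp(path.stat().st_mtime)
            if start <= mtime < end:
                total += 1
    return total


def compare_counts(traffic_count, idc_count, persisted_count):
    """Describe where the three figures for one Detection Server diverge.

    traffic_count   - System>Traffic figure for the server and window
    idc_count       - .idc files the Detection Server wrote in the window
    persisted_count - rows returned by the KB 54022 query (Incident List count)
    """
    return {
        "traffic_vs_idc": traffic_count - idc_count,
        "idc_vs_persisted": idc_count - persisted_count,
        "traffic_vs_persisted": traffic_count - persisted_count,
        # True when incidents were generated but never reached the database
        "not_persisted": idc_count - persisted_count > 0,
    }


def build_sample_incident_folder(num_recent, num_old, window_days=7):
    """Create a constructed \incidents folder: num_recent .idc files inside the
    last `window_days` days, num_old files older than that, plus one non-.idc file."""
    folder = Path(tempfile.mkdtemp(prefix="incidents_"))
    now = time.time()
    for i in range(num_recent):
        p = folder / f"recent_{i}.idc"
        p.write_bytes(b"")
        stamp = now - 3600 * (i + 1)            # i+1 hours ago
        os.utime(p, (stamp, stamp))
    old_dir = folder / "aggregator_temp_incident_data"
    old_dir.mkdir()
    for i in range(num_old):
        p = old_dir / f"old_{i}.idc"
        p.write_bytes(b"")
        stamp = now - (window_days + 1 + i) * 86400  # outside the window
        os.utime(p, (stamp, stamp))
    (folder / "notes.txt").write_text("not an incident file")
    return folder


if __name__ == "__main__":
    folder = build_sample_incident_folder(num_recent=5, num_old=3)
    start, end = last_n_days_window(7)
    idc = count_idc_files([folder], start, end)
    print(f".idc files in the last 7 days: {idc}")
    # Constructed figures mirroring the article's 20,000 vs 15,000 example
    print(compare_counts(traffic_count=20000, idc_count=20000, persisted_count=15000))
```

Run it on the Detection Server with the real \incidents path in place of the constructed folder and the persisted count from the KB 54022 query; a positive `idc_vs_persisted` value is the number of incidents the server generated that never reached the database.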

Cause: The primary cause of the discrepancy is policy changes. The Detection Server reports to the Enforce Server the incidents it generated against the policy as it stood at detection time, and these are counted on the System>Traffic page. If that policy is deleted, modified or updated before the incidents are processed, the incidents no longer match a current policy and are not persisted in the database, so they never appear on the Incident List page. Whenever a policy is changed in this way, the two counts will differ by the number of incidents that were dropped.