Enforce Shows System Event Code 1818 - "Incident is oversized"
Article ID: 161913

Updated On:

Products

Data Loss Prevention, Data Loss Prevention Enforce

Issue/Introduction

The Enforce GUI displays System Event Code 1818: Incident is oversized, has been persisted with a limited number of components and/or violations.

========================

Example - System Overview

========================

Warning         4/15/15 2:28 AM         Enforce Server         127.0.0.1         1818         Incident is oversized, has been persisted with a limited number of components and/or violations

 

==========================

Example - Server Event Details

==========================

General

Type:         Warning                 Time:         Apr 15, 2015 2:28:37 AM

Server:         Enforce Server                 Host:         127.0.0.1

 

Message

Code:         1818

Summary:         Incident is oversized, has been persisted with a limited number of components and/or violations

Detail:         Incident is oversized, has been partially persisted with messageID 40701, Incident File Name l1429063214350.idc_1429063000017.idc

 

============================

Example - IncidentPersister_0.log

============================

Apr 15, 2015 2:28:26 AM (SEVERE) Thread: 1630 [com.vontu.incidenthandler.message.persist.convert.v12.MessageComponentProcessor.createComponentsAndIncidents] Violations beyond 500 have been discarded for incident ID: 1166 per max.violation.per.message property value

Apr 15, 2015 2:28:37 AM (SEVERE) Thread: 1630 [com.vontu.incidenthandler.message.persist.IncidentPersistingThread.cleanupIncidentFile] Over 

Cause

A very large incident file with a high volume of message components and/or violations (matches) was presented to Enforce. Large incident files are persisted into the Oracle database with only a limited number of violations and components; the rest of the violations and components are discarded (not persisted in the database).

 

This is intended functionality and is working as designed.

 

The IncidentPersister in v11.x could not process these large incident files, so the incident was discarded entirely. In some cases, encountering large incident files in v11.x would also cause Java Virtual Machine (JVM) out-of-memory errors due to the max heap size of 1.5 GB (32-bit address limitation).

 

DLP v11.6 introduced a more scalable IncidentPersister mechanism to handle very large incidents gracefully. This change improved system performance and allowed incidents to be persisted to the Oracle database while retaining only partial information.

Resolution

The following options in IncidentPersister.properties can be changed to adjust the incident thresholds.

 

# max.component.per.message is the maximum number of message components in an incident.

# The default value for max.component.per.message = 1000

max.component.per.message = 1000

 

(Disclaimer: Changing the incident thresholds beyond the default values will require additional processing and resources which will affect performance accordingly.)
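Before raising a threshold, it helps to know which incidents were actually capped. The following Python is an added example (not vendor code) that scans IncidentPersister log lines for the discard message shown in the log excerpt above; the function name is hypothetical and the sample lines are constructed in the format of that excerpt.

```python
import re
from datetime import datetime

# Line layout taken from the IncidentPersister_0.log excerpt in this article:
#   <timestamp> (<LEVEL>) Thread: <id> [<class.method>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"\((?P<level>\w+)\) Thread: (?P<thread>\d+) "
    r"\[(?P<source>[^\]]+)\] (?P<msg>.*)$"
)
# Discard message as it appears in the article's log excerpt.
DISCARD_RE = re.compile(
    r"Violations beyond (?P<limit>\d+) have been discarded for "
    r"incident ID: (?P<incident>\d+) per (?P<prop>[\w.]+) property value"
)

def find_truncated_incidents(lines):
    """Return one record per log line reporting capped violations."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, stack traces, cut-off lines
        d = DISCARD_RE.search(m["msg"])
        if not d:
            continue  # well-formed line, but not a discard message
        hits.append({
            "time": datetime.strptime(m["ts"], "%b %d, %Y %I:%M:%S %p"),
            "incident_id": int(d["incident"]),
            "limit": int(d["limit"]),
            "property": d["prop"],
        })
    return hits

# Constructed sample input; the third line (incident 1201) is made up.
SAMPLE_LOG = """\
Apr 15, 2015 2:28:26 AM (SEVERE) Thread: 1630 [com.vontu.incidenthandler.message.persist.convert.v12.MessageComponentProcessor.createComponentsAndIncidents] Violations beyond 500 have been discarded for incident ID: 1166 per max.violation.per.message property value
Apr 15, 2015 2:28:37 AM (SEVERE) Thread: 1630 [com.vontu.incidenthandler.message.persist.IncidentPersistingThread.cleanupIncidentFile] Over
Apr 16, 2015 11:02:05 PM (SEVERE) Thread: 1712 [com.vontu.incidenthandler.message.persist.convert.v12.MessageComponentProcessor.createComponentsAndIncidents] Violations beyond 500 have been discarded for incident ID: 1201 per max.violation.per.message property value
""".splitlines()

if __name__ == "__main__":
    for hit in find_truncated_incidents(SAMPLE_LOG):
        print(f"{hit['time']:%Y-%m-%d %H:%M:%S} incident {hit['incident_id']} "
              f"capped at {hit['limit']} ({hit['property']})")
```

The returned incident IDs identify which incidents in Enforce hold only partial violation data.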