Enforce Shows System Event Code 1818 - "Incident is oversized"
search cancel

Enforce Shows System Event Code 1818 - "Incident is oversized"

book

Article ID: 161913

calendar_today

Updated On:

Products

Data Loss Prevention Data Loss Prevention Enforce

Issue/Introduction

Enforce GUI displays System Event Code 1818: Incident is oversized, has been persisted with a limited number of components and/or violations.

========================

Example - System Overview

========================

Warning         4/15/15 2:28 AM         Enforce Server         127.0.0.1         1818         Incident is oversized, has been persisted with a limited number of components and/or violations

 

==========================

Example - Server Event Details

==========================

General

Type:         Warning                 Time:         Apr 15, 2015 2:28:37 AM

Server:         Enforce Server                 Host:         127.0.0.1

 

Message

Code:         1818

Summary:         Incident is oversized, has been persisted with a limited number of components and/or violations

Detail:         Incident is oversized, has been partially persisted with messageID 40701, Incident File Name l1429063214350.idc_1429063000017.idc

 

============================

Example - IncidentPersister_0.log

============================

Apr 15, 2015 2:28:26 AM (SEVERE) Thread: 1630 [com.vontu.incidenthandler.message.persist.convert.v12.MessageComponentProcessor.createComponentsAndIncidents] Violations beyond 500 have been discarded for incident ID: 1166 per max.violation.per.message property value

Apr 15, 2015 2:28:37 AM (SEVERE) Thread: 1630 [com.vontu.incidenthandler.message.persist.IncidentPersistingThread.cleanupIncidentFile] Over 

Cause

A very large incident file with a high volume of message components and/or violations (matches) was presented to Enforce.  Large incident files will be persisted with only a limited numbers of violations and components into the Oracle Database; the rest of the violations and components will be discarded (not persisted in Database).

 

This is intended functionality and is working as designed.

Resolution

The following options can be changed in IncidentPersister.properties to adjust the incident thresholds, respectively. 

 

# max.component.per.message is the maximum number of message components in an incident.

# The default value for max.component.per.message = 1000

max.component.per.message = 1000

 

(Disclaimer: Changing the incident thresholds beyond the default values will require additional processing and resources which will affect performance accordingly.)

Powered by Wolken Software