Incidents are stuck in the queue on the DLP Enforce server


Article ID: 172590

Updated On:

Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

The Enforce console shows incidents that appear to be stuck in the queue, and the count never drops below the reported number (which may vary).

Resolution

The incident directory shows that idc files are processing normally.
There are no .bad files in the incident directory.

From sqlplus, run "select count(*) from incident where incidentstatusid is null;".
The output should match the backlog count (or be close to it); a match also confirms that there are incidents stuck in stage 2+.
In this instance, the query returned no incidents.
So the stuck incidents are a false indication.

Rebooting the Enforce Server cleared the stuck incidents.

Sometimes just restarting the Incident Persister service will clear the false stuck incidents.

NOTE:
Do the following to use sqlplus to run the query above:

On the Enforce Server, navigate to the [SymantecDLP Install directory]\protect\scripts directory
Open an Administrator Command Prompt in that directory, or a root-privileged shell window on Linux.
Connect to sqlplus:
sqlplus /nolog
conn protect/password@protect
(If you have changed your service name, use your service name and password in place of "password@protect")
Then run the select query above.