DLP Cloud Detector incident queue stays at 1000 in Enforce console

Article ID: 206005

Products

  • Data Loss Prevention Cloud Detection Service for REST
  • Data Loss Prevention Cloud Detection Service for ICAP
  • Data Loss Prevention Cloud Detection Service
  • Data Loss Prevention Cloud Package

Issue/Introduction

In the Enforce management console, the Incident Queue for your Cloud Detector is stuck at 1000 and does not appear to change.

  • You are not seeing a high volume of incidents from this Detector, and you do not believe any of your DLP policies would generate the backlog you are seeing.
  • You want to know whether there is a backend issue with the Detector.

Environment

Release : 15.x

Component : Cloud Detection Server

Cause

The DLP Cloud Service is a hosted service that integrates with the Enforce console, which is itself installed and managed on-premises.

In contrast to on-prem Detection Servers, the Incident Queue for a Cloud Detector currently reports a maximum of 1000 incidents queued.

The size of the backlog depends on how many incidents have been created on the Detector, but also on the speed of the Enforce server's internet connection to the Cloud Service Gateway and on the resources available to the Enforce DLP services that process incidents. The console value therefore tells you only that at least 1000 incidents are waiting, not how many.

Resolution

  • The Incident Queue will remain at 1000 for as long as more than 1000 incidents remain on the Detector.
  • That number can only fall once the rate at which new incidents are created drops below the rate at which incidents can be shipped to Enforce.
  • To verify how many backlogged incidents were generated recently, versus how many have recently shipped to Enforce, open a case with Technical Support.
  • To reduce the chance of this recurring, policies that create high volumes of incidents may need to be tuned to eliminate false positives and duplicate incidents (multiple incidents triggered by a single event, such as one file upload or one email message).
  • You can also increase the memory allocation of specific Enforce services, such as SymantecDLPDetectionServerController and SymantecDLPIncidentPersister. For details, see this article: Monitor Controller performance issues after adding new Detection Servers (broadcom.com)
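The following is an added illustration, not code from this article or from the DLP product: a small model of a queue whose console reading is capped at 1000. It shows why the displayed value stays pinned while the true backlog is larger, why it only starts to fall once the incident creation rate drops below the shipping rate, and how to estimate how long the backlog will take to drain once it does. The per-interval incident counts and the shipping capacity are constructed sample values, and the cap is the only figure taken from the article.

```python
"""Model of a capped incident-queue display (added illustration, not the
product's implementation). The real Cloud Detector reports at most 1000
queued incidents in the Enforce console; everything else here is an
assumption used to show the behaviour described in the article.
"""
from dataclasses import dataclass

# Maximum value the Enforce console shows for a Cloud Detector (from the article).
DISPLAY_CAP = 1000


@dataclass
class Interval:
    true_backlog: int   # incidents still waiting on the detector (not visible in the console)
    displayed: int      # what the console shows: min(true_backlog, DISPLAY_CAP)


def simulate(arrivals, ship_capacity, start_backlog=0, cap=DISPLAY_CAP):
    """Replay a sequence of per-interval incident counts.

    arrivals:      new incidents created on the detector in each interval
    ship_capacity: incidents that can be shipped to Enforce per interval
                   (bounded by link speed to the Cloud Service Gateway and by
                   the resources of the Enforce services that persist incidents)
    Returns one Interval per element of `arrivals`.
    """
    backlog = start_backlog
    history = []
    for created in arrivals:
        backlog += created
        backlog -= min(backlog, ship_capacity)      # ship as many as capacity allows
        history.append(Interval(backlog, min(backlog, cap)))
    return history


def intervals_pinned(history, cap=DISPLAY_CAP):
    """Count how many intervals the console would have shown the cap value."""
    return sum(1 for h in history if h.displayed == cap)


def estimate_drain_intervals(backlog, arrival_rate, ship_capacity):
    """Intervals until the backlog clears, or None if it never will.

    The backlog (and so the displayed value) can only shrink when
    arrival_rate < ship_capacity, which is the condition the article states.
    """
    net = ship_capacity - arrival_rate
    if net <= 0:
        return None
    return -(-backlog // net)   # ceiling division


if __name__ == "__main__":
    # Constructed sample: a noisy policy fires 500 incidents per interval for
    # four intervals, then is tuned down to 50; Enforce can ship 100 per interval.
    sample_arrivals = [500] * 4 + [50] * 10
    hist = simulate(sample_arrivals, ship_capacity=100)
    for i, h in enumerate(hist, 1):
        print(f"interval {i:2d}: console={h.displayed:5d}  true backlog={h.true_backlog:5d}")
    print("intervals pinned at cap:", intervals_pinned(hist))
    print("intervals to drain after tuning:",
          estimate_drain_intervals(hist[-1].true_backlog, 50, 100))
```

In the sample run the console hits 1000 in the third interval and is still showing 1000 ten intervals after the policy was tuned, even though the true backlog has been falling the whole time; only the net shipping rate tells you how long the remaining 1100 incidents will take to clear.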

Additional Information

Customers on DLP 15.8 MP2 or earlier should also see the following KB: Incidents from the DLP Cloud Service are stuck in queue (broadcom.com).