Agents send duplicate incidents

book

Article ID: 207649

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Suite

Issue/Introduction

You observe that agents send duplicate incidents.

In the IncidentPersister_(n) logs you see the following warning while persisting an incident that is a duplicate of one that has already been recevied.

(SEVERE) Thread: 96 [com.vontu.model.ojb.OJBLogger.error] Error while commit objects, do abort tx [email protected]
* SQLException during execution of sql-statement:
* sql statement was 'INSERT INTO Message (messageID,messageOriginatorID,messageSource,monitorID,monitorChannelType,messageDate ...
* Exception message is [ORA-00001: unique constraint (PROTECT.MESSAGE_U) violated]
 
The above warning is a safeguard that is working as designed to prevent a duplicate incident from the same endpoint discover scan from being persisted to the database.

Cause

This issue may occur under the following conditions:

  • The Agent Advanced setting CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS.int is lower than the EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int
  • The policy being used to detect the file is configured to retain the endpoint original message.
  • The file being detected is large enough to exceed the CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS.int when being streamed by the agent to its Endpoint Server.

Environment

DLP 15.x

Resolution

To prevent this issue from occurring:

  1. Navigate to System -> Agents -> Agent Configuration -> Advanced Settings
  2. Ensure that the EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int (default of 270) setting is lower than the CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS.int (default 300) setting.
 

Additional Information

See also: Key DLP agent and Endpoint Server communications settings