Incidents are queued and you cannot see response rules firing as expected


Article ID: 248562


Products

Data Loss Prevention Core Package, Data Loss Prevention Enforce

Issue/Introduction

You cannot see recent incidents in the Enforce Server web console, and response rules such as Send to Syslog do not appear to be firing.

If you test with emails, they are blocked, but you do not see that incident in the console.

Environment

Release : 15.8


Cause

The cause varies, but incident queueing can occur for issues related to "post-processing" (response rules like Email Notifications, Send to Syslog, etc.) in the Oracle Database.

Resolution

If your Enforce Server is queuing incidents, check first to see if you are out of tablespace. If so, see the following KBs:

Incidents are not available in the Enforce console (broadcom.com)

What is a .bad file? (broadcom.com)
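One way to run the tablespace check described above, as an added example that is not taken from the Broadcom KB articles: the query reports usage per tablespace against its real ceiling, counting autoextend headroom. It assumes a session with SELECT access to the Oracle DBA_* views; the tablespace names returned depend on your installation.

```sql
-- Added example: per-tablespace usage measured against the autoextend ceiling.
-- Assumption: run as a user with SELECT on DBA_DATA_FILES and DBA_FREE_SPACE.
-- Temporary tablespaces are not listed in DBA_DATA_FILES and are not covered.
WITH files AS (
    SELECT tablespace_name,
           SUM(bytes) AS allocated_bytes,
           -- For an autoextensible file the ceiling is MAXBYTES, not BYTES.
           SUM(CASE WHEN autoextensible = 'YES' AND maxbytes > bytes
                    THEN maxbytes
                    ELSE bytes
               END) AS max_bytes
    FROM   dba_data_files
    GROUP  BY tablespace_name
),
free AS (
    SELECT tablespace_name,
           SUM(bytes) AS free_bytes
    FROM   dba_free_space
    GROUP  BY tablespace_name
)
SELECT f.tablespace_name,
       ROUND(f.allocated_bytes / 1048576) AS allocated_mb,
       ROUND((f.allocated_bytes - NVL(fr.free_bytes, 0)) / 1048576) AS used_mb,
       ROUND(f.max_bytes / 1048576) AS max_mb,
       ROUND(100 * (f.allocated_bytes - NVL(fr.free_bytes, 0)) / f.max_bytes, 1)
           AS pct_of_max
FROM   files f
-- A completely full tablespace has no row in DBA_FREE_SPACE, so keep it
-- with a LEFT JOIN and treat its free space as zero.
LEFT   JOIN free fr
       ON fr.tablespace_name = f.tablespace_name
ORDER  BY pct_of_max DESC;
```

A tablespace whose pct_of_max is at or near 100 has no room left to grow, which is the out-of-tablespace condition this step checks for.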

 

If those issues do not apply, and your Incident queue continues to build, try stopping services in order on your Enforce Server:

Restart DLP Enforce services in the correct order (broadcom.com)

After DLP services have been stopped, restart the services on your Oracle Database.

After Oracle services are restarted, restart your Enforce Server services in order and confirm whether the incident queue starts dropping.

Additional Information

If these steps do not resolve your issue, please open a case with Technical Support.