After the detection server was upgraded from 15.5 to 15.8, the incident queue began to increase.
No incidents were being processed on the detection server.
Errors in the incidentwriter log on the detection server:
WARNING: Incident queue backlogged. There are **** incidents in this server's queue.
SEVERE: Incident writer stopped. Failed to delete incident file C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\..\..\ServerPlatformCommon\15.8.00000\incidents
Release : 15.8
Component : Upgrade, Detection Server
The service user was incorrect.
The upgrade did not respect the selection of the SymantecDLP user and used the original Protect user.
Protect was the service user. SymantecDLP was the owner of the \Incidents folder.
Changed the SymantecDLPDetectionServer service user to match the owner of the \Incidents folder.
Restarted the SymantecDLPDetectionServer service on the detection server and the SymantecDLPDetectionServerController service on the Enforce server.
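
The mismatch described above can be confirmed before changing the service user. The following PowerShell check is an added example, not part of the original article or vendor tooling: it compares the logon account of the SymantecDLPDetectionServer service with the owner of the incidents folder by SID. The folder path is copied from the log line above and is an assumption for any other installation; the `Resolve-Sid` helper is hypothetical.

```powershell
# Added example. Service name and folder path come from the article above;
# adjust the path for other versions or install locations.
$ServiceName  = 'SymantecDLPDetectionServer'
$IncidentsDir = 'C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\..\..\ServerPlatformCommon\15.8.00000\incidents'

function Resolve-Sid([string]$Account) {
    # Win32_Service.StartName can be 'LocalSystem', '.\user' or 'DOMAIN\user';
    # normalise it so the SID lookup succeeds.
    if ($Account -eq 'LocalSystem') { $Account = 'NT AUTHORITY\SYSTEM' }
    if ($Account.StartsWith('.\'))  { $Account = '{0}\{1}' -f $env:COMPUTERNAME, $Account.Substring(2) }
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found on this host." }

$acl      = Get-Acl -LiteralPath $IncidentsDir
$svcSid   = Resolve-Sid $svc.StartName
$ownerSid = Resolve-Sid $acl.Owner

# ACEs that name the service account directly. Rights granted through group
# membership are not shown here and must be checked separately.
$aces = $acl.Access | Where-Object {
    try { (Resolve-Sid $_.IdentityReference.Value) -eq $svcSid } catch { $false }
}

[pscustomobject]@{
    ServiceUser   = $svc.StartName
    FolderOwner   = $acl.Owner
    OwnerMatches  = ($svcSid -eq $ownerSid)
    ServiceRights = ($aces | ForEach-Object { "$($_.AccessControlType): $($_.FileSystemRights)" }) -join '; '
}
```

In the situation described here, `ServiceUser` would show the Protect account, `FolderOwner` the SymantecDLP account, and `OwnerMatches` would be `False`.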