Detection Server Incident queue backlogged after upgrade


Article ID: 249205


Updated On:


Data Loss Prevention, Data Loss Prevention Enforce, Data Loss Prevention Enterprise Suite


After the detection server was upgraded from 15.5 to 15.8, the incident queue began to grow.

No incidents were being processed on the detection server.

The incidentwriter log on the detection server showed these errors:

WARNING: Incident queue backlogged. There are **** incidents in this server's queue.

SEVERE: Incident writer stopped. Failed to delete incident file C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\..\..\ServerPlatformCommon\15.8.00000\incidents


Release : 15.8

Component : Upgrade, Detection Server


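The detection server service was running as the wrong user.

The upgrade did not honor the selection of the SymantecDLP user and used the original Protect user instead.

As a result, Protect was the service user while SymantecDLP was the owner of the \Incidents folder, so the incident writer failed to delete incident files from it, as the log shows.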


Changed the SymantecDLPDetectionServer service user to match the owner of the \Incidents folder.

Restarted the SymantecDLPDetectionServer service on the detection server and the SymantecDLPDetectionServerController service on the Enforce server.
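
The account mismatch described above can be confirmed on the detection server before or after changing the service user. This PowerShell check is an added example, not part of the original article or the vendor's tooling; the service name and folder path are taken from the article, and `Resolve-AccountSid` is a hypothetical helper name.

```powershell
# Added example: compare the detection server's service account with the owner of the incidents folder.
# Service name and folder path come from the article; adjust the path if the install location differs.
$serviceName  = 'SymantecDLPDetectionServer'
$incidentsDir = 'C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.8.00000\incidents'

function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    # Normalise the forms the Service Control Manager reports before translating to a SID.
    switch -Regex ($Account) {
        '^LocalSystem$' { $Account = 'NT AUTHORITY\SYSTEM'; break }
        '^\.\\'         { $Account = $Account -replace '^\.', $env:COMPUTERNAME; break }
    }
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier])
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service $serviceName not found on this host." }

$acl        = Get-Acl -LiteralPath $incidentsDir
$serviceSid = Resolve-AccountSid $svc.StartName
$ownerSid   = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])

# Rules that name the service account directly (group membership is not expanded here).
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $serviceSid }

[pscustomobject]@{
    ServiceAccount = $svc.StartName
    FolderOwner    = $acl.Owner
    OwnerMatches   = ($serviceSid -eq $ownerSid)
    DirectRights   = ($rules | ForEach-Object { "$($_.AccessControlType): $($_.FileSystemRights)" }) -join '; '
}

if ($serviceSid -ne $ownerSid) {
    Write-Warning "Service runs as $($svc.StartName) but $incidentsDir is owned by $($acl.Owner)."
}
```

Both accounts are compared by SID so that `.\Protect`, `HOST\Protect` and `LocalSystem` style names do not produce a false mismatch.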