Event Code 5902 on Enforce server. DLP Alerts synchronization failed. ConnectException : Connection refused: connect
search cancel

Event Code 5902 on Enforce server. DLP Alerts synchronization failed. ConnectException : Connection refused: connect

book

Article ID: 253829

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Discover

Issue/Introduction

In our Enforce Server, we are constantly getting this event.  Not able to find detail info for 5902 in the Help Center

Code 5902
Summary DLP Alerts synchronization failed
Detail DLP Alerts synchronization failed. ConnectException : Connection refused: connect

Localhost log reports the following errors:

SEVERE [com.vontu.enforcewebservices.resources.RestResource] Last attempt to synchronize latest DLP News and Alerts was unsuccessful. Please review System Events and logs for more details.
SEVERE [com.symantec.dlp.enforcedomainservices.events.system.SystemEventLogger] DLP Alerts synchronization failed. DLP Alerts synchronization failed. ConnectException : Connection refused: connect
SEVERE [org.quartz.core.JobRunShell] Job DlpAlertUpdateJobGroup.DlpAlertUpdateJob threw an unhandled Exception
Cause: com.vontu.manager.admin.dlpalert.DlpAlertSynchronizationException: Error occurred while synchronizing DLP Alerts com.vontu.manager.admin.dlpalert.DlpAlertSynchronizationException: Error occurred while synchronizing DLP Alerts
Caused by: java.net.ConnectException: Connection refused: connect

 

Environment

Release : 16.0 / 16.0 RU2

Cause

Possible causes

  • Web Proxy blocking web requests to DLP News and Alerts feed
  • Outbound 443 blocked by firewall

Resolution

In DLP version 16.0/RU1, allow Enforce access to https://onprem-content.enforce.dlp.protect.broadcom.com/xml/DLPNewsAndAlerts.xml through the web proxy or firewall

 

In DLP version 16.0RU2+, the default value is changed to "true" due to the "DLP News" feature. This change also allows you to set the "com.vontu.manager.dlp.rss.feed.link" setting to "false". 

    Please see: https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-0-2/getting-started/news-and-alerts.html

If Symantec Data Loss Prevention does not connect to the Internet, a DLP Alert Synchronization failure event is logged each day. You can prevent these events by turning off the alert synchronization.


1. Locate the file manager.properties at the path specific to your platform:


    Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.2\Protect\config\


    Linux:/opt/Symantec/DataLossPrevention/EnforceServer/16.0.2/Protect/config/


2.Locate the row com.vontu.manager.dlp.should.rss.feed.sync and update to false. 

Additional Information

This does not affect any functionality of DLP.  The News and Alerts feature is an RSS Feed that provides events and alerts about DLP that it collects from an internet location.

Enforce goes to the following URL to download alerts:

https://onprem-content.enforce.dlp.protect.broadcom.com/xml/DLPNewsAndAlerts.xml

If you can navigate to the above URL from enforce, you should be able to see alerts.

You can also verify this URL from Manager.Properties file from the config directory where DLP is installed.

com.vontu.manager.dlp.rss.feed.link = https://onprem-content.enforce.dlp.protect.broadcom.com/xml/DLPNewsAndAlerts.xml

 

 

 

Powered by Wolken Software