Email quarantine sync (Event Code 5400) occurred between scheduled sync time.
Article ID: 258295
Updated On:
Products
Data Loss Prevention Cloud Service for Email
Issue/Introduction
We have set the Email Quarantine sync period to every 5 minutes (default 15 minutes), however it appears that there are sync's occurring multiple times within the 5 minute timeframe. Is this expected behaviour?
Looking at the Enforce console Server Events with code 5400 we can see the following where the schedule from 21:57 is interrupted with another sync at 22:01 when the next sync time should be 22:02.
| 5 | 01/06/2023 22:07 | Enforce Server | 127.0.0.1 | 5400 | Email quarantine sync started |
| 5 | 01/06/2023 22:02 | Enforce Server | 127.0.0.1 | 5400 | Email quarantine sync started |
| 5 | 01/06/2023 22:01 | Enforce Server | 127.0.0.1 | 5400 | Email quarantine sync started |
| 5 | 01/06/2023 21:57 | Enforce Server | 127.0.0.1 | 5400 | Email quarantine sync started |
Environment
Release : 15.8 MP3
Cause
In tomcat localhost log at this time we have a quarantine release occurring between the syc time interval in between 21:57 between 22:02 at 22:01:
06 Jan 2023 22:01:47,188- Thread: 8251 FINE [com.symantec.dlp.emailquarantine.EmailQuarantineService] Fetching 1 - 1 of 1 messages from email quarantine
06 Jan 2023 22:01:47,188- Thread: 8251 FINE [com.symantec.dlp.emailquarantine.client.EmailQuarantineApiClientImpl] Invoking email quarantine API. Url: https://api.eu.quarantine.symantec.com/v1/mails?q={q}&filter_type={filter_type}&admin_domain={admin_domain}&include_deleted={include_deleted}&page_size={page_size}, Request parameters: {q=dlp_message_id:xxxxx-xxxxxx-xxxxxx-xxxxxxx, filter_type=DLP, admin_domain=ALL, include_deleted=no, page_size=1}
06 Jan 2023 22:01:48,341- Thread: 8251 FINE [com.symantec.dlp.emailquarantine.client.EmailQuarantineApiClientImpl] Successfully invoked email quarantine API. Response body: {"status":"SUCCESS","total":1,"start":0,"end":0,"error_code":null,"mail_list":[{"id":"xxxxx-xxxxxx-xxxxxx-xxxxxxx","metadata":{"email_date_received":1673039570228,"email_is_released":false,"dlp_message_id":"xxxxx-xxxxxx-xxxxxx-xxxxxxx"},"actions":{"release_message":true,"delete_message":true}}]}
06 Jan 2023 22:01:48,341- Thread: 8251 FINE [com.symantec.dlp.emailquarantine.EmailQuarantineService] Releasing 1 messages from email quarantine
06 Jan 2023 22:01:48,341- Thread: 8251 FINE [com.symantec.dlp.emailquarantine.client.EmailQuarantineApiClientImpl] Invoking email quarantine API. Url: https://api.eu.quarantine.symantec.com/v1/mails/release, Request body: {"options":{"encrypt":false},"mail_list":["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]}
06 Jan 2023 22:01:49,608- Thread: 8251 FINE [com.symantec.dlp.emailquarantine.client.EmailQuarantineApiClientImpl] Successfully invoked email quarantine API. Response body: {"status":"SUCCESS","error_code":null,"failed_messages":null}
06 Jan 2023 22:01:54,648- Thread: 8251 INFO [com.vontu.enforce.domainlayer.events.system.SystemEventLogger] Email quarantine sync started.
06 Jan 2023 22:01:54,681- Thread: 8251 INFO [com.symantec.dlp.emailquarantine.EmailQuarantineSyncService] Syncing email quarantine actions
...
06 Jan 2023 22:01:54,708- Thread: 198 FINE [com.vontu.manager.command.systemevent.SystemEventCommandTrigger] Fired trigger for System Event: systemEventID: 54852545, eventCode: 5400, severity: 5, eventDate: Fri Jan 06 22:01:54 GMT 2023, informationMonitorID: -1, summary: com.symantec.dlp.emailquarantine.sync.started.summ, description: com.symantec.dlp.emailquarantine.sync.started.desc, isInternationalized: 1,
06 Jan 2023 22:01:59,791- Thread: 8251 FINE [com.symantec.dlp.emailquarantine.client.EmailQuarantineApiClientImpl] Invoking email quarantine API. Url: https://api.eu.quarantine.symantec.com/v1/mails/audit?filter_type={filter_type}&admin_domain={admin_domain}&before={before}&after={after}&sort_order={sort_order}&page_size={page_size}, Request parameters: {filter_type=DLP, admin_domain=ALL, before=1673042514777, after=1673042278738, sort_order=asc, page_size=1000}
06 Jan 2023 22:02:00,404- Thread: 8251 FINE [com.symantec.dlp.emailquarantine.client.EmailQuarantineApiClientImpl] Successfully invoked email quarantine API. Response body: {"status":null,"total":1,"start":0,"end":0,"error_code":null,"audit":[{"owner":"[email protected]","user":"dlpo[email protected]","action":"RELEASE","timestamp":1673042509378,"dlp_message_id":"xxxxx-xxxxxx-xxxxxx-xxxxxxx"}]}
06 Jan 2023 22:02:00,404- Thread: 8251 FINE [com.symantec.dlp.emailquarantine.EmailQuarantineSyncService] Syncing 1 email quarantine actions, 0 remaining
06 Jan 2023 22:01:47,188- Thread: 8251 FINE [com.symantec.dlp.
06 Jan 2023 22:01:48,341- Thread: 8251 FINE [com.symantec.dlp.
06 Jan 2023 22:01:48,341- Thread: 8251 FINE [com.symantec.dlp.
06 Jan 2023 22:01:48,341- Thread: 8251 FINE [com.symantec.dlp.
06 Jan 2023 22:01:49,608- Thread: 8251 FINE [com.symantec.dlp.
06 Jan 2023 22:01:54,648- Thread: 8251 INFO [com.vontu.enforce.
06 Jan 2023 22:01:54,681- Thread: 8251 INFO [com.symantec.dlp.
...
06 Jan 2023 22:01:54,708- Thread: 198 FINE [com.vontu.manager.command.
06 Jan 2023 22:01:59,791- Thread: 8251 FINE [com.symantec.dlp.
06 Jan 2023 22:02:00,404- Thread: 8251 FINE [com.symantec.dlp.
06 Jan 2023 22:02:00,404- Thread: 8251 FINE [com.symantec.dlp.
Resolution
To summarise the events taking place:
- at 22:01:47 the quarantine API is invoked
- at 22:01:48 the message is released
- at 22:01:49 confirmation of the action takes place
- at 22:01:54 sync starts again.
- at 22:01:59 the quarantine API is invoked again for another message
- at 22:02:00 sync starts again.
After each action the timer is reset to 0 and starts again.
If the next scheduled sync is not interrupted the sync would occur at the next scheduled interval of 5 minutes.
Feedback
Yes
No
Powered by
