Incidents queueing up on 16.1 DLP detection servers
search cancel

Incidents queueing up on 16.1 DLP detection servers

book

Article ID: 396545

calendar_today

Updated On:

Products

Data Loss Prevention Core Package Data Loss Prevention Data Loss Prevention Plus Suite Data Loss Prevention Network Prevent for Email Data Loss Prevention Network Monitor and Prevent for Web Data Loss Prevention Network Monitor and Prevent for Email and Web Data Loss Prevention Network Monitor and Prevent for Email Data Loss Prevention Network Monitor Data Loss Prevention Network Discover Data Loss Prevention Enterprise Suite Data Loss Prevention Enforce Data Loss Prevention Endpoint Prevent Data Loss Prevention Endpoint Discover Data Loss Prevention Discover Suite

Issue/Introduction

Incidents have begun to queue up on a DLP detection server(s) according to the "Incident Queue" column on the System -> Servers and Detectors -> Overview page in the DLP Enforce Console.

The SymantecDLPEnforceConnector logs on the detection server with the incident backup contains the following log entries with name_of_incident_file being replaced with the name of the actual corrupt incident file in the folder.

 

May 3, 2025 6:42:29 PM com.symantec.dlp.storage.spi.impl.persistence.local.LocalDataFile getMetaDataFromKeys
INFO: Unable to get metadata of local file E:\DataLossPrevention\DetectionServer\Account-storage\EnforceSlot-uuid\INCIDENTS\name_of_incident_file= Attempt #1: java.io.EOFException

AND

May 3, 2025 6:42:30 PM com.symantec.dlp.storageandnotification.StorageInstrumentationImpl logSevere
SEVERE: Exception while getting dataReader for file name_of_incident_file= in folder Account-storage/EnforceSlot-uuid/INCIDENTS.
com.symantec.dlp.storageandnotification.exceptions.RecoverableStorageSecurityException: Cannot decrypt file, no file encryption key found.
    at com.symantec.dlp.storage.spi.impl.security.EncryptedDataFile.getFileEncryptingKeyContainer(EncryptedDataFile.java:290)
    at com.symantec.dlp.storage.spi.impl.security.EncryptedDataFile.buildFileEncryptingKeyContainerForDecrypt(EncryptedDataFile.java:206)
    at com.symantec.dlp.storage.spi.impl.security.EncryptedDataFile.getInputReader(EncryptedDataFile.java:135)

Environment

DLP 16.1

Cause

This issue is caused by an incident file becoming corrupt in the ...DataLossPrevention\DetectionServer\Account-storage\EnforceSlot-uuid\INCIDENTS folder on the detection server.

Resolution

Delete the corrupt incident files mentioned in the SymantecDLPEnforceConnector log from the following folder on the Detection Server. Delete both the file ending in "=" and the file ending in "=.mtd" with the name specified in the log file.

This is the default path, refer to the SymantecDLPEnforceConnector log for the actual path on your detection server:

 

C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\Account-storage\EnforceSlot-uuid\INCIDENTS

 

 

Powered by Wolken Software