There are a lot of .bad files in the \incidents folder. What are they? What should be done?
Incidents from the various detection servers arrive on the Enforce server as a file in the \incidents folder. The name is a string of numbers and the file type is .idc. The IncidentPersister takes incident files from the incidents folder and puts them into the database. When an incident is successfully processed into the database the file is deleted.
If there is a problem processing the incident file and it can not be completed, the file type is changed to .bad.
This allows the IncidentPersister to skip that file and process the remaining incident files.
There are several problems that can prevent the IncidentPersister from successfully putting an incident into the database:
- The IP has a problem communicating to the DB during the operation
- The DB can not add the incident information to the tables
- The LOB_TABLESPACE tablespace is full and needs additional datafiles added to it
- The incident file is unusable or unreadable/corrupted
- An example of an unusable incident cause is if a policy change occurred (a new policy version) and it fails the sanity checks for persistence. If the change occurs between the time of the incident creation and persistence, the incident is no longer valid and becomes unusable.
The problems are usually logged in the IncidentPersister log. A System Event 1800 is also generated. Contact Technical Support if you need assistance correcting any issues.
Once the problem is corrected, the incident can be resubmitted by changing the .bad to .idc. See Changing all .bad incidents to .idc on a Windows operating system or Changing all .bad incidents to .idc on a RedHat Linux operating system.