Data Loss Prevention

  • 1.  Enforce Server Incident Queue 12.5

    Posted Nov 24, 2014 07:29 AM

    Hi,

    We were running 11.5 for some time and have recently upgraded to 12.5. When I'm viewing the Server Overview page, I do not remember seeing any number in the Enforce Incident Queue and now I see a high-ish number. <see attachment>.

    I can't find any 'evidence' of incidents backing up on the server (manually checking folders for temp files being processed) but perhaps I'm looking in the wrong place.

    I'm trying to be a bit pro-active here as I don't have any major issue on this particular point(?) but we are having problems with Discover Scans, scans not starting cleanly - as in they report to be starting but never start until we intervene with reboots or such like, and the filereader process restarting a lot and large .MDMP files (1-3GB in size....hs_err_pid2732.mdmp and hs_err_pid2732.log) being created in the Vontu\Bin directory.

    Anyone have any pointers on where to look or encountered this before?



  • 2.  RE: Enforce Server Incident Queue 12.5

    Posted Nov 24, 2014 02:18 PM
    From the DLP Help button, I searched for "Incident Queue" and came up with this:

    ____________________________________

    Incident Queue

    For the Enforce Server, this is the number of incidents that are in the database, but do not yet have an assigned status. This number is updated whenever this screen is generated. For the other types of servers, this is the number of incidents that have not yet been written to the Enforce Server. This number is updated approximately every 30 seconds. If the server is shut down, this number is the last number updated by the server. Presumably the incidents are still in the incidents folder.

    ____________________________________

    I would not expect this to continue to rise. I would expect it to fluctuate during the normal workday. It could be that your Enforce server is processing incidents slower with the new version of DLP, but you would have to look at some performance numbers (Memory in use, Disk I/O, etc.) in the OS to see if that is the issue.


  • 3.  RE: Enforce Server Incident Queue 12.5

    Posted Dec 02, 2014 02:34 PM

    This is normal behavior in my experience.  If the number never shrinks then you have a problem, but typically the number will fluctuate some throughout the day (it is just the number of incidents reported from detection servers, but not yet fully processed by enforce).



  • 4.  RE: Enforce Server Incident Queue 12.5

    Posted Dec 09, 2014 03:11 PM

    I agree with Jsneed.  You can also create an alert based on a threshold of incidents in the enforce queue. I think that threshold is predefined by Symantec as I can't find a way to customize it. I think it is 1500 incidents.