
FileReader constantly Restarting

Created: 23 Oct 2012 | 10 comments

We are running into an issue where on one of our Network Monitor servers the file reader continually restarts throughout the day.  It is causing a backlog of the logs for the server to turn into incidents.  I think time between logs is now at 84 hours.  Other issues related to this are that our disk space is almost at its max and the CPU usage is constantly at 99-100%.

 

We are running:

Host 10.160.25.84
Version 11.0.0.19031

 


stumunro's picture

Zach,

 

Usually 2 reasons for this: lack of resources, i.e. CPU or memory. What hardware specs do you have on that server? And/or too many complex statements or policies; this means that you have a bunch of and/or statements in the policies. Did you make any recent changes?

Zach.Holle's picture

We have a dual quad-core processor @ 2.33 GHz with 8 gigs of RAM.  We have 5 other Network Monitors (6 total) that have the same specs.

 

We do have some complicated rules as we are a larger corporation and have to weed out the false-positives.

stumunro's picture

Is this all on the one monitor? The 8 gigs of memory are on the lower end of the specs.

I would suggest adding more memory. If this is a larger network, it may not be the number or complexity of the policies; then it may be the amount of traffic... If you are on version 11.0 you need to upgrade... I have attached the 11.5 and 11.6 sizing guides... Also, can you attach a screenshot of the error for more info?

Attachments:
Symantec_DLP_11.6_Network_Sizing_Guide.pdf (418.22 KB)
Symantec_DLP_11.5_Network_Sizing_Guide.pdf (417.39 KB)
Zach.Holle's picture

Thank you for the information.  This Monitor does have the most traffic going through it, so it would make sense that it would have issues while none of the others do.

 

Attached is the e-mail I receive with the error message.  Please let me know if you require any other information.

DLPError.PNG
Keith Reynolds - ExchangeTek's picture

Regardless of how much memory you have on that server, you're limited with regards to how much memory the File Reader process will use by the settings specific to that server.  So you might be looking at adjusting the setting for that under "Advanced Settings".  There's a parameter for the file reader max memory. 

I'd recommend to you that you don't do this without first opening a case and consulting support, though if you're game, you might try bumping that up a little bit at a time and see if it improves your processing times.

Are you using a Windows server for this, or a Linux server?  You can get better rates out of Linux without any advanced configuration.  If that's an option for you, I'd recommend it...larger installs I usually recommend Linux as the OS on Network Monitors for just this reason.

~Keith

Zach.Holle's picture

We are running it on Linux.  I'll definitely take a look at the Advanced Settings.  It looks like we are going to try and get some more RAM added into the box and see if that clears up any issues.  We are also looking to maybe add another server for this traffic and load balance it if possible.

DLP Solutions's picture

Also keep in mind that the issue can also be from poorly written Policies. I have seen it to where a policy or more than one has way too many RULES and as a result will cause the server to need more memory in order to handle all of the policies as well as the rules.

The other issue might be that you have TOO MUCH data coming to the monitor NIC card, so you might have to filter the information down.

 

What is the throughput of traffic being pumped to the Monitor? You should make sure to ONLY have inbound traffic.

Please make sure to mark this as a solution to your problem, when possible.

 

Roju's picture

I am facing the same problem as you described. As per Tech Support, the issue is that the tmp files (kpxxx.tmp) are being created by the old verity/java code. The cracking exception is no longer happening into CEA. DLP 11.6 will provide a fix for this issue (although I have not tested it :) ). The tmp files expand to GBs in size. The FileReader restart is happening as a result of the low disk space.

In Windows, we can see the temp files in “C:\Documents and Settings\protect\Local Settings\Temp” (maybe you should check the home folder of your protect user).

This is based on my experience. A tech support personnel can explain it better.

 

Regards,

...rOjU...

Zach.Holle's picture

Just an update, I logged a ticket with support and we seemed to have resolved the issue. In the configuration we added another rule to Ignore with the following settings: Application File Access, Removeable Storage. Path = *\truecrypt\*