FileReader restarts excessively DLP-ENDPOINT Server

Created: 27 Apr 2013 | 6 comments
Mavericks SYS's picture

 

Hi,

We have about 300 DLP agents deployed at the moment and we see problems with the “FileReader restarts excessively” process at the Endpoint server.

I want a solution for this problem.

Thanks & Regards,

yang_zhang's picture

Could you please check the error message on the log file of the filereader under the tomcat/log/debug folder?

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
Mavericks SYS's picture

Hi yang_zhang,

I'll check the log file on the filereader, and I'll see if there's an error message, and I will answer you.

This check I did at Endpoint or Network Server Monitor

Thank you for your help.

 

kishorilal1986's picture

Hi Mavericks,

FileReader restarts usually occur due to timeout issues.  These timeouts are generally caused by the following:

  1. Connectivity issues with the Monitor Controller or Network
  2. Poorly written RegEx Rules
  3. A bad email message.  Bad messages can be caused by incorrect header information or foreign characters in the message that Symantec DLP is unable to process

If the FileReader restarts itself occasionally, this is normal behavior.  However, if you are experiencing consistent FileReader restarts in your environment, there are a few things you can do to determine the cause:

  1. FileReader may fail to start (and restart) if it can’t receive all the configuration information it needs. To troubleshoot the exact cause, look in the FileReader log first to identify which FileReader subsystem isn’t starting. Once it’s identified that a particular subsystem isn’t receiving its configuration, one should look in the MonitorController log to see if the corresponding subsystem has been initialized successfully. One of the common failures is inability to ignite cryptographic keys in the MonitorController because the ignition password on the disk got out of sync with the Administrator password in the database. In this case the password issue must be fixed and only after that should the MonitorController be restarted.
  2. Check your policies.  Oftentimes FileReader restarts will occur because of a particular policy.  For example, if a Regex in a particular policy exceeds given thresholds (such as maximum component time), then the FileReader will restart.  Look at the log files for the “intentionally restarting process” message which identifies the message chain component causing the restart.  If this component is “Detection” the most likely cause is a poorly written regular expression. (See KB 42749: How to create more efficient Regular Expressions)
  3. Check for "bad" messages. Save the *.vpcap file that contains the message in question. You can use the file for testing without having to actually send the message again. 
  4. Check for locked *.vpcap files.
    1. Stop Packet Capture so that you do not get noise in the test. Start FileReader process. If the *.vpcap file gets picked up, the inductor is working. If the inductor is not working, find out why. The most common problem is that some process has a lock on the files. Other than that, collect the FileReader log and contact support. 
  5. If the inductor is working, the problem may be in the Layer 7 Parser or the Content Extractor. Visually inspect the FileReader log for any exceptions, warnings or severe log messages.
  6. While the Content Extractor can often have problems processing various file formats it can rarely, if ever, be blamed for a FileReader restart.
  7. Dying threads can cause FileReader to stop reporting heartbeats and eventually be restarted. Look in VontuMonitor.log for exceptions. Each exception in that log file is an indicator of a serious problem (a product defect) and is a likely cause of a FileReader restart

If none of the above resolves your FileReader restart issues, please contact Technical Support for further troubleshooting.
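
The log checks described in the reply above (the “intentionally restarting process” message, exceptions, warnings and severe entries) can be tallied with a small script. This is an added example, not part of the original post and not Symantec code; the log line layout, the sample lines and every component name except "Detection" are assumptions made for illustration.

```python
import re
from collections import Counter

# Phrase quoted in the post. The component names other than "Detection" and the
# log line layout used below are assumptions, not taken from product documentation.
RESTART_PHRASE = "intentionally restarting process"
COMPONENTS = ("Detection", "Content Extractor", "Layer 7 Parser", "Inductor")
JAVA_EXC = re.compile(r"\b((?:[A-Za-z_]\w*\.)*[A-Z]\w*(?:Exception|Error))\b")
LEVEL = re.compile(r"\b(SEVERE|WARNING)\b")

def triage(lines):
    """Count restart causes, exception classes and SEVERE/WARNING entries."""
    restarts, exceptions, levels = Counter(), Counter(), Counter()
    for line in lines:
        low = line.lower()
        if RESTART_PHRASE in low:
            # Only look for a component name after the restart phrase.
            tail = low[low.index(RESTART_PHRASE):]
            hit = next((c for c in COMPONENTS if c.lower() in tail), "unknown")
            restarts[hit] += 1
        exc = JAVA_EXC.search(line)
        if exc:
            # Keep the class name only, dropping the package prefix.
            exceptions[exc.group(1).rsplit(".", 1)[-1]] += 1
        lvl = LEVEL.search(line)
        if lvl:
            levels[lvl.group(1)] += 1
    return {"restarts": restarts, "exceptions": exceptions, "levels": levels}

# Constructed sample lines (hypothetical layout) standing in for FileReader
# and VontuMonitor.log content.
SAMPLE = """\
27 Apr 2013 10:01:12 INFO  FileReader started
27 Apr 2013 10:04:40 SEVERE Intentionally restarting process: component Detection exceeded maximum component time
27 Apr 2013 10:09:03 WARNING could not read capture file, file is locked
27 Apr 2013 10:11:55 SEVERE Intentionally restarting process: component Detection exceeded maximum component time
27 Apr 2013 10:12:30 SEVERE java.lang.NullPointerException in worker thread
27 Apr 2013 10:20:10 SEVERE Intentionally restarting process: heartbeat lost
""".splitlines()

def report(lines):
    """Print the tallies, most frequent first, and return them."""
    result = triage(lines)
    for title, counter in result.items():
        print(title)
        for name, count in counter.most_common():
            print(f"  {count:4d}  {name}")
    return result

if __name__ == "__main__":
    report(SAMPLE)
```

A restart count dominated by "Detection" points at the policy and regular expression check in item 2 of the reply; to run it on real logs, pass the lines of an opened log file to `report` instead of `SAMPLE`.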

Leo_Cortes's picture

Hi,

 

How much memory do you have assigned to that endpoint server?

 

Endpoint is particularly picky with memory and would not run properly with less than 4GB (and that is pushing it).  Server should be at least 8GB or more.

 

Also, if the server is a Linux one, be sure to load the necessary RPMs, particularly the apr_utils one.  You can find the rest of the packages in the KB.

 

Hope this helps!