Data Loss Prevention


incident not getting generated


  • 1.  incident not getting generated

    Posted May 15, 2012 01:46 AM

    Hi

    This issue is regarding Network Monitor. We created one policy and, for testing purposes, I sent data that violated it from my Outlook to Gmail, but no incident is generated in Enforce. Please help me with how to troubleshoot this issue.

    Thanks

    Naveen




  • 2.  RE: incident not getting generated

    Broadcom Employee
    Posted May 15, 2012 01:57 AM

    What's the version used?

    What is the rule you have set?



  • 3.  RE: incident not getting generated

    Posted May 15, 2012 02:15 AM

    I am using version 11.1 and a keyword rule is used.



  • 4.  RE: incident not getting generated

    Posted May 15, 2012 02:18 AM

    One thing which I observed is that when I go to System --> Server Overview in Enforce, I am able to see an incident count under the column "Incidents Today", but I am not able to see any incident in the incident report.



  • 5.  RE: incident not getting generated

    Broadcom Employee
    Posted May 15, 2012 02:39 AM

    Is it 11.1.1 or 2?

    Is the Network Monitor service running? Do you see the incident in the log?



  • 6.  RE: incident not getting generated

    Posted May 15, 2012 02:56 AM

    It's 11.1.1 and the Network Monitor service is running, but I am able to see "Long message wait time" in Recent Events.



  • 7.  RE: incident not getting generated

    Broadcom Employee
    Posted May 15, 2012 03:01 AM

    Can you post the logs? Does restarting the network services help?



  • 8.  RE: incident not getting generated

    Posted May 15, 2012 03:02 AM

    In the detection_operational_0 log file, I was not able to see any incidents.



  • 9.  RE: incident not getting generated

    Posted May 15, 2012 03:10 AM

    Hi Naveen,

    Currently, how many incidents are showing in your console?

    Check the license validity.

    Please check whether the folder below contains any *.bad incidents:

    G:\Vontu\Protect\incidents



  • 10.  RE: incident not getting generated

    Posted May 15, 2012 03:35 AM

    11/May/12:14:17:40:953-0700 [INFO] (DETECTION.9) Detection initializing with the following Policies [
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [KEYWORD]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [REGEX]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DOCUMENTNAME]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DOCUMENTSIZE]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DOCUMENTTYPE]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [PROTOCOLTYPE]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [SENDER]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [RECIPIENT]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [CHANNEL]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DCMONLY]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [UNIVERSAL_METADATA]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [FILE_TYPE_SCRIPT]
    11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [MAPI_ATTRIBUTE]
    11/May/12:14:17:41:187-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DOCUMENTPROFILE]
    11/May/12:14:17:41:453-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DATABASEPROFILE]
    11/May/12:14:17:41:453-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DIRECTORY_GROUP]
    11/May/12:14:17:41:453-0700 [INFO] (DETECTION.10) Enabled engine for condition type [ENDPOINT_DEVICE]
    11/May/12:14:17:41:671-0700 [INFO] (DATA_IDENTIFIER.103) [68] Data Identifiers have been deployed
    11/May/12:14:17:41:671-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DATAIDENTIFIER]
    11/May/12:14:17:41:703-0700 [INFO] (DETECTION.10) Enabled engine for condition type [MACHINE_LEARNING]
    11/May/12:14:17:45:984-0700 [INFO] (DETECTION.401) The Policy Incident limiter has been reset and all previously disabled Policies have been enabled. The limits will reset again in 24 hour(s) 0 ms
    11/May/12:14:17:47:453-0700 [INFO] (DETECTION.300) Profile [4,545:SSN_Feed version 1,028] loaded successfully
    11/May/12:14:17:47:609-0700 [INFO] (DETECTION.7) Started 8 Message Chain(s)
    11/May/12:14:17:47:609-0700 [INFO] (DETECTION.2) Detection is now running
    11/May/12:15:31:29:203-0700 [INFO] (DETECTION.4) Detection is shutting down
    11/May/12:15:32:17:203-0700 [INFO] (DETECTION.500) Script engine CustomFileScriptEngine initialized
    11/May/12:15:32:17:203-0700 [INFO] (DETECTION.500) Script engine CustomValidatorScriptEngine initialized
    11/May/12:15:32:17:218-0700 [INFO] (DETECTION.1) Detection is starting
    11/May/12:15:32:19:437-0700 [INFO] (DETECTION.8) Detection initializing with the following Channel(s) [Packet Capture,Copy Rule]
    11/May/12:15:32:19:750-0700 [INFO] (DETECTION.5) Waiting for Detection Server configuration
    11/May/12:15:32:19:906-0700 [INFO] (DETECTION.102) Updated the enabled Protocol(s) [protocol.name.SMTP,protocol.name.HTTP,protocol.name.FTP,FileSystem,LotusNotes,EndpointFileSystem,ExchangeScanner,SharePointScanner,FileSystemScanner,WebServerScanner,DocumentumScanner,LiveLinkScanner,WebServices,GenericScanner,SQLDatabase,ExchangeCrawler,SharePointCrawler,Classification Exchange]
    11/May/12:15:32:20:796-0700 [INFO] (DETECTION.6) Received Detection Server configuration and Advanced Settings
    11/May/12:15:32:22:593-0700 [INFO] (DETECTION.602) Content Extraction started. Host process path: [E:\Vontu\Protect\lib\native\ceh.exe], Plugin install dir: [E:\Vontu\Protect\plugins\contentextraction], Default plugin: [Verity], Default charset:[UTF-8], API log config file:[E:\Vontu\Protect\config\log4cxx_config_filereader.xml], Host log config file:[E:\Vontu\Protect\config\log4cxx_config_filereader.xml], Runaway timeout: [300], Suppress crash notification: [true]
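    The excerpt above is easier to reason about once the lifecycle messages are pulled out of the noise. The following parser is an added example, not code from the thread or from the DLP product: it reads lines in the detection_operational format shown above, extracts the timestamp (with its UTC offset), level, message code and text, and summarizes the detection engine's last known state: whether the last event was "starting", "running" or "shutting down", when the last shutdown and start occurred, how many message chains were started, which condition types were enabled, and how many lines were at a level other than INFO. The message codes (DETECTION.1, .2, .4, .7, .10) are taken from the excerpt and assumed to be stable per message kind; the sample input is a subset of the posted lines plus one deliberately malformed line.

```python
import re
from datetime import datetime, timedelta, timezone

# Line format of the detection_operational log as posted in the thread:
#   11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [KEYWORD]
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/[A-Za-z]{3}/\d{2}):(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})"
    r"(?P<tz>[+-]\d{4}) \[(?P<level>[A-Z]+)\] \((?P<code>[A-Z_]+\.\d+)\) (?P<msg>.*)$"
)

# Message codes observed in the posted excerpt (assumption: each code always
# carries the same kind of message, as the excerpt suggests).
CODE_STARTING = "DETECTION.1"
CODE_RUNNING = "DETECTION.2"
CODE_SHUTDOWN = "DETECTION.4"
CODE_CHAINS = "DETECTION.7"
CODE_ENGINE = "DETECTION.10"


def parse_line(line):
    """Return a dict with an aware timestamp, level, code and message, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    sign = 1 if d["tz"][0] == "+" else -1
    offset = timezone(sign * timedelta(hours=int(d["tz"][1:3]), minutes=int(d["tz"][3:5])))
    ts = datetime.strptime(d["date"], "%d/%b/%y").replace(
        hour=int(d["h"]), minute=int(d["m"]), second=int(d["s"]),
        microsecond=int(d["ms"]) * 1000, tzinfo=offset,
    )
    return {"ts": ts, "level": d["level"], "code": d["code"], "msg": d["msg"]}


def summarize(lines):
    """Walk the log in order and report the detection engine's last known state."""
    summary = {
        "state": "unknown",     # starting / running / shutting down
        "last_start": None,     # timestamp of the last "Detection is now running"
        "last_stop": None,      # timestamp of the last "Detection is shutting down"
        "restart_gap_s": None,  # seconds from the last shutdown to the next "starting"
        "chains": None,         # message chains started on the last completed start
        "engines": [],          # condition types seen enabled, in order, without duplicates
        "non_info": 0,          # lines at any level other than INFO
        "unparsed": 0,          # lines that did not match the format
    }
    for line in lines:
        e = parse_line(line)
        if e is None:
            summary["unparsed"] += 1
            continue
        if e["level"] != "INFO":
            summary["non_info"] += 1
        if e["code"] == CODE_STARTING:
            summary["state"] = "starting"
            if summary["last_stop"] is not None:
                summary["restart_gap_s"] = (e["ts"] - summary["last_stop"]).total_seconds()
        elif e["code"] == CODE_ENGINE:
            m = re.search(r"\[([A-Z_]+)\]$", e["msg"])
            if m and m.group(1) not in summary["engines"]:
                summary["engines"].append(m.group(1))
        elif e["code"] == CODE_CHAINS:
            m = re.search(r"Started (\d+) Message Chain", e["msg"])
            if m:
                summary["chains"] = int(m.group(1))
        elif e["code"] == CODE_RUNNING:
            summary["state"] = "running"
            summary["last_start"] = e["ts"]
        elif e["code"] == CODE_SHUTDOWN:
            summary["state"] = "shutting down"
            summary["last_stop"] = e["ts"]
    return summary


# Sample input: a subset of the lines posted in the thread, plus one deliberately
# malformed line to show that the parser counts it as unparsed instead of guessing.
SAMPLE_LINES = [
    "11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [KEYWORD]",
    "11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [REGEX]",
    "11/May/12:14:17:47:609-0700 [INFO] (DETECTION.7) Started 8 Message Chain(s)",
    "11/May/12:14:17:47:609-0700 [INFO] (DETECTION.2) Detection is now running",
    "11/May/12:15:31:29:203-0700 [INFO] (DETECTION.4) Detection is shutting down",
    "11/May/12:15:32:17:218-0700 [INFO] (DETECTION.1) Detection is starting",
    "11/May/12:15:32:19:750-0700 [INFO] (DETECTION.5) Waiting for Detection Server configuration",
    "this line is not in the log format",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

    Run against the excerpt as posted, the summary ends in state "starting": the 15:32:17 restart is followed by configuration and content-extraction messages but, within the excerpt, by no second "Detection is now running" line, so the first thing to confirm on the real file is whether that line appears later. A non-zero non_info count would be the next place to look.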



  • 11.  RE: incident not getting generated

    Posted May 15, 2012 04:04 AM

    It's showing 25 incidents and a message wait time of 12:36:47; there are no files in the incident folder of Enforce.



  • 12.  RE: incident not getting generated

    Posted May 16, 2012 02:14 AM

    Can anybody help me with this issue?



  • 13.  RE: incident not getting generated

    Trusted Advisor
    Posted May 16, 2012 07:48 AM

    Hi Naveen,

    Please check that, when you try to view incidents, there is no filter set in your report (no date, no status, no other attribute).

    Is the account/profile used able to view this type of incident (network)? Does the role configuration give you the right to access these incidents (the incident access set of parameters)?

    At least, in my opinion, if you see on the server page that some incidents were generated, your policy is not responsible for this problem. If incidents are transmitted from the monitor to Enforce, the network connection between both seems OK too. If you performed a normal installation of the system, the encryption key should be OK between Enforce and the database. So it looks like a configuration problem which causes your issue.

    Did it work before?



  • 14.  RE: incident not getting generated

    Posted May 16, 2012 08:24 AM

    Hi Stephane,

    Thanks for your reply. You said configuration problem; please let me know how to troubleshoot this issue.



  • 15.  RE: incident not getting generated

    Trusted Advisor
    Posted May 16, 2012 08:32 AM

    Do you use your own account (or the default administrator account)? With which profile?



  • 16.  RE: incident not getting generated

    Posted Jun 19, 2012 10:26 AM

    You indicate there is a huge message wait time. This is not normal and usually indicates a problem with server communication. Is the incident queue under Enforce also increasing?

    Aaron