incident not getting generated
Created: 14 May 2012 | Updated: 14 May 2012 | 15 comments
Hi
This issue is regarding Network Monitor. We created one policy and, for testing purposes, I sent violating data from my Outlook to Gmail, but no incident is generated in Enforce. Please help me with how to troubleshoot this issue.
Thanks
Naveen
What's the version used?
What's the rule you have set?
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
I am using version 11.1 and a keyword rule is used.
One thing I observed is that when I go to the System --> Server Overview screen in Enforce, I was able to see an incident count under the "Incidents Today" column, but I was not able to see any incident in the incident report.
Is it 11.1.1 or 2?
Is the Network Monitor service running? Do you see the incident in the log?
Cheers!
Pete
It's 11.1.1 and the Network Monitor service is running, but I am able to see a long message wait time in Recent Events.
Can you post the logs? Does restarting the network services help?
Cheers!
Pete
In the detection_operational_0 log file, I was not able to see any incidents.
Hi Naveen,
Currently, how many incidents are showing in your console?
Check license validity.
Please check whether the folder below is showing any *.bad incidents:
G:\Vontu\Protect\incidents
Manoj N
11/May/12:14:17:40:953-0700 [INFO] (DETECTION.9) Detection initializing with the following Policies [
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [KEYWORD]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [REGEX]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DOCUMENTNAME]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DOCUMENTSIZE]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DOCUMENTTYPE]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [PROTOCOLTYPE]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [SENDER]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [RECIPIENT]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [CHANNEL]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DCMONLY]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [UNIVERSAL_METADATA]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [FILE_TYPE_SCRIPT]
11/May/12:14:17:40:968-0700 [INFO] (DETECTION.10) Enabled engine for condition type [MAPI_ATTRIBUTE]
11/May/12:14:17:41:187-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DOCUMENTPROFILE]
11/May/12:14:17:41:453-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DATABASEPROFILE]
11/May/12:14:17:41:453-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DIRECTORY_GROUP]
11/May/12:14:17:41:453-0700 [INFO] (DETECTION.10) Enabled engine for condition type [ENDPOINT_DEVICE]
11/May/12:14:17:41:671-0700 [INFO] (DATA_IDENTIFIER.103) [68] Data Identifiers have been deployed
11/May/12:14:17:41:671-0700 [INFO] (DETECTION.10) Enabled engine for condition type [DATAIDENTIFIER]
11/May/12:14:17:41:703-0700 [INFO] (DETECTION.10) Enabled engine for condition type [MACHINE_LEARNING]
11/May/12:14:17:45:984-0700 [INFO] (DETECTION.401) The Policy Incident limiter has been reset and all previously disabled Policies have been enabled. The limits will reset again in 24 hour(s) 0 ms
11/May/12:14:17:47:453-0700 [INFO] (DETECTION.300) Profile [4,545:SSN_Feed version 1,028] loaded successfully
11/May/12:14:17:47:609-0700 [INFO] (DETECTION.7) Started 8 Message Chain(s)
11/May/12:14:17:47:609-0700 [INFO] (DETECTION.2) Detection is now running
11/May/12:15:31:29:203-0700 [INFO] (DETECTION.4) Detection is shutting down
11/May/12:15:32:17:203-0700 [INFO] (DETECTION.500) Script engine CustomFileScriptEngine initialized
11/May/12:15:32:17:203-0700 [INFO] (DETECTION.500) Script engine CustomValidatorScriptEngine initialized
11/May/12:15:32:17:218-0700 [INFO] (DETECTION.1) Detection is starting
11/May/12:15:32:19:437-0700 [INFO] (DETECTION.8) Detection initializing with the following Channel(s) [Packet Capture,Copy Rule]
11/May/12:15:32:19:750-0700 [INFO] (DETECTION.5) Waiting for Detection Server configuration
11/May/12:15:32:19:906-0700 [INFO] (DETECTION.102) Updated the enabled Protocol(s) [protocol.name.SMTP,protocol.name.HTTP,protocol.name.FTP,FileSystem,LotusNotes,EndpointFileSystem,ExchangeScanner,SharePointScanner,FileSystemScanner,WebServerScanner,DocumentumScanner,LiveLinkScanner,WebServices,GenericScanner,SQLDatabase,ExchangeCrawler,SharePointCrawler,Classification Exchange]
11/May/12:15:32:20:796-0700 [INFO] (DETECTION.6) Received Detection Server configuration and Advanced Settings
11/May/12:15:32:22:593-0700 [INFO] (DETECTION.602) Content Extraction started. Host process path: [E:\Vontu\Protect\lib\native\ceh.exe], Plugin install dir: [E:\Vontu\Protect\plugins\contentextraction], Default plugin: [Verity], Default charset:[UTF-8], API log config file:[E:\Vontu\Protect\config\log4cxx_config_filereader.xml], Host log config file:[E:\Vontu\Protect\config\log4cxx_config_filereader.xml], Runaway timeout: [300], Suppress crash notification: [true]
It's showing 25 incidents and a message wait time of 12:36:47; there are no files in the incident folder of Enforce.
Can anybody help me with this issue?
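The log excerpt above follows a fixed line format (timestamp, level, a DETECTION.n event code, message), and the thread's troubleshooting so far amounts to reading it by eye. The checker below is an added example, not code from any poster or from Symantec: it parses that format, tracks the detection lifecycle (DETECTION.1 starting, DETECTION.2 running, DETECTION.4 shutting down), pulls out the enabled channels and protocols, and reports anything that would explain an SMTP test mail never reaching a policy. The sample input is a handful of lines copied from the excerpt in this thread (one protocol list shortened); the event-code meanings are taken from those same lines, and the "SMTP" and "Packet Capture" requirements are assumptions chosen to match the Outlook-to-Gmail test described in the question.

```python
import re
from datetime import datetime

# Constructed sample input: lines copied from the detection_operational log
# excerpt posted in this thread, in the order they appear there.
SAMPLE_LOG = """\
11/May/12:14:17:47:609-0700 [INFO] (DETECTION.7) Started 8 Message Chain(s)
11/May/12:14:17:47:609-0700 [INFO] (DETECTION.2) Detection is now running
11/May/12:15:31:29:203-0700 [INFO] (DETECTION.4) Detection is shutting down
11/May/12:15:32:17:218-0700 [INFO] (DETECTION.1) Detection is starting
11/May/12:15:32:19:437-0700 [INFO] (DETECTION.8) Detection initializing with the following Channel(s) [Packet Capture,Copy Rule]
11/May/12:15:32:19:906-0700 [INFO] (DETECTION.102) Updated the enabled Protocol(s) [protocol.name.SMTP,protocol.name.HTTP,protocol.name.FTP,FileSystem]
11/May/12:15:32:20:796-0700 [INFO] (DETECTION.6) Received Detection Server configuration and Advanced Settings
"""

# One log line: "<dd/Mon/yy:HH:MM:SS:mmm-zzzz> [LEVEL] (CODE) message"
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<level>\w+)\] \((?P<code>[\w.]+)\) (?P<msg>.*)$")

# Lifecycle codes as they appear in the thread's excerpt.
STATE_CODES = {
    "DETECTION.1": "starting",
    "DETECTION.2": "running",
    "DETECTION.4": "shutting down",
}


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%y:%H:%M:%S:%f%z")
    return {"ts": ts, "level": m.group("level"), "code": m.group("code"), "msg": m.group("msg")}


def bracket_list(msg):
    """Split the trailing '[a,b,c]' list that several DETECTION messages carry."""
    m = re.search(r"\[([^\]]*)\]$", msg)
    return [x.strip() for x in m.group(1).split(",")] if m else []


def summarize(text):
    """Walk the log once and keep the last-known detection state and configuration."""
    summary = {
        "last_state": None,
        "last_state_at": None,
        "start_count": 0,       # how many times detection (re)started in this excerpt
        "channels": [],
        "protocols": [],
        "config_received": False,
    }
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        code = e["code"]
        if code in STATE_CODES:
            summary["last_state"] = STATE_CODES[code]
            summary["last_state_at"] = e["ts"]
            if code == "DETECTION.1":
                summary["start_count"] += 1
        elif code == "DETECTION.8":
            summary["channels"] = bracket_list(e["msg"])
        elif code == "DETECTION.102":
            # Protocol names are prefixed "protocol.name." in the log; strip that.
            summary["protocols"] = [p.replace("protocol.name.", "") for p in bracket_list(e["msg"])]
        elif code == "DETECTION.6":
            summary["config_received"] = True
    return summary


def health_checks(summary, needed_protocol="SMTP", needed_channel="Packet Capture"):
    """Return a list of findings; an empty list means nothing in the log explains a missed message."""
    problems = []
    if summary["last_state"] != "running":
        problems.append(f"detection last seen '{summary['last_state']}', not 'running'")
    if not summary["config_received"]:
        problems.append("no 'Received Detection Server configuration' line seen")
    if needed_channel not in summary["channels"]:
        problems.append(f"channel '{needed_channel}' not among enabled channels {summary['channels']}")
    if needed_protocol not in summary["protocols"]:
        problems.append(f"protocol '{needed_protocol}' not among enabled protocols")
    return problems


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("last state:", s["last_state"], "at", s["last_state_at"])
    print("channels:", s["channels"])
    print("protocols:", s["protocols"])
    for p in health_checks(s) or ["no problems found in this excerpt"]:
        print("-", p)
```

Run against the excerpt as posted, the only finding is that the last lifecycle line is "Detection is starting" with no later "Detection is now running"; the channels and SMTP protocol are all enabled and the server configuration was received. That is exactly the kind of fact worth stating when asking for help: either the excerpt was cut before the second "running" line, or detection never came back up after the 15:31 shutdown, which would explain both the growing message wait time and the missing incidents.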
Hi Naveen,
please check that when you try to view incidents there is no filter set in your report (no date, no status, no other attribute).
Is the account/profile used able to view this type of incident (network)? Does the role configuration give you the right to access these incidents (the incident access set of parameters)?
At least, in my opinion, if you see on the server page that some incident was generated, your policy is not responsible for this problem. If incidents are transmitted from the monitor to Enforce, the network connection between both seems OK too. If you performed a normal installation of the system, the encryption key should be OK between Enforce and the database. So it looks like a config problem which causes your issue.
Did it work before?
Hi Stephane,
Thanks for your reply. You said config problem; please let me know how to troubleshoot this issue.
Do you use your own account (or the default administrator account)? With which profile?
You indicate there is a huge message wait time. This is not normal and usually indicates a problem with server communication. Is the Incident Queue under Enforce also increasing?
Aaron