Incident queue continues to backup with a backlog of over 1000 incidents.
DLP Enforce - on versions prior to 14.6.
Occasionally the incident queue will back up on the Enforce server.
On versions prior to 14.6, there is a hard coded limit where the incident persister process will only process 1000 incidents in the backlog at a time for each recycle of the service. If the backlog gets larger than 1000 incidents, then a recycle of the VontuIncidentPersister service on the Enforce server is required to process the incidents.
If there are multiple thousands of incidents in the backlog, then the VontuIncidentPersister service needs to be recycled several times until the backlog gets below 1000.
On versions prior to 14.6, it is necessary to recycle the VontuIncidentPersister service on Enforce, to allow the incident persister to process 1000 incidents at a time.
Recycle the service again until there are less than 1000 incidents backed up in the queue.
If a large number of incidents are present, requiring many restarts, it is recommended to automate the restarts, such as with a cron job or batch file. Depending on your environment, you may need to give the service 10 minutes or more to recycle and process the incidents. Automation within your environment is beyond the scope of Symantec Technical Support.
In DLP version 14.6, most backlogged incidents will be automatically processed.
If the issue continues to persist, however, please contact technical support for further investigation.
Etrack 3975761 documents the fix in 14.6.
Subscribing will provide email updates when this Article is updated. Login is required.