DLP Endpoint agent not creating incidents when using a custom data identifier
Last Updated April 26, 2019
Symantec Data Loss Prevention (DLP) Endpoint Agents are not generating incidents for policies that you have configured with a custom data identifier.
01/01/2013 12:00:00 | 1234 | INFO | MessageLogger | MESSAGETYPE_DETECTION_RESULT MESSAGESOURCE_DETECTION 01/01/2013 12:00:00 [req#123 FAILURE <\b> is not a valid letter for index no incidents]
The custom data identifier you are using contains an invalid regular expression element.
The DLP custom data identifier language uses a subset of the regular expression command set, so not all valid regex elements are supported. The exact text in the log varies, but the portion of the log entry following "req#nnn FAILURE" indicates the issue. In the log example above, the characters enclosed in angle brackets, <\b>, represent the expression element that is invalid.
To resolve the problem, check all custom data identifiers that are used in your policies and remove anything that is causing the error or is unsupported.
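The check described above can be scripted. The following is an added example, not Symantec code: it pulls the "req#nnn FAILURE" portion out of agent log lines and lists which custom data identifier patterns contain the flagged element. The function names, the identifier names and patterns, and the second log line are constructed for illustration; the first log line is the one shown in this article.

```python
import re

# The article says the text after "req#nnn FAILURE" identifies the problem and
# that the wording varies, so the <element> part is optional and the remainder
# of the bracketed text is kept as free-form detail.
FAILURE_RE = re.compile(
    r"\[req#(?P<req>\d+) FAILURE (?:<(?P<element>[^>]+)> ?)?(?P<detail>[^\]]*)\]"
)

def parse_failures(lines):
    """Return one dict per log line that carries a 'req#nnn FAILURE' result."""
    found = []
    for line in lines:
        m = FAILURE_RE.search(line)
        if not m:
            continue
        fields = [f.strip() for f in line.split("|")]
        found.append({
            "timestamp": fields[0] if len(fields) >= 5 else None,
            "request": int(m.group("req")),
            "element": m.group("element"),  # None if no <...> was logged
            "detail": m.group("detail").strip(),
        })
    return found

def identifiers_using(elements, identifiers):
    """Map each flagged element to the identifiers whose pattern contains it.

    Plain substring match: good enough to shortlist patterns for manual
    review, but it does not understand escaping (e.g. a literal '\\\\b').
    """
    return {
        element: sorted(name for name, pattern in identifiers.items()
                        if element in pattern)
        for element in elements
    }

# Sample input: first line from the article, second line constructed.
SAMPLE_LOG = [
    r"01/01/2013 12:00:00 | 1234 | INFO | MessageLogger | MESSAGETYPE_DETECTION_RESULT MESSAGESOURCE_DETECTION 01/01/2013 12:00:00 [req#123 FAILURE <\b> is not a valid letter for index no incidents]",
    r"01/01/2013 12:00:05 | 1234 | INFO | MessageLogger | constructed unrelated entry",
]

# Constructed identifier names and patterns (stand-ins for your own export).
SAMPLE_IDENTIFIERS = {
    "EmployeeID": r"\bEMP\d{6}\b",
    "BadgeNumber": r"B\d{8}",
}

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    flagged = {f["element"] for f in failures if f["element"]}
    print(failures)
    print(identifiers_using(flagged, SAMPLE_IDENTIFIERS))
```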
For additional information refer to the following articles: