Endpoint Incidents are getting queued and the data is persisted after restarting the "Incident Persister" Service.
The following Errors are reported :
In Enforce summary :
Error: "Corrupted incident received".
Incident Persister.log provided the following information :
INFO | jvm 9 | 2011/08/24 14:57:20 | WrapperManager Error: Server daemon died!
INFO | jvm 9 | 2011/08/24 14:57:20 | WrapperManager Error: java.lang.OutOfMemoryError: GC overhead limit exceeded
INFO | jvm 9 | 2011/08/24 14:57:20 | WrapperManager: The timer fell behind the system clock by 2700ms.
INFO | jvm 9 | 2011/08/24 14:57:26 | WrapperManager: The timer fell behind the system clock by 9900ms.
INFO | jvm 9 | 2011/08/24 14:57:32 | WrapperManager: The timer fell behind the system clock by 5700ms.
ERROR | wrapper | 2011/08/24 14:57:47 | JVM appears hung: Timed out waiting for signal from JVM.
ERROR | wrapper | 2011/08/24 14:57:47 | JVM did not exit on request, terminated
STATUS | wrapper | 2011/08/24 14:57:52 | Launching a JVM...
INFO | jvm 10 | 2011/08/24 14:57:53 | WrapperManager: Initializing...
INFO | jvm 10 | 2011/08/24 15:01:48 | WrapperManager: The timer fell behind the system clock by 3400ms.
The Java process for persisting incidents crashed with an OOM event.
Increase the memory available to the Incident Persister.
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\Services\
# Initial Java Heap Size (in MB) [default 512]
wrapper.java.initmemory=1024
# Maximum Java Heap Size (in MB) [default 1024]
wrapper.java.maxmemory=2048
Note : Make sure that to have enough physical memory on the Enforce and the Detection Servers when making the above changes. By default, the 4 DLP services on the Enforce Server take up a total of ~5 Gb of RAM.
Do not increase the memory beyond 31GB.
At 32GB you lose memory compression and it becomes counter-productive.
In most circumstances there are better ways to handle out of memory errors than increasing the memory beyond 31GB.