Incidents are getting queued and the data is getting persisted after restarting the "Incident Persister"
search cancel

Incidents are getting queued and the data is getting persisted after restarting the "Incident Persister"

book

Article ID: 160707

calendar_today

Updated On:

Products

Data Loss Prevention Data Loss Prevention Enforce

Issue/Introduction

 

Endpoint Incidents are getting queued and the data is persisted after restarting the "Incident Persister" Service.

The following Errors are reported :

In Enforce summary :

Error: "Corrupted incident received".

 

Incident Persister.log provided the following information :

INFO   | jvm 9    | 2011/08/24 14:57:20 | WrapperManager Error: Server daemon died!
INFO   | jvm 9    | 2011/08/24 14:57:20 | WrapperManager Error: java.lang.OutOfMemoryError: GC overhead limit exceeded
INFO   | jvm 9    | 2011/08/24 14:57:20 | WrapperManager: The timer fell behind the system clock by 2700ms.
INFO   | jvm 9    | 2011/08/24 14:57:26 | WrapperManager: The timer fell behind the system clock by 9900ms.
INFO   | jvm 9    | 2011/08/24 14:57:32 | WrapperManager: The timer fell behind the system clock by 5700ms.
ERROR  | wrapper  | 2011/08/24 14:57:47 | JVM appears hung: Timed out waiting for signal from JVM.
ERROR  | wrapper  | 2011/08/24 14:57:47 | JVM did not exit on request, terminated
STATUS | wrapper  | 2011/08/24 14:57:52 | Launching a JVM...
INFO   | jvm 10   | 2011/08/24 14:57:53 | WrapperManager: Initializing...
INFO   | jvm 10   | 2011/08/24 15:01:48 | WrapperManager: The timer fell behind the system clock by 3400ms.

Cause

The Java process for persisting incidents crashed with an OOM event.

Resolution

Increase the memory available to the Incident Persister.

  1. Located in the following directory on Windows:
    C:\Program Files\Symantec\DataLossPrevention\EnforceServer\Services\
  2. Modifying the following lines in the file SymantecDLPIncidentPersister.conf:
    # Initial Java Heap Size (in MB) [default 512]
    wrapper.java.initmemory=1024

    # Maximum Java Heap Size (in MB) [default 1024]
    wrapper.java.maxmemory=2048
  3. Restart the SymantecDLPIncidentPersister service.

 

Note : Make sure that to have enough physical memory on the Enforce and the Detection Servers when making the above changes. By default, the 4 DLP services on the Enforce Server take up a total of ~5 Gb of RAM.

 


Do not increase the memory beyond 31GB.
At 32GB you lose memory compression and it becomes counter-productive.
In most circumstances there are better ways to handle out of memory errors than increasing the memory beyond 31GB.