DCS/CSP File Collector is exiting with errors UT_0035 and FWC_0008

Article ID: 161542

Products

Critical System Protection, Data Center Security Server Advanced

Issue/Introduction

The File Collector component of DCS/CSP IDS is exiting unexpectedly.

FWC_0008: File collector queue is full. Events were lost. Increase the queue size or limit the number of files to watch to avoid losing events.

UT_0035: Unexpected error occurred while running thread: FileInitThread

Cause

This issue occurs when the File Collector has been configured to scan a very large number of files, for example when a mapped drive is added to the file watch list and wildcards are used to scan multiple files.

Resolution

DCS/CSP is not intended for use as a remote file integrity scanner. Symantec recommends a maximum of 20,000 watched files if the diff and checksum options are enabled.

If these functions are not enabled, a considerably higher number of files can be scanned, but the absolute limit depends on available resources and file size. The number of files scanned should be tuned accordingly and logs should be monitored for resource usage to ensure that the file collector does not run out of memory.
 

  1. Reduce the File Collector file list so that the list of watched files does not exceed 50,000.
  2. Set the IDS polling intervals to a minimum of 5 minutes to ensure adequate time to scan files between polls.
  3. Ensure Filewatch diff and checksum are not enabled (checksum is not enabled currently).
  4. Monitor for a recurrence of the UT_0035 error.
  5. If the UT_0035 error does not recur, the number of files scanned can be gradually increased.
  6. If the FWC_0008 error occurs, a workaround is to increase the File Collector queue buffer in LocalAgent.ini (see below).

The File Collector queue size is set in the LocalAgent.ini file and can be increased if necessary. The default size is 5000. Each event is flushed from the queue once it has been written to the log. It is advisable to increase the queue size in LocalAgent.ini to 8000 and monitor the logs to see whether the FWC_0008 issue recurs. There is also an FWC_0007 error, which indicates that the log has exceeded 80% of the assigned limit. If this limit is insufficient, it can be raised further, up to the 20,000 limit, until a suitable level is found.
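A pre-deployment check for the watch list, as an added example (not Symantec code): it expands wildcard patterns and compares the number of unique files with the 20,000 and 50,000 figures given in this article. It assumes Python's `glob` matching, which may differ from DCS/CSP's own wildcard handling; the function names are hypothetical.

```python
import glob
import os
import sys

# Figures from the article: 20,000 watched files when diff/checksum are
# enabled; 50,000 is the reduced list size given in resolution step 1.
LIMIT_DIFF_CHECKSUM = 20_000
LIMIT_STEP_ONE = 50_000


def expand_watch_list(patterns, stop_after):
    """Return (per_pattern_counts, unique_total, over_limit).

    Enumeration stops as soon as more than `stop_after` unique files have been
    seen, so a wildcard over a large mapped drive is not walked to the end.
    """
    seen = set()
    per_pattern = {}
    for pattern in patterns:
        matched = 0
        for path in glob.iglob(pattern, recursive=True):
            if not os.path.isfile(path):
                continue  # directories are not counted as watched files
            matched += 1
            seen.add(os.path.realpath(path))  # overlapping patterns count once
            if len(seen) > stop_after:
                per_pattern[pattern] = matched
                return per_pattern, len(seen), True
        per_pattern[pattern] = matched
    return per_pattern, len(seen), False


def assess(patterns, diff_checksum_enabled, limit=None):
    """Summarise a candidate watch list against the applicable limit."""
    if limit is None:
        limit = LIMIT_DIFF_CHECKSUM if diff_checksum_enabled else LIMIT_STEP_ONE
    per_pattern, total, over = expand_watch_list(patterns, limit)
    largest = max(per_pattern, key=per_pattern.get) if per_pattern else None
    return {"limit": limit, "total": total, "over_limit": over,
            "per_pattern": per_pattern, "largest": largest}


if __name__ == "__main__":
    # Usage: script.py PATTERN [PATTERN ...]   (assumes diff/checksum enabled)
    report = assess(sys.argv[1:], diff_checksum_enabled=True)
    for pattern, count in report["per_pattern"].items():
        print(f"{count:>8}  {pattern}")
    state = "OVER (count stopped early)" if report["over_limit"] else "within"
    print(f"unique files: {report['total']}, {state} limit {report['limit']}")
```

When the result is over the limit, `largest` names the pattern that matched the most files before counting stopped, which is the first candidate for narrowing.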