Due to varied circumstances, the 'incidents' directory on a Red Hat Data Loss Prevention Enforce server may fill with queued incidents whose files carry the .bad extension. This extension signifies that Data Loss Prevention failed to process the incident (for any number of reasons). During troubleshooting, it may become advantageous to attempt re-processing of the '.bad' incidents. To do so, an administrator may need to change a large quantity of incidents back to '.idc'.
The attached script (resetIDC.sh) performs a large-scale change of '.bad' extensions to '.idc'. To implement the script, follow these instructions:
Download the script and move it into the /var/SymantecDLP/incidents/ directory on the Enforce server. This path may vary depending on the installation.
Ensure correct permissions on the script exist to allow execution by the root or protect user.
Run the script as follows: './resetIDC.sh'
The script may take some time to run. If too many incidents are added back into the environment at once, restarting IncidentPersister may be necessary so that it processes the re-queued incidents in batches. If incidents are still actively being changed to '.bad', address the outstanding issue in the environment before attempting a bulk extension change again; otherwise the renamed incidents will simply fail again.
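The following is an added example that illustrates what a bulk '.bad' to '.idc' rename looks like; it is not the attached resetIDC.sh and should not be taken as its contents. It assumes the default incidents path named above (/var/SymantecDLP/incidents), refuses to overwrite an '.idc' file that already exists for the same incident, and reports how many files were renamed. The demo function builds its own scratch directory with constructed file names so the example can be exercised without touching a real Enforce server.

```shell
#!/bin/sh
# Added example (not the KB article's attached resetIDC.sh): rename queued
# incidents from the '.bad' extension back to '.idc' so IncidentPersister
# picks them up again. The default directory is the path named in the
# article; pass a different directory as the first argument to override it.

# Rename every *.bad in the given directory to *.idc.
# Prints the number of files renamed on stdout; a '.bad' file whose '.idc'
# counterpart already exists is left alone and reported on stderr.
reset_idc() {
    dir="${1:-/var/SymantecDLP/incidents}"
    count=0
    for f in "$dir"/*.bad; do
        [ -e "$f" ] || continue           # no .bad files: the glob stays literal
        target="${f%.bad}.idc"
        if [ -e "$target" ]; then
            echo "skip: $target already exists" >&2
            continue
        fi
        mv -- "$f" "$target" && count=$((count + 1))
    done
    echo "$count"
}

# Count the *.bad files still present in a directory (used by the demo).
count_bad() {
    n=0
    for f in "$1"/*.bad; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed demo: a scratch directory with three '.bad' files, an
# unrelated '.idc', a colliding 'inc3.idc', and a non-incident file.
# Prints "<renamed> <remaining .bad>", which is "2 1" for this layout.
demo_reset_idc() {
    tmp="$(mktemp -d)"
    for n in 1 2 3; do : > "$tmp/inc$n.bad"; done
    : > "$tmp/inc4.idc"
    : > "$tmp/inc3.idc"                    # collision: inc3.bad must be skipped
    : > "$tmp/notes.txt"
    renamed="$(reset_idc "$tmp")"
    remaining="$(count_bad "$tmp")"
    rm -rf "$tmp"
    echo "$renamed $remaining"
}

if [ -n "${1:-}" ]; then
    reset_idc "$1"       # e.g. ./reset_idc_example.sh /var/SymantecDLP/incidents
else
    demo_reset_idc       # no argument: exercise the function on constructed files
fi
```

Run with the incidents directory as the only argument to perform the rename; with no argument it only runs the self-contained demo. The collision check matters because a '.idc' and a '.bad' with the same base name would otherwise be collapsed into one file, silently losing an incident.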