DLP Web Archive fails with over 10000 incidents. Error 2404
search cancel

DLP Web Archive fails with over 10000 incidents. Error 2404

book

Article ID: 164291

calendar_today

Updated On:

Products

Data Loss Prevention Data Loss Prevention Enforce

Issue/Introduction

When attempting to create a web archive that has more than 10000 incidents, it creates the directory tree on disk but immediately completes without extracting any incidents.

The following error is displayed on the "incident_list.html".

The incident list is too big to display as it contains more than 10,000 incidents.

<event type="system_overview.event.level.Severe" severityID="3" id="13224515" code="2402"><time>1478613759222</time><server></server><message>Export web archive failed</message></event>

Environment

DLP 15.x

DLP 16.0

Cause

In DLP maximum number of incidents in a report exported using the Web Archiver is by default set to 10000, this limit can be changed depending on server CPU and RAM using a configuration file. 

Resolution

DLP 16.0 MP2 HF1, 16.0 RU

On 16.0 MP2 HF1 and above, to export more than 10,000 incidents, go to:

Windows: <drive>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\config\Enforce.properties

Linux:  /opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect/config/Enforce.properties

And increase to value in the following setting: com.vontu.manager.restapi.incidentlist.max_incidents_threshold

DLP 15.x

On the Enforce server locate the "Manager.properties" located at "<Install Drive>/Symantec/DataLossPrevention/EnforceServer\15.x./Protect/config/Manager.properties"  and adjust the following settings:

#Incident caps to protect against out of memory problems

#The maximum number of incidents that may be displayed when clicking show all on an incident list page

com.vontu.manager.maxshowallincidents = 10000

#The maximum number of incidents allowed in a report exported using the Web Archiver

com.vontu.manager.maxwebarchiveincidents = 10000

#The maximum number of incidents allowed in a report exported through an Auto report email by data owner

com.vontu.manager.maxautodistributionincidents = 10000

Restart the Symantec DLP Manager service and retry the archive.

 

Additional Information

In 16.0 GA - 16.0 MP2, the export function was hard-coded, so that any changes to the Enforce.properties file did not have the intended effect.

Thus, upgrading to 16.0 MP2 HF1 or 16.0 RU1 is required to enable this setting successfully.

 

Powered by Wolken Software