DLP Incidents Written to Traffic Log but Missing from Reports
- Article Number: 000016059
- Products: Data Security, Forcepoint DLP, TRITON AP-DATA
- Version: 8.7, 8.6, 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.8
- Last Published Date: June 19, 2020
When the Traffic Log is filtered for incidents, entries for DLP agents such as the WCG or ESG are shown. However, the DLP reports contain no corresponding incidents. Incidents are being inserted for some agents, but some incidents are missing.
For DLP versions 8.2 and above, check the dbs.all log under the %JETTY_HOME%service-container\container\logs\dbs folder.
For older versions, the log is under the %DSS_HOME%tomcat\logs\dlp\dlp.all folder. Look for an error similar to the following:
"2018-06-19 13:22:53,639 [org.springframework.jms.listener.DefaultMessageListenerContainer#0-2] ERROR com.websense.server.event.applicationservice.EventServicesApplicationServiceImpl - validateBulkInsertIncidents - Failed to insert event. Cannot find Policy Engine with hostname: xxxxxxxxxxxxxxxxxxxxxx. Event id is: xxxxxxxxxxxxxxxxxx"
The source of the issue may be that the component was registered with a hostname that differs from the one the component is currently using, so its incidents cannot be inserted.
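To see which hostnames the server failed to match, and how many incidents each one dropped, the error above can be tallied per hostname. This is an added example, not Forcepoint code; the function name, sample hostnames and event ids are constructed, and the line format is assumed to match the error quoted in this article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the insertion error quoted in the article (surrounding quotes optional).
PATTERN = re.compile(
    r'^"?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*?'
    r"validateBulkInsertIncidents - Failed to insert event\. "
    r"Cannot find Policy Engine with hostname: (?P<host>\S+?)\. "
    r'Event id is: (?P<event>\S+?)"?$'
)

def summarize_unmatched_hosts(lines):
    """Group insertion failures by the hostname the server could not match."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "events": []})
    for line in lines:
        m = PATTERN.match(line.strip())
        if not m:
            continue  # not the error this article describes
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        entry = summary[m["host"]]  # kept as logged, to compare with System Modules
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["events"].append(m["event"])
    return dict(summary)

# Constructed sample lines in the article's format; hostnames and event ids are made up.
_PREFIX = ("[org.springframework.jms.listener.DefaultMessageListenerContainer#0-2] ERROR "
           "com.websense.server.event.applicationservice.EventServicesApplicationServiceImpl - ")

def _err(ts, host, event):
    return (f"{ts} {_PREFIX}validateBulkInsertIncidents - Failed to insert event. "
            f"Cannot find Policy Engine with hostname: {host}. Event id is: {event}")

SAMPLE_LOG = [
    _err("2018-06-19 13:22:53,639", "wcg01.example.test", "1001"),
    f"2018-06-19 13:23:01,102 {_PREFIX}unrelated message",
    _err("2018-06-19 13:24:10,004", "wcg01.example.test", "1002"),
    _err("2018-06-19 13:25:10,250", "esg01", "2001"),
]

if __name__ == "__main__":
    for host, info in summarize_unmatched_hosts(SAMPLE_LOG).items():
        print(f"{host}: {info['count']} failed inserts, "
              f"{info['first']} to {info['last']}, event ids {info['events']}")
```

To run it against a real log, pass an open file handle for dbs.all instead of `SAMPLE_LOG`; each hostname it reports is one to compare with the name shown for that component in System Modules.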
The simplest resolution to this issue is to delete the entries from System Modules, then re-register the components with Forcepoint DLP.
If there continue to be issues, please open a case with Technical Support, refer to this article number, and attach the logs mentioned above.
Keywords: DLP Data Security Manager; Deployment Issue; WCG Content Gateway Issue; ESG Email Security Issue; Protector Issue; Web UI Issue; DLP Console Not Working; Deployment Error; Missing Incident; Incident Insertion; Incident Backlog