Event filtering setting not honored when using the option 'Forward to Syslog'
Last Modified: 2022-04-04 04:49:57 Etc/GMT
Technical Articles ID:
KB95443
Environment
ePolicy Orchestrator (ePO) 5.10.0 Update 1 and later
Problem
Event filtering isn't honored when you select the option to only Forward to Syslog. When you configure a specific Event ID to be forwarded only to a Registered Syslog receiver, the Event ID is still sent to both the ePO database and the Syslog receiver.

Events recorded in the Event Parser logs show both paths being taken. The first line shows the Event Parser accepting the event file; the lines that follow show the syslog forwarder opening a TLS connection to the registered receiver (x.x.x.x:6514) and writing the event to it:

I #06344 EVNTPRSR Succeeded <EPOEvent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\2fc70143-abcc-4313-966a-5cd8580016e0-mc_202203162326344159867000019E0.xml.
X #06280 EVNTPRSR source\SyslogForwarder.cpp(373): Found cached work item data for tenant 1: bpsid=1, guid={CB2D518E-D360-477A-9822-F22EA99F71A4}, nodepath=1\2
X #06280 MFEFIPS mfefips_SSLSubSys.cpp(160): Creating new connection for x.x.x.x:6514
I #06280 MFEFIPS Trying handshake for x.x.x.x:6514...
X #06280 MFEFIPS mfefips_SSLSubSys.cpp(394): Wrote 1350 SSL bytes, trying to write 1350 bytes to x.x.x.x:6514

Solution
We investigated this issue and a Proof of Concept (POC) build is available to resolve it. To obtain the POC build, log on to the ServicePortal and create a Service Request. Include this article number in the Problem Description field.
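To confirm that your ePO server is affected before you open the Service Request, check whether Event IDs you configured as Forward to Syslog only are still being written to the ePO database. The query below is an added example and is not part of this article or of the ePO product; it assumes the ePO SQL Server database exposes the dbo.EPOEvents table with ThreatEventID and ReceivedUTC columns, and the event IDs and the filter-change timestamp are placeholders you replace with your own values.

```sql
-- Added example (not from the KB article). Run against the ePO SQL Server database.
-- Assumptions: dbo.EPOEvents exposes ThreatEventID and ReceivedUTC.
-- Replace the timestamp with the time you set the events to "Forward to Syslog" only.
DECLARE @FilterChangedUTC datetime2 = '2022-03-16T00:00:00';

-- Event IDs you configured as "Forward to Syslog" only (placeholder values).
DECLARE @SyslogOnly TABLE (ThreatEventID int PRIMARY KEY);
INSERT INTO @SyslogOnly (ThreatEventID) VALUES (1092), (1095);

-- Any row returned is an event that should have bypassed the database
-- but was inserted anyway after the filter was changed.
SELECT e.ThreatEventID,
       COUNT(*)           AS RowsInDatabase,
       MIN(e.ReceivedUTC) AS FirstReceivedUTC,
       MAX(e.ReceivedUTC) AS LastReceivedUTC
FROM dbo.EPOEvents AS e
JOIN @SyslogOnly AS s
  ON s.ThreatEventID = e.ThreatEventID
WHERE e.ReceivedUTC >= @FilterChangedUTC
GROUP BY e.ThreatEventID
ORDER BY LastReceivedUTC DESC;
```

An empty result set means the filter is being honored for those Event IDs. Rows with a ReceivedUTC after the filter change reproduce the symptom described above; include them, together with the matching Event Parser log lines, in the Problem Description of the Service Request.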