When ePO is configured to forward events to a syslog receiver, three copies of each event are forwarded.
If debug logging (log level 8) is enabled on the ePO server, you see messages similar to the following recorded in the EventParser_systemname.log file (<ePO installed folder>\DB\logs):
20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00000010, ret = 1
20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(312): SSL_CB_HANDSHAKE_START
20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1
20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP
20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(291): SIO_getsockopt(2276, SO_RCVTIMEO ) returned 0, value=10000
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(291): SIO_getsockopt(2276, SO_RCVTIMEO ) returned 0, value=10000
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(291): SIO_getsockopt(2276, SO_RCVTIMEO ) returned 0, value=10000
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00000020, ret = 1
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(317): SSL_CB_HANDSHAKE_DONE
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(323): SIO_setsockopt(2276, SO_RCVTIMEO, 0 ) returned 0
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001002, ret = 1
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(197): ** Handshake success*
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(241): Peer cert chain count: 1
==============================================================================================================
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(151): Using cached connection for 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(151): Using cached connection for 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514
==============================================================================================================
The important part here is that the same number of bytes is written three times to the same IP address in rapid succession. In the syslog system, three identical copies of the same event are recorded.
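The check described above can be run over a saved copy of the debug log. The following is an added example, not part of the original article or of the product's tooling; the function name and the final sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the "Wrote N SSL bytes ..." debug lines in the excerpt above.
WRITE_RE = re.compile(
    r"^(?P<ts>\d{14}) \S+ #\d+ MFEFIPS mfefips_SSLSubSys\.cpp\(\d+\): "
    r"Wrote (?P<sent>\d+) SSL bytes, trying to write \d+ bytes to (?P<dest>\S+)$"
)

def find_repeated_writes(lines, min_copies=3):
    """Return (timestamp, receiver, bytes, copies) for every group of writes
    that share a one-second timestamp, a receiver and a byte count.
    Equal size is only a heuristic for "same event": confirm on the receiver."""
    counts = Counter()
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m:
            counts[(m["ts"], m["dest"], int(m["sent"]))] += 1
    return sorted(key + (n,) for key, n in counts.items() if n >= min_copies)

# The first five lines are copied from the excerpt above; the last line is
# constructed to show a single, non-duplicated write.
SAMPLE_LOG = """\
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(151): Using cached connection for 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(151): Using cached connection for 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514
20220614112241 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 1875 SSL bytes, trying to write 1875 bytes to 10.10.10.100:6514
"""

if __name__ == "__main__":
    for ts, dest, size, copies in find_repeated_writes(SAMPLE_LOG.splitlines()):
        print(f"{ts}: {copies} writes of {size} bytes to {dest}")
```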