Events are forwarded three times to Syslog receivers
Last Modified: 3/27/2023
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Events are forwarded three times to Syslog receivers
Technical Articles ID:
KB95785
Last Modified: 3/27/2023 Environment
ePolicy Orchestrator (ePO) 5.10.x CU13
Problem
When ePO is configured to forward events to a syslog receiver, three copies of each event are forwarded. If debug logging (log level 8) is enabled on the ePO server, you see messages similar to the following recorded in the 20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(312): SSL_CB_HANDSHAKE_START 20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1 20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP 20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(291): SIO_getsockopt(2276, SO_RCVTIMEO ) returned 0, value=10000 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(291): SIO_getsockopt(2276, SO_RCVTIMEO ) returned 0, value=10000 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(291): SIO_getsockopt(2276, SO_RCVTIMEO ) returned 0, value=10000 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00000020, ret = 1 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(317*): SSL_CB_HANDSHAKE_DONE* 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(323): SIO_setsockopt(2276, SO_RCVTIMEO, 0 ) returned 0 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001002, ret = 1 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(197): ** Handshake success* 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(241): Peer cert chain count: 1 ============================================================================================================== 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(151): Using cached connection for 10.10.10.100:6514 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(151): Using cached connection for 10.10.10.100:6514 20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514 ============================================================================================================== The important part here is the same number of bytes are written three times to the same IP address in rapid succession. In the syslog system, three identical copies of the same event are recorded. Cause
An error in the event-forwarding retry loop causes the same event to be forwarded multiple times.
Solution
This issue is resolved in ePO 5.10.0 Update 14, which is available from either the Software Catalog or the Product Downloads site. NOTE: You need a valid Grant Number to access the update. To view other known and resolved issues, see KB90382 - ePolicy Orchestrator 5.10.x Known Issues. Affected ProductsLanguages:This article is available in the following languages: |
|