当 ePO 配置为将事件转发到 syslog 接收器时,会转发每个事件的三个副本。
如果在 ePO 服务器上启用调试日志记录(日志级别8),则会看到类似于(
<ePO installed folder>\DB\logs )文件中
EventParser_systemname.log 记录的以下消息:
20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00000010, ret = 1
20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(312): SSL_CB_HANDSHAKE_START
20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1
20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP
20220614112238 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(291): SIO_getsockopt(2276, SO_RCVTIMEO ) returned 0, value=10000
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(291): SIO_getsockopt(2276, SO_RCVTIMEO ) returned 0, value=10000
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001001, ret = 1
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(282): SSL_CB_CONNECT_LOOP
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(291): SIO_getsockopt(2276, SO_RCVTIMEO ) returned 0, value=10000
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00000020, ret = 1
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(317*): SSL_CB_HANDSHAKE_DONE*
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(323): SIO_setsockopt(2276, SO_RCVTIMEO, 0 ) returned 0
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(274): SSL callback, where = 0x00001002, ret = 1
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(197): ** Handshake success*
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(241): Peer cert chain count: 1
==============================================================================================================
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(151): Using cached connection for 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(151): Using cached connection for 10.10.10.100:6514
20220614112239 X #04980 MFEFIPS mfefips_SSLSubSys.cpp(409): Wrote 3201 SSL bytes, trying to write 3201 bytes to 10.10.10.100:6514
==============================================================================================================
The important part here is the same number of bytes are written three times to the same IP address in rapid succession. In the syslog system, three identical copies of the same event are recorded.