The errors below are recorded in the EPOAPSVR_<systemname>.log file (<ePO installed folder>\DB\logs):
20220621154253 I #09944 EVNTPRSR Loading syslog receiver list
20220621154253 I #07564 EVNTPRSR Event listener started.
20220621154253 X #09944 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
20220621154253 I #09944 EVNTPRSR Found '10.10.10.100:6514'
20220621154253 I #09944 EVNTPRSR Loaded 1 receivers
20220621154253 I #12616 EVNTPRSR Syslog thread starting
20220621154254 X #10208 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
20220621154254 I #10208 PLUGNMGR Loading: C:\PROGRA~2\MCAFEE\EPOLIC~1\DB\PLUGIN\EPOSRV__4000\EPOEVENTS.18426.DLL
20220621154254 I #10208 PLUGNMGR Loaded: C:\PROGRA~2\MCAFEE\EPOLIC~1\DB\PLUGIN\EPOSRV__4000\EPOEVENTS.18426.DLL
20220621154254 X #10208 EVNTPRSR source\server.cpp(1357): Processing <EPOEvent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\8c6698cd-76f0-42fd-8218-399c792ec737-mc_2022062115232642078110008A262.xml.
20220621154256 X #13300 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
20220621154256 X #13300 EVNTPRSR source\SyslogForwarder.cpp(322): Querying database for work item data for tenant 1
20220621154256 X #13300 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
20220621154256 X #13300 EVNTPRSR source\SyslogForwarder.cpp(354): Caching work item data tenant 1 : bpsid=1, guid={00000000-0000-0000-0000-000000000000}, nodepath=1\2
20220621154256 X #13300 EVNTPRSR source\SyslogForwarder.cpp(378): Consruct new work item for tenant 1: bpsid=1, guid={00000000-0000-0000-0000-000000000000}, nodepath=1\2
20220621154256 X #09136 EVNTPRSR source\SyslogForwarder.cpp(373): Found cached work item data for tenant 1: bpsid=1, guid={00000000-0000-0000-0000-000000000000}, nodepath=1\2
20220621154256 X #09136 MFEFIPS mfefips_SSLSubSys.cpp(402): Failed to find/create SSL connection to 10.10.10.100:6514
20220621154256 E #09136 EVNTPRSR source\SyslogForwarder.cpp(138): Failed to send data to syslog receiver: 10.10.10.100:6514
20220621154256 X #09136 MFEFIPS mfefips_SSLSubSys.cpp(412): Discarding cached connections for 10.10.10.100:6514
20220621154256 W #09136 MFEFIPS Ignoring host 10.10.10.100:6514 for 2 minutes
20220621154256 X #07308 EVNTPRSR source\SyslogForwarder.cpp(373): Found cached work item data for tenant 1: bpsid=1, guid={00000000-0000-0000-0000-000000000000}, nodepath=1\2
20220621154256 X #07308 EVNTPRSR source\SyslogForwarder.cpp(378): Consruct new work item for tenant 1: bpsid=1, guid={00000000-0000-0000-0000-000000000000}, nodepath=1\2
20220621154256 X #13208 EVNTPRSR source\SyslogForwarder.cpp(378): Consruct new work item for tenant 1: bpsid=1, guid={00000000-0000-0000-0000-000000000000}, nodepath=1\2
20220621154256 X #12416 EPOEVENTS epoevents_dao.cpp(324): Events AutoID 5195910
20220621154256 X #12416 EPOEVENTS epoevents_dao.cpp(243): Event insert command INSERT INTO [EPExtendedEventMT]([AccessRequested],[AMCoreContentVersion],[AnalyzerContentCreationDate],[AnalyzerGTIQuery],[AttackVectorType],[BladeName],[Cleanable],[DurationBeforeDetection],[FirstActionStatus],[FirstAttemptedAction],[NaturalLangDescription],[SecondActionStatus],[SecondAttemptedAction],[TargetAccessTime],[TargetCreateTime],[TargetFileSize],[TargetHash],[TargetModifyTime],[TargetName],[TargetPath],[TaskName],[ThreatDetectedOnCreation],[EventAutoID])
20220621154256 X #12416 EPOEVENTS VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);
20220621154256 I #12416 EVNTPRSR Succeeded <EPOevent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\0833b8c0-3cbf-4596-87fa-6a95ff4f0c87-mc_20220621154111537574000001A98.txml.
20220621154256 X #12416 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
20220621154256 X #12416 EVNTPRSR source\SyslogForwarder.cpp(373): Found cached work item data for tenant 1: bpsid=1, guid={00000000-0000-0000-0000-000000000000}, nodepath=1\2
20220621154256 X #12416 EVNTPRSR source\SyslogForwarder.cpp(378): Consruct new work item for tenant 1: bpsid=1, guid={00000000-0000-0000-0000-000000000000}, nodepath=1\2
NOTE: The "Succeeded <EPOevent>" entry shows that the event was parsed and inserted into the ePO database (the EPExtendedEventMT insert above). The "Failed to send data to syslog receiver" error, preceded by the MFEFIPS "Failed to find/create SSL connection to 10.10.10.100:6514" entry, shows that the same events are not forwarded to the syslog server: the forwarder cannot establish the TLS connection to the receiver, discards any cached connections to it, and ignores that host for 2 minutes before retrying.
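The triage script below is an added example, not part of the original article or of the ePO product: it parses EPOAPSVR_<systemname>.log lines in the format shown above (timestamp, severity letter, #thread, component, message), correlates the receiver list, the MFEFIPS SSL failure, the send failure and the 2-minute backoff per receiver, and counts successfully inserted events, so you can tell from the log alone whether events reach the database but not the syslog server. The sample log is a constructed excerpt in the same shape as the lines above; the assumption that "X" entries are verbose/trace output and the function names are the author's own.

```python
"""Triage ePO EPOAPSVR log lines for syslog-forwarding failures (added example)."""
import re
from datetime import datetime

# Constructed sample in the shape of the EPOAPSVR log excerpt; thread ids,
# paths and source line numbers are illustrative only.
SAMPLE_LOG = r"""
20220621154253 I #09944 EVNTPRSR Loading syslog receiver list
20220621154253 I #09944 EVNTPRSR Found '10.10.10.100:6514'
20220621154253 I #09944 EVNTPRSR Loaded 1 receivers
20220621154256 X #09136 MFEFIPS mfefips_SSLSubSys.cpp(402): Failed to find/create SSL connection to 10.10.10.100:6514
20220621154256 E #09136 EVNTPRSR source\SyslogForwarder.cpp(138): Failed to send data to syslog receiver: 10.10.10.100:6514
20220621154256 X #09136 MFEFIPS mfefips_SSLSubSys.cpp(412): Discarding cached connections for 10.10.10.100:6514
20220621154256 W #09136 MFEFIPS Ignoring host 10.10.10.100:6514 for 2 minutes
20220621154256 I #12416 EVNTPRSR Succeeded <EPOevent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\0833b8c0-mc_20220621154111537574000001A98.txml.
"""

# Line layout: YYYYMMDDHHMMSS <I|W|E|X> #<thread> <COMPONENT> <message>
# (assumption: I=info, W=warning, E=error, X=verbose/trace)
LINE_RE = re.compile(
    r"^(?P<ts>\d{14}) (?P<level>[IWEX]) #(?P<thread>\d+) (?P<component>\S+) (?P<msg>.*)$"
)
RECEIVER_RE = re.compile(r"Found '(?P<host>[^']+)'")
SSL_FAIL_RE = re.compile(r"Failed to find/create SSL connection to (?P<host>\S+)")
SEND_FAIL_RE = re.compile(r"Failed to send data to syslog receiver: (?P<host>\S+)")
BACKOFF_RE = re.compile(r"Ignoring host (?P<host>\S+) for (?P<minutes>\d+) minutes")
SUCCEEDED_RE = re.compile(r"^Succeeded <EPOevent>")


def parse_line(line):
    """Split one log line into its fields; return None for lines not in the format."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%Y%m%d%H%M%S")
    return rec


def analyze(log_text):
    """Aggregate receiver list, per-host failures/backoff and DB insert count."""
    report = {
        "receivers": [],      # hosts loaded from the syslog receiver list
        "ssl_failures": {},   # host -> number of MFEFIPS SSL connection failures
        "send_failures": {},  # host -> number of EVNTPRSR send failures
        "backoff": {},        # host -> minutes the forwarder ignores the host
        "db_inserts": 0,      # events parsed into the ePO database
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := RECEIVER_RE.search(msg)):
            report["receivers"].append(m["host"])
        elif (m := SSL_FAIL_RE.search(msg)):
            report["ssl_failures"][m["host"]] = report["ssl_failures"].get(m["host"], 0) + 1
        elif (m := SEND_FAIL_RE.search(msg)):
            report["send_failures"][m["host"]] = report["send_failures"].get(m["host"], 0) + 1
        elif (m := BACKOFF_RE.search(msg)):
            report["backoff"][m["host"]] = int(m["minutes"])
        elif SUCCEEDED_RE.search(msg):
            report["db_inserts"] += 1
    return report


def diagnose(report):
    """Return one finding per receiver that events are inserted but not forwarded to."""
    findings = []
    for host in report["receivers"]:
        sends = report["send_failures"].get(host, 0)
        if sends == 0:
            continue
        cause = ("TLS connection to the receiver could not be established"
                 if report["ssl_failures"].get(host) else "send failed (no SSL error logged)")
        backoff = report["backoff"].get(host)
        findings.append(
            f"{host}: {sends} forwarding failure(s), {cause}; "
            f"{report['db_inserts']} event(s) inserted into the ePO database"
            + (f"; host ignored for {backoff} minutes before retry" if backoff else "")
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(analyze(SAMPLE_LOG)):
        print(finding)
```

Run it against the real file with `analyze(open(path, encoding="utf-8", errors="replace").read())`; a receiver that appears in "receivers" with send failures and a non-zero db_inserts count is exactly the "parsed to the database, not forwarded to syslog" situation the note describes, and an SSL failure on the same host points at the TLS connection to port 6514 rather than at event parsing.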