SEC Messages

SEC-1033

Message: Invalid character used in member parameter to add switch to SCC policy; command terminated.

Message Type:LOG

Severity:ERROR

Probable Cause: Indicates that a member parameter in the secpolicy defined-policy command is invalid (for example, it may include an invalid character, such as an asterisk). A valid switch identifier (WWN, or switch name) must be provided as a member parameter in the secpolicy defined-policy command.

Recommended Action: Execute the secpolicy defined-policy command using a valid switch identifier (WWN, or switch name) to add specific switches to the switch connection control (SCC) policy.

SEC-1034

Message: Invalid member <policy member>.

Message Type:LOG

Severity:ERROR

Probable Cause: Indicates that the input list has an invalid member.

Recommended Action: Verify the member names and input the correct information.

SEC-1036

Message: Device name <device name> is invalid due to a missing colon.

Message Type:LOG

Severity:ERROR

Probable Cause: Indicates that one or more device names mentioned in the secpolicy defined-policy command does not have the colon character (:).

Recommended Action: Execute the secpolicy defined-policy command with a properly formatted device name parameter.

SEC-1037

Message: Invalid WWN format <invalid WWN>.

Message Type:LOG

Severity:ERROR

Probable Cause:Indicates that the World Wide Name (WWN) entered in the policy member list had an invalid format.

Recommended Action: Execute the command again using the standard WWN format, that is, 16 hexadecimal digits grouped as eight colon separated pairs. For example: 50:06:04:81:D6:F3:45:42.

SEC-1044

Message: Duplicate member <member ID> in (<List>).

Message Type:LOG

Severity:ERROR

Probable Cause: Indicates that the specified member is a duplicate in the input list. The list can be a policy list or a switch member list.

Recommended Action: Do not specify any duplicate members.

SEC-1071

Message: No new security policy data to apply.

Message Type:LOG

Severity:ERROR

Probable Cause: Indicates that there are no changes in the defined security policy database to be activated.

Recommended Action: Verify that the security event was planned. Change some policy definitions and execute the secpolicy activate command to activate the policies.

SEC-1180

Message: Added account <user name> with <role name> authorization.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that the specified new account has been created.

Recommended Action: No action is required.

SEC-1181

Message: Deleted account <user name>.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that the specified account has been deleted.

Recommended Action: No action is required.

SEC-1184

Message: <configuration> configuration change, action <action>, server ID <server>, VRF <vrf>.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that the specified action is applied to remote AAA (RADIUS/TACACS+) server configuration. The possible actions are ADD, REMOVE, CHANGE, and MOVE.

Recommended Action: No action is required.

SEC-1185

Message: <action> switch DB.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that the switch database was enabled or disabled as the secondary authentication, authorization, and accounting (AAA) mechanism when the remote authentication dial-in user service (RADIUS) or Lightweight Directory Access Protocol (LDAP) is the primary AAA mechanism.

Recommended Action: No action is required.

SEC-1187

Message: Security violation: Unauthorized switch <switch WWN> tries to join fabric.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that a switch connection control (SCC) security violation was reported. The specified unauthorized switch attempts to join the fabric.

Recommended Action: Check the switch connection control policy (SCC) policy to verify the switches are allowed in the fabric. If the switch should be allowed in the fabric but it is not included in the SCC policy, add the switch to the policy using the secpolicy defined-policy scc_policy member-entry command. If the switch is not allowed access to the fabric, this is a valid violation message and an unauthorized entity is trying to access your fabric. Take appropriate action as defined by your enterprise security policy.

SEC-1189

Message: Security violation: Unauthorized host with IP address <IP address> tries to do SNMP write operation.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that a Simple Network Management Protocol (SNMP) security violation was reported. The specified unauthorized host attempted to perform an SNMP write operation.

Recommended Action: Check the WSNMP policy (read/write SNMP policy) and verify which hosts are allowed access to the fabric through SNMP. If the host is allowed access to the fabric but is not included in the policy, add the host to the policy.

If the host is not allowed access to the fabric, this is a valid violation message and an unauthorized entity is trying to access your fabric. Take appropriate action as defined by your enterprise security policy.

SEC-1190

Message: Security violation: Unauthorized host with IP address <IP address> tries to do SNMP read operation.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that a Simple Network Management Protocol (SNMP) security violation was reported. The specified unauthorized host attempted to perform an SNMP read operation.

Recommended Action: Check the RSNMP policy (read-only SNMP policy) to verify the hosts that are allowed access to the fabric through SNMP read operations are included in the RSNMP policy. If the host is allowed access but is not included in the RSNMP policy, add the host to the policy. If the host is not allowed access to the fabric, this is a valid violation message and an unauthorized entity is trying to access your fabric. Take appropriate action as defined by your enterprise security policy.

SEC-1191

Message: Security violation: Unauthorized host with IP address <Ip address> tries to establish HTTP connection.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that a Hypertext Transfer Protocol (HTTP) security violation was reported. The specified unauthorized host attempted to establish an HTTP connection.

Recommended Action: Determine whether the host IP address specified in the message can be used to manage the fabric through an HTTP connection. If so, add the host IP address to the HTTP policy of the fabric. If the host is not allowed access to the fabric, this is a valid violation message and an unauthorized entity is trying to access your fabric. Take appropriate action as defined by your enterprise security policy.

SEC-1192

Message: Security violation: Login failure attempt via <connection method>.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that a serial or modem login security violation was reported. An incorrect password was used while trying to log in through a serial or modem connection; the log in failed.

Recommended Action: Use the correct password.

SEC-1193

Message: Security violation: Login failure attempt via <connection method>. IP Addr: <IP address>.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that a login security violation was reported. The wrong password was used while trying to log in through the specified connection method; the log in failed. The violating IP address is displayed in the message.

Recommended Action: Verify that the specified IP address is being used by a valid switch administrator. Use the correct password.

SEC-1197

Message: Changed account <user name>.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that the specified account has changed.

Recommended Action: No action is required.

SEC-1199

Message: Security violation: Unauthorized access to serial port of switch <switch instance>.

Message Type:LOG

Severity:INFO

Probable Cause: Indicates that a serial connection policy security violation was reported. An attempt was made to access the serial console on the specified switch instance when it is disabled.

Recommended Action:Check to see if an authorized access attempt was made on the console. If so, add the switch World Wide Name (WWN) to the serial policy using the secpolicy defined-policy scc_policy member-entry command. If the host is not allowed access to the fabric, this is a valid violation message and an unauthorized entity is trying to access your fabric. Take appropriate action as defined by your enterprise security policy.

SEC-1203

Message: Login information: Login successful via TELNET/SSH/RSH. IP Addr: <IP address>.

Message Type: LOG

Severity:INFO

Probable Cause:Indicates that the remote log in of the specified IP address was successful.

Recommended Action: No action is required.

SEC-1204

Message: Root access mode is configured to <Mode>.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that the root access mode is changed.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-1205

Message: Login information: User [<User>] Last Successful Login Time : <last_successful_login_time> and Fail count : <fail_count>.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates the last successful login time and the failed attempt count for the specified user.

Recommended Action: No action is required.

SEC-1206

Message: Login information: User [<User>] Last Successful Login Time : <last_successful_login_time>.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates the last successful login time for the specified user.

Recommended Action: No action is required.

SEC-1307

Message: <RADIUS/TACACS+/LDAP server identity> server <server> authenticated user account '<username>'.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that the specified AAA (RADIUS/TACACS+/LDAP) server responded to a switch request after some servers timed out.

Recommended Action:If the message appears frequently, reconfigure the list of servers so that the responding server is the first server on the list.

SEC-1308

Message: All <RADIUS/TACACS+/LDAP server identity> servers failed to authenticate user account '<username>'.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that all servers in the remote AAA (RADIUS/TACACS+/LDAP) service configuration have failed to respond to a switch request within the configured timeout period.

Recommended Action: Verify that the switch has proper network connectivity to the specified AAA (RADIUS/TACACS+/LDAP) servers and the servers are correctly configured.

SEC-1312

Message: passwdcfg params changed as (<changed param>:<old value> -> <new value>).

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that the password attributes have been changed.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-1313

Message: The password attributes parameters were set to default values.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that the password attributes were set to default values.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required.If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-1325

Message: Security enforcement: Switch <switch WWN> connecting to port <Port number> is not authorized to stay in fabric.

Message Type:LOG

Severity:ERROR

Probable Cause: Indicates that the specified switch is being disabled on the specified port because of a switch connection control (SCC) policy violation.

Recommended Action: No action is required unless the switch must remain in the fabric. If the switch must remain in the fabric, add the switch World Wide Name (WWN) to the SCC policy using the secpolicy defined-policy scc_policy member-entry command, then attempt to join the switch with the fabric.

SEC-1329

Message: IPFilter enforcement:Failed to enforce ipfilter policy of <Policy Type> type because of <Error code>.

Message Type:LOG

Severity:ERROR

Probable Cause: Indicates that the IP filter policy enforcement failed because of an internal system failure.

Recommended Action: Execute the copy support command and contact your switch service provider.

SEC-1334

Message: local security policy <Event name>.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that the specified event has occurred.

Recommended Action:Verify that the event was planned. If the event was planned, no action is required. If the event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-1335

Message: local security policy <Event name> WWN <Member WWN>.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that the specified event has occurred.

Recommended Action: Verify that the event was planned. If the event was planned, no action is required. If the event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-1336

Message: Missing file <file name> is replaced with default configuration.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that the specified file is missing and it has been replaced with the default file.

Recommended Action: No action is required.

SEC-1337

Message: Failed to access file <file name> and reverted the configuration.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that the specified file was not accessible.

Recommended Action: No action is required.

SEC-1338

Message: Accounting message queue 90 percent full, some messages may be dropped.

Message Type:LOG

Severity:WARNING

Probable Cause: Cause Indicates that the server is unreachable.

Recommended Action:No action is required.

SEC-1339

Message: Accounting message queue within limits all messages will be processed.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that the server is now reachable.

Recommended Action: No action is required.

SEC-1340

Message: All TACACS+ servers failed to account user activity. Status is <return_status>

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that the accounting has failed

Recommended Action: Check secret key value.

SEC-1341

Message: Security violation: Login failure attempt outside the access time via <connection method>.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that a serial or modem login security violation was reported. User attempted to login outside the access time window through the specified connection method; the log in failed.

Recommended Action: Verify the login access time for the user. If needed update the access time as required.

SEC-1342

Message: Security violation: Login failure attempt outside access time by user [<user>] via <connection method>. IP Addr: <IP address>.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that a login security violation was reported. User attempted to login outside the access time window through the specified connection method; the log in failed.

Recommended Action: Verify the login access time for the user. If needed update the access time as required.

SEC-1343

Message: All RADIUS servers failed to account user activity. Status is <return_status>.

Message Type:LOG

Severity: INFO

Probable Cause: Indicates that the accounting has failed.

Recommended Action: Check secret key value.

SEC-3014

Message: Event: <Event Name>, Status: success, Info: <Event related info> <Event option> server <Server Name> vrf <VRF> for AAA services.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the AAA (RADIUS/TACACS+) server configuration has been changed manually.

Recommended Action:Verify that the RADIUS/TACACS+ configuration was changed intentionally. If the RADIU/TACACS+ configuration was changed intentionally, no action is required. If the RADIUS/TACACS+ configuration was not changed intentionally, take appropriate action as defined by your enterprise security policy.

SEC-3016

Message: Event: <Event Name>, Status: success, Info: Attribute [<Attribute Name>] of <Attribute related info> server <server ID> vrf <VRF> changed <Attribute related info, if any>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified attribute of the remote AAA (RADIUS/TACACS+) server has been changed manually.

Recommended Action: Verify that the attribute was changed intentionally. If the attribute was changed intentionally, no action is required. If the attribute was not changed intentionally, take appropriate action as defined by your enterprise security policy.

SEC-3018

Message: Event: <Event Name>, Status: success, Info: Parameter [<Parameter Name>] changed from <Old to New Value>.

Message Type: AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified password attribute has been changed.

Recommended Action:Verify that the password attribute was changed intentionally. If the password attribute was changed intentionally, no action is required. If the password attribute was not changed intentionally, take appropriate action as defined by your enterprise security policy.

SEC-3019

Message: Event: <Event Name>, Status: success, Info: Password attributes set to default values.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the password attributes are set to default values.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3020

Message: Event: <Event Name>, Status: success, Info: Successful login attempt via <connection method and IP Address>.

Message Type: AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the log in was successful. An IP address is displayed when the login occurs over a remote connection.

Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3021

Message: Event: <Event Name>, Status: failed, Info: Failed login attempt through <connection method and IP Address>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the log in attempt has failed.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3022

Message: Event: <Event Name>, Status: success, Info: Successful logout by user [<User>].

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified user has successfully logged out.

Recommended Action: No action is required.

SEC-3023

Message: Event: <Event Name>, Status: failed, Info: Account [<User>] locked, failed password attempts exceeded.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the number of failed log in attempts due to incorrect password has exceeded the allowed limit; the account has been locked.

Recommended Action: The administrator can manually unlock the account.

SEC-3024

Message: Event: <Event Name>, Status: success, Info: User account [<User Name>], password changed.

Message Type: AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the password was changed for the specified user.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3025

Message: Event: <Event Name>, Status: success, Info: User account [<User Name>] added. Role: [<Role Type>], Password [<Password Expired or not>], Home Context [<Home AD>], AD/VF list [<AD membership List>].

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that a new user account was created.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3026

Message: Event: <Event Name>, Status: success, Info: User account [<User Name>], role changed from [<Old Role Type>] to [<New Role Type>].

Message Type: AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the user account role has been changed.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3027

Message: Event: <Event Name>, Status: success, Info: User account [<User Name>] [<Changed Attributes>].

Message Type: AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the user account properties were changed.

Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3028

Message: Event: <Event Name>, Status: success, Info: User account [<User Name>] deleted.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified user account has been deleted.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3030

Message: Event: <Event Name>, Status: success, Info: <Event Specific Info>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the certificate authority (CA) certificate was imported successfully using the certutil import ldapca command.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3034

Message: Event: AAA Authentication Login Mode Configuration, Status: success, Info: Authentication configuration changed from <Previous Mode> to <Current Mode>.

Message Type: AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the authentication configuration has been changed.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3035

Message: Event: ipfilter, Status: success, Info: <IP Filter Policy> ipfilter policy(ies) saved.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified IP filter policies have been saved.

Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3036

Message: Event: ipfilter, Status: failed, Info: Failed to save changes for <IP Filter Policy> ipfilter policy(s).

Message Type: AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified IP filter policies have not been saved.

Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3037

Message: Event: ipfilter, Status: success, Info: <IP Filter Policy> ipfilter policy activated.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified IP filter policy has been activated.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3038

Message: Event: ipfilter, Status: failed, Info: Failed to activate <IP Filter Policy> ipfilter policy.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified IP filter policy failed to activate.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3039

Message: Event:Security Violation , Status: failed, Info: Unauthorized host with IP address <IP address of the violating host> tries to establish connection using <Protocol Connection Type>.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that a security violation was reported. The IP address of the unauthorized host is displayed in the message.

Recommended Action: Check for unauthorized access to the switch through the specified protocol connection.

SEC-3045

Message: Zeroization has been executed on the system.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the system has been zeroized.

Recommended Action: Verify the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3046

Message: The FIPS Self Tests mode has been set to <Self Test Mode>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that there was a change in the Federal Information Protection Standard (FIPS) self test mode.

Recommended Action: Verify the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3049

Message: Status of bootprom access is changed using prom-access disable CLI: <Access Status>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the status of Boot PROM has changed using prom-access disable command. By default, the Boot PROM is accessible.

Recommended Action: No action is required.

SEC-3051

Message: The license key <Key> is <Action>.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified license key has been added or removed.

Recommended Action: No action is required.

SEC-3061

Message: Role '<Role Name>' is created.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified role has been created.

Recommended Action: No action is required.

SEC-3062

Message: Role '<Role Name>' is deleted.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified role has been deleted.

Recommended Action: No action is required.

SEC-3067

Message: Event: <Event Name>, Status: success, Info: Telnet Server is shutdown.

Message Type: AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Telnet server in the switch is shut down.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3068

Message: Event: <Event Name>, Status: success, Info: Telnet Server is started.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Telnet server in the switch is started.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3069

Message: Event: <Event Name>, Status: success, Info: SSH Server is shutdown.

Message Type: AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server in the switch is shut down.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3070

Message: Event: <Event Name>, Status: success, Info: SSH Server is started.

Message Type: AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server in the switch is started.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3071

Message: Event: <Event Name>, Status: success, Info: SSH Server Key Exchange Algorithm is configured to DH Group 14.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server key exchange algorithm is configured to DH group 14.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3072

Message: Event: <Event Name>, Status: success, Info: SSH Server Key Exchange Algorithm is restored to default.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server key exchange algorithm is restored to default.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3073

Message: Event: <Event Name>, Status: success, Info: Login banner message is set to '<Banner>'.

Message Type: AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the login banner message is set.

Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3074

Message: Event: <Event Name>, Status: success, Info: Login banner message is removed.

Message Type: AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the login banner message is removed.

Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3075

Message: Event: <Event Name>, Status: success, Info: '<Type of cipher (LDAP/SSH)>' cipher list is configured.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified Lightweight Directory Access Protocol (LDAP) or SSH cipher list is configured.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3076

Message: Event: <Event Name>, Status: success, Info: '<Type of cipher (LDAP/SSH)>' cipher list is removed.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the specified Lightweight Directory Access Protocol (LDAP) or SSH cipher list is removed.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3077

Message: Event: <Event Name>, Status: success, Info: SSH Server Rekey Interval is configured to <RekeyInterval>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server periodic rekeying is enabled with configured interval.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3078

Message: Event: <Event Name>, Status: success, Info: SSH Server Rekey Interval is removed.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server periodic rekeying is disabled.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3079

Message: Event: <Event Name>, Status: success, Info: SSH Server Cipher is configured to <Cipher>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server cipher is changed to configured value.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3080

Message: Event: <Event Name>, Status: success, Info: SSH Server Cipher is restored to default.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server cipher is restored to default.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3081

Message: Event: <Event Name>, Status: success, Info: SSH Client Cipher is configured to <Cipher>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH client cipher is changed to configured value.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3082

Message: Event: <Event Name>, Status: success, Info: SSH Client Cipher is restored to default.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH client cipher is restored to default.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3083

Message: Event: <Event Name>, Status: success, Info: Root access mode is restored to default (SSH/Telnet/Console).

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the root access mode is restored to default (SSH/Telnet/Console).

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3084

Message: Event: <Event Name>, Status: success, Info: Root access mode is configured to <mode>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the root access mode is changed to the configured value

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3085

Message: Event: <Event Name>, Status: success, Info: Root account is <status>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the root account is enabled or disabled.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3086

Message: Event: <Event Name>, Status: success, Info: Standby Telnet server is <status>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the standby Telnet server in the switch is started or shutdown.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3087

Message: Event: <Event Name>, Status: success, Info: Standby SSH server is <status>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the standby SSH server in the switch is started or shutdown.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3088

Message: Event: <Event Name>, Status: success, Info: SSH <Key Type> Key <status>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH key is generated or deleted.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3089

Message: Event: <Event Name>, Status: success, Info: Crypto key is generated.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Crypto key is generated.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3090

Message: Event: <Event Name>, Status: success, Info: Crypto key is deleted.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Crypto key is deleted.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3091

Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint is created.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Crypto CA Trustpoint is created.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3092

Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint is deleted.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Crypto CA Trustpoint is deleted.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3093

Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint - Keypair associated.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Crypto CA Trustpoint and keypair are associated.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3094

Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint - Keypair disassociated.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Crypto CA Trustpoint and keypair are disassociated.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3095

Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint is authenticated.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the CA certificate of the Crypto CA Trustpoint is imported.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3096

Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint is unauthenticated.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the CA certificate of the Crypto CA Trustpoint is deleted.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3097

Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint is enrolled.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Crypto CA Trustpoint Certificate Signing Request (CSR) is generated and exported.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3098

Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint certificate is imported.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Crypto CA Trustpoint identity certificate is imported.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3099

Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint certificate is deleted.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Crypto CA Trustpoint identity certificate is deleted.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3100

Message: Event: <Event Name>, Status: success, Info: SSH Server MAC is configured to <MAC>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server MAC is changed to the configured value

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3101

Message: Event: <Event Name>, Status: success, Info: SSH Client MAC is configured to <MAC>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH client MAC is changed to the configured value.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3102

Message: Event: <Event Name>, Status: success, Info: SSH Client Kex is configured to <Kex>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH client Kex is changed to configured value

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3103

Message: Event: <Event Name>, Status: success, Info: SSH Server Key Exchange is configured to <Kex>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server key exchange (Kex) is changed to the configured value.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3104

Message: Event: <Event Name>, Status: success, Info: SSH Server instance is started on <Vrfname> VRF.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server instance is started on given VRF.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3105

Message: Event: <Event Name>, Status: success, Info: SSH Server instance is stopped on <Vrfname> VRF.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server instance is stopped on given VRF.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3106

Message: Event: <Event Name>, Status: success, Info: Telnet Server instance is started on <Vrfname> VRF.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Telnet server instance is started on given VRF.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3107

Message: Event: <Event Name>, Status: success, Info: Telnet Server instance is stopped on <Vrfname> VRF.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the Telnet server instance is stopped on given VRF.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3108

Message: Event: <Event Name>, Status: success, Info: SSH Server Port is configured to <ServerPort>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the SSH server is configured with a new port.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3110

Message: Event: <Event Name>, <Event action> Info: <Even specific info>.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates a failure to establish a Transport Layer Security (TLS) session.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3111

Message: Event: <Event Name>, <Event action> Info: <Even specific info>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates TLS session information during connection.

Recommended Action: No action is required.

SEC-3112

Message: Event: <Event Name>, <Event action> Info: <Even specific info>.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that Transport Layer Security (TLS) Certificate Validation failed.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.

SEC-3113

Message: Event: <Event Name>, <Event action> Info: <Even specific info>.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates SSH protocol message information during SSH session.

Recommended Action: No action is required.

SEC-3136

Message: cert expiry , Alert-level:'<alert-level>', Certificate Details= '<certificate-details>' will expire in '<Days>' days.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that specified certificate will expire in the specified number of days.

Recommended Action: Certificate must be renewed to prevent issues due to certificate expiry.

SEC-3137

Message: certificate expired, Certificate Details= '<certificate-details>' has expired '<Days>' days ago.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that specified certificate has expired the specified number of days in the past.

Recommended Action: Certificate must be renewed to continue using it.

SEC-3138

Message: user inactivity warning, USER '<User-ID>' will expire in '<Days>' days.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that specified user account will expire in the specified number of days.

Recommended Action: Account must be used to login to the device to keep it active.

SEC-3139

Message: user expired USER '<User-ID>' expired '<Days>' days ago.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that specified user account has expired the specified number of days ago.

Recommended Action: Account must be re-activated and used to login to the device.

SEC-3140

Message: Event: user password expiry, Alert-level:< alert-level>, Password of user account <user-account> will expire in <number-of-days> days.

Message Type:AUDIT | LOG

Severity: WARNING

Probable Cause: The user account specified in the <user-account> parameter will need to change their password in <number-of-days>.

Recommended Action: Change the user account's password before it expires.

SEC-3141

Message: Event: user password expiring, Password of user account <user-account> is expiring today.

Message Type:AUDIT | LOG

Severity: ERROR

Probable Cause: The password for user account specified in the <user-account> parameter will expire at the end of the current day. The user has to change the password immediately. If not changed, the password will expire.

Recommended Action: Change the user account's password before it expires.

SEC-3142

Message: Event: user password expired, Password of user account <user-account> has expired <number-of-days> days ago.

Message Type:AUDIT | LOG

Severity: ERROR

Probable Cause: The user account specified in the <user-account> parameter is locked out and will need to change their password immediately to log in.

Recommended Action: Change the user account's password immediately.

SEC-3501

Message: Role '<Role Name>' is changed.

Message Type:AUDIT | LOG

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that attributes of the specified role have been changed.

Recommended Action: No action is required.

SEC-4002

Message: Event: <Event Name>, Status: failed, Info: Failed login attempt outside the access time through <connection method and IP Address>.

Message Type:AUDIT

Class:SECURITY

Severity: INFO

Probable Cause: Indicates that the log in attempt outside the access time has failed.

Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.