Message: Invalid character used in member parameter to add switch to SCC policy; command terminated.
Message Type:LOG
Severity:ERROR
Probable Cause: Indicates that a member parameter in the secpolicy defined-policy command is invalid (for example, it may include an invalid character, such as an asterisk). A valid switch identifier (WWN, or switch name) must be provided as a member parameter in the secpolicy defined-policy command.
Recommended Action: Execute the secpolicy defined-policy command using a valid switch identifier (WWN, or switch name) to add specific switches to the switch connection control (SCC) policy.
Message: Invalid member <policy member>.
Message Type:LOG
Severity:ERROR
Probable Cause: Indicates that the input list has an invalid member.
Recommended Action: Verify the member names and input the correct information.
Message: Device name <device name> is invalid due to a missing colon.
Message Type:LOG
Severity:ERROR
Probable Cause: Indicates that one or more device names mentioned in the secpolicy defined-policy command does not have the colon character (:).
Recommended Action: Execute the secpolicy defined-policy command with a properly formatted device name parameter.
Message: Invalid WWN format <invalid WWN>.
Message Type:LOG
Severity:ERROR
Probable Cause:Indicates that the World Wide Name (WWN) entered in the policy member list had an invalid format.
Recommended Action: Execute the command again using the standard WWN format, that is, 16 hexadecimal digits grouped as eight colon separated pairs. For example: 50:06:04:81:D6:F3:45:42.
Message: Duplicate member <member ID> in (<List>).
Message Type:LOG
Severity:ERROR
Probable Cause: Indicates that the specified member is a duplicate in the input list. The list can be a policy list or a switch member list.
Recommended Action: Do not specify any duplicate members.
Message: No new security policy data to apply.
Message Type:LOG
Severity:ERROR
Probable Cause: Indicates that there are no changes in the defined security policy database to be activated.
Recommended Action: Verify that the security event was planned. Change some policy definitions and execute the secpolicy activate command to activate the policies.
Message: Added account <user name> with <role name> authorization.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that the specified new account has been created.
Recommended Action: No action is required.
Message: Deleted account <user name>.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that the specified account has been deleted.
Recommended Action: No action is required.
Message: <configuration> configuration change, action <action>, server ID <server>, VRF <vrf>.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that the specified action is applied to remote AAA (RADIUS/TACACS+) server configuration. The possible actions are ADD, REMOVE, CHANGE, and MOVE.
Recommended Action: No action is required.
Message: <action> switch DB.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that the switch database was enabled or disabled as the secondary authentication, authorization, and accounting (AAA) mechanism when the remote authentication dial-in user service (RADIUS) or Lightweight Directory Access Protocol (LDAP) is the primary AAA mechanism.
Recommended Action: No action is required.
Message: Security violation: Unauthorized switch <switch WWN> tries to join fabric.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that a switch connection control (SCC) security violation was reported. The specified unauthorized switch attempts to join the fabric.
Recommended Action: Check the switch connection control policy (SCC) policy to verify the switches are allowed in the fabric. If the switch should be allowed in the fabric but it is not included in the SCC policy, add the switch to the policy using the secpolicy defined-policy scc_policy member-entry command. If the switch is not allowed access to the fabric, this is a valid violation message and an unauthorized entity is trying to access your fabric. Take appropriate action as defined by your enterprise security policy.
Message: Security violation: Unauthorized host with IP address <IP address> tries to do SNMP write operation.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that a Simple Network Management Protocol (SNMP) security violation was reported. The specified unauthorized host attempted to perform an SNMP write operation.
Recommended Action: Check the WSNMP policy (read/write SNMP policy) and verify which hosts are allowed access to the fabric through SNMP. If the host is allowed access to the fabric but is not included in the policy, add the host to the policy.
If the host is not allowed access to the fabric, this is a valid violation message and an unauthorized entity is trying to access your fabric. Take appropriate action as defined by your enterprise security policy.
Message: Security violation: Unauthorized host with IP address <IP address> tries to do SNMP read operation.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that a Simple Network Management Protocol (SNMP) security violation was reported. The specified unauthorized host attempted to perform an SNMP read operation.
Recommended Action: Check the RSNMP policy (read-only SNMP policy) to verify the hosts that are allowed access to the fabric through SNMP read operations are included in the RSNMP policy. If the host is allowed access but is not included in the RSNMP policy, add the host to the policy. If the host is not allowed access to the fabric, this is a valid violation message and an unauthorized entity is trying to access your fabric. Take appropriate action as defined by your enterprise security policy.
Message: Security violation: Unauthorized host with IP address <Ip address> tries to establish HTTP connection.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that a Hypertext Transfer Protocol (HTTP) security violation was reported. The specified unauthorized host attempted to establish an HTTP connection.
Recommended Action: Determine whether the host IP address specified in the message can be used to manage the fabric through an HTTP connection. If so, add the host IP address to the HTTP policy of the fabric. If the host is not allowed access to the fabric, this is a valid violation message and an unauthorized entity is trying to access your fabric. Take appropriate action as defined by your enterprise security policy.
Message: Security violation: Login failure attempt via <connection method>.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that a serial or modem login security violation was reported. An incorrect password was used while trying to log in through a serial or modem connection; the log in failed.
Recommended Action: Use the correct password.
Message: Security violation: Login failure attempt via <connection method>. IP Addr: <IP address>.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that a login security violation was reported. The wrong password was used while trying to log in through the specified connection method; the log in failed. The violating IP address is displayed in the message.
Recommended Action: Verify that the specified IP address is being used by a valid switch administrator. Use the correct password.
Message: Changed account <user name>.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that the specified account has changed.
Recommended Action: No action is required.
Message: Security violation: Unauthorized access to serial port of switch <switch instance>.
Message Type:LOG
Severity:INFO
Probable Cause: Indicates that a serial connection policy security violation was reported. An attempt was made to access the serial console on the specified switch instance when it is disabled.
Recommended Action:Check to see if an authorized access attempt was made on the console. If so, add the switch World Wide Name (WWN) to the serial policy using the secpolicy defined-policy scc_policy member-entry command. If the host is not allowed access to the fabric, this is a valid violation message and an unauthorized entity is trying to access your fabric. Take appropriate action as defined by your enterprise security policy.
Message: Login information: Login successful via TELNET/SSH/RSH. IP Addr: <IP address>.
Message Type: LOG
Severity:INFO
Probable Cause:Indicates that the remote log in of the specified IP address was successful.
Recommended Action: No action is required.
Message: Root access mode is configured to <Mode>.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that the root access mode is changed.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Login information: User [<User>] Last Successful Login Time : <last_successful_login_time> and Fail count : <fail_count>.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates the last successful login time and the failed attempt count for the specified user.
Recommended Action: No action is required.
Message: Login information: User [<User>] Last Successful Login Time : <last_successful_login_time>.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates the last successful login time for the specified user.
Recommended Action: No action is required.
Message: <RADIUS/TACACS+/LDAP server identity> server <server> authenticated user account '<username>'.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that the specified AAA (RADIUS/TACACS+/LDAP) server responded to a switch request after some servers timed out.
Recommended Action:If the message appears frequently, reconfigure the list of servers so that the responding server is the first server on the list.
Message: All <RADIUS/TACACS+/LDAP server identity> servers failed to authenticate user account '<username>'.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that all servers in the remote AAA (RADIUS/TACACS+/LDAP) service configuration have failed to respond to a switch request within the configured timeout period.
Recommended Action: Verify that the switch has proper network connectivity to the specified AAA (RADIUS/TACACS+/LDAP) servers and the servers are correctly configured.
Message: passwdcfg params changed as (<changed param>:<old value> -> <new value>).
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that the password attributes have been changed.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: The password attributes parameters were set to default values.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that the password attributes were set to default values.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required.If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Security enforcement: Switch <switch WWN> connecting to port <Port number> is not authorized to stay in fabric.
Message Type:LOG
Severity:ERROR
Probable Cause: Indicates that the specified switch is being disabled on the specified port because of a switch connection control (SCC) policy violation.
Recommended Action: No action is required unless the switch must remain in the fabric. If the switch must remain in the fabric, add the switch World Wide Name (WWN) to the SCC policy using the secpolicy defined-policy scc_policy member-entry command, then attempt to join the switch with the fabric.
Message: IPFilter enforcement:Failed to enforce ipfilter policy of <Policy Type> type because of <Error code>.
Message Type:LOG
Severity:ERROR
Probable Cause: Indicates that the IP filter policy enforcement failed because of an internal system failure.
Recommended Action: Execute the copy support command and contact your switch service provider.
Message: local security policy <Event name>.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that the specified event has occurred.
Recommended Action:Verify that the event was planned. If the event was planned, no action is required. If the event was not planned, take appropriate action as defined by your enterprise security policy.
Message: local security policy <Event name> WWN <Member WWN>.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that the specified event has occurred.
Recommended Action: Verify that the event was planned. If the event was planned, no action is required. If the event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Missing file <file name> is replaced with default configuration.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that the specified file is missing and it has been replaced with the default file.
Recommended Action: No action is required.
Message: Failed to access file <file name> and reverted the configuration.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that the specified file was not accessible.
Recommended Action: No action is required.
Message: Accounting message queue 90 percent full, some messages may be dropped.
Message Type:LOG
Severity:WARNING
Probable Cause: Cause Indicates that the server is unreachable.
Recommended Action:No action is required.
Message: Accounting message queue within limits all messages will be processed.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that the server is now reachable.
Recommended Action: No action is required.
Message: All TACACS+ servers failed to account user activity. Status is <return_status>
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that the accounting has failed
Recommended Action: Check secret key value.
Message: Security violation: Login failure attempt outside the access time via <connection method>.
Message Type:LOG
Severity: INFO
Probable Cause: Indicates that a serial or modem login security violation was reported. User attempted to login outside the access time window through the specified connection method; the log in failed.
Recommended Action: Verify the login access time for the user. If needed update the access time as required.
Message Type:LOG
Severity: INFOProbable Cause: Indicates that a login security violation was reported. User attempted to login outside the access time window through the specified connection method; the log in failed.
Recommended Action: Verify the login access time for the user. If needed update the access time as required.Message Type:LOG
Severity: INFO
Probable Cause: Indicates that the accounting has failed.
Recommended Action: Check secret key value.
Message: Event: <Event Name>, Status: success, Info: <Event related info> <Event option> server <Server Name> vrf <VRF> for AAA services.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the AAA (RADIUS/TACACS+) server configuration has been changed manually.
Recommended Action:Verify that the RADIUS/TACACS+ configuration was changed intentionally. If the RADIU/TACACS+ configuration was changed intentionally, no action is required. If the RADIUS/TACACS+ configuration was not changed intentionally, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Attribute [<Attribute Name>] of <Attribute related info> server <server ID> vrf <VRF> changed <Attribute related info, if any>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified attribute of the remote AAA (RADIUS/TACACS+) server has been changed manually.
Recommended Action: Verify that the attribute was changed intentionally. If the attribute was changed intentionally, no action is required. If the attribute was not changed intentionally, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Parameter [<Parameter Name>] changed from <Old to New Value>.
Message Type: AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified password attribute has been changed.
Recommended Action:Verify that the password attribute was changed intentionally. If the password attribute was changed intentionally, no action is required. If the password attribute was not changed intentionally, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Password attributes set to default values.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the password attributes are set to default values.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Successful login attempt via <connection method and IP Address>.
Message Type: AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the log in was successful. An IP address is displayed when the login occurs over a remote connection.
Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: failed, Info: Failed login attempt through <connection method and IP Address>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the log in attempt has failed.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Successful logout by user [<User>].
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified user has successfully logged out.
Recommended Action: No action is required.
Message: Event: <Event Name>, Status: failed, Info: Account [<User>] locked, failed password attempts exceeded.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the number of failed log in attempts due to incorrect password has exceeded the allowed limit; the account has been locked.
Recommended Action: The administrator can manually unlock the account.
Message: Event: <Event Name>, Status: success, Info: User account [<User Name>], password changed.
Message Type: AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the password was changed for the specified user.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: User account [<User Name>] added. Role: [<Role Type>], Password [<Password Expired or not>], Home Context [<Home AD>], AD/VF list [<AD membership List>].
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that a new user account was created.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: User account [<User Name>], role changed from [<Old Role Type>] to [<New Role Type>].
Message Type: AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the user account role has been changed.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: User account [<User Name>] [<Changed Attributes>].
Message Type: AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the user account properties were changed.
Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: User account [<User Name>] deleted.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified user account has been deleted.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: <Event Specific Info>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the certificate authority (CA) certificate was imported successfully using the certutil import ldapca command.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: AAA Authentication Login Mode Configuration, Status: success, Info: Authentication configuration changed from <Previous Mode> to <Current Mode>.
Message Type: AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the authentication configuration has been changed.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: ipfilter, Status: success, Info: <IP Filter Policy> ipfilter policy(ies) saved.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified IP filter policies have been saved.
Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: ipfilter, Status: failed, Info: Failed to save changes for <IP Filter Policy> ipfilter policy(s).
Message Type: AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified IP filter policies have not been saved.
Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: ipfilter, Status: success, Info: <IP Filter Policy> ipfilter policy activated.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified IP filter policy has been activated.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: ipfilter, Status: failed, Info: Failed to activate <IP Filter Policy> ipfilter policy.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified IP filter policy failed to activate.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event:Security Violation , Status: failed, Info: Unauthorized host with IP address <IP address of the violating host> tries to establish connection using <Protocol Connection Type>.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that a security violation was reported. The IP address of the unauthorized host is displayed in the message.
Recommended Action: Check for unauthorized access to the switch through the specified protocol connection.
Message: Zeroization has been executed on the system.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the system has been zeroized.
Recommended Action: Verify the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: The FIPS Self Tests mode has been set to <Self Test Mode>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that there was a change in the Federal Information Protection Standard (FIPS) self test mode.
Recommended Action: Verify the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Status of bootprom access is changed using prom-access disable CLI: <Access Status>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the status of Boot PROM has changed using prom-access disable command. By default, the Boot PROM is accessible.
Recommended Action: No action is required.
Message: The license key <Key> is <Action>.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified license key has been added or removed.
Recommended Action: No action is required.
Message: Role '<Role Name>' is created.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified role has been created.
Recommended Action: No action is required.
Message: Role '<Role Name>' is deleted.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified role has been deleted.
Recommended Action: No action is required.
Message: Event: <Event Name>, Status: success, Info: Telnet Server is shutdown.
Message Type: AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Telnet server in the switch is shut down.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Telnet Server is started.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Telnet server in the switch is started.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server is shutdown.
Message Type: AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server in the switch is shut down.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server is started.
Message Type: AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server in the switch is started.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server Key Exchange Algorithm is configured to DH Group 14.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server key exchange algorithm is configured to DH group 14.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server Key Exchange Algorithm is restored to default.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server key exchange algorithm is restored to default.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Login banner message is set to '<Banner>'.
Message Type: AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the login banner message is set.
Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Login banner message is removed.
Message Type: AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the login banner message is removed.
Recommended Action:Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: '<Type of cipher (LDAP/SSH)>' cipher list is configured.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified Lightweight Directory Access Protocol (LDAP) or SSH cipher list is configured.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: '<Type of cipher (LDAP/SSH)>' cipher list is removed.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the specified Lightweight Directory Access Protocol (LDAP) or SSH cipher list is removed.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server Rekey Interval is configured to <RekeyInterval>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server periodic rekeying is enabled with configured interval.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server Rekey Interval is removed.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server periodic rekeying is disabled.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server Cipher is configured to <Cipher>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server cipher is changed to configured value.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server Cipher is restored to default.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server cipher is restored to default.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Client Cipher is configured to <Cipher>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH client cipher is changed to configured value.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Client Cipher is restored to default.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH client cipher is restored to default.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Root access mode is restored to default (SSH/Telnet/Console).
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the root access mode is restored to default (SSH/Telnet/Console).
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Root access mode is configured to <mode>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the root access mode is changed to the configured value
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Root account is <status>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the root account is enabled or disabled.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Standby Telnet server is <status>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the standby Telnet server in the switch is started or shutdown.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Standby SSH server is <status>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the standby SSH server in the switch is started or shutdown.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH <Key Type> Key <status>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH key is generated or deleted.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Crypto key is generated.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Crypto key is generated.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Crypto key is deleted.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Crypto key is deleted.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint is created.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Crypto CA Trustpoint is created.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint is deleted.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Crypto CA Trustpoint is deleted.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint - Keypair associated.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Crypto CA Trustpoint and keypair are associated.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint - Keypair disassociated.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Crypto CA Trustpoint and keypair are disassociated.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint is authenticated.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the CA certificate of the Crypto CA Trustpoint is imported.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint is unauthenticated.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the CA certificate of the Crypto CA Trustpoint is deleted.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint is enrolled.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Crypto CA Trustpoint Certificate Signing Request (CSR) is generated and exported.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint certificate is imported.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Crypto CA Trustpoint identity certificate is imported.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Crypto CA Trustpoint certificate is deleted.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Crypto CA Trustpoint identity certificate is deleted.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server MAC is configured to <MAC>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server MAC is changed to the configured value
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Client MAC is configured to <MAC>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH client MAC is changed to the configured value.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Client Kex is configured to <Kex>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH client Kex is changed to configured value
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server Key Exchange is configured to <Kex>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server key exchange (Kex) is changed to the configured value.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server instance is started on <Vrfname> VRF.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server instance is started on given VRF.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server instance is stopped on <Vrfname> VRF.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server instance is stopped on given VRF.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Telnet Server instance is started on <Vrfname> VRF.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Telnet server instance is started on given VRF.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: Telnet Server instance is stopped on <Vrfname> VRF.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the Telnet server instance is stopped on given VRF.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, Status: success, Info: SSH Server Port is configured to <ServerPort>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the SSH server is configured with a new port.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, <Event action> Info: <Even specific info>.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates a failure to establish a Transport Layer Security (TLS) session.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, <Event action> Info: <Even specific info>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates TLS session information during connection.
Recommended Action: No action is required.
Message: Event: <Event Name>, <Event action> Info: <Even specific info>.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that Transport Layer Security (TLS) Certificate Validation failed.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.
Message: Event: <Event Name>, <Event action> Info: <Even specific info>.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates SSH protocol message information during SSH session.
Recommended Action: No action is required.
Message: cert expiry , Alert-level:'<alert-level>', Certificate Details= '<certificate-details>' will expire in '<Days>' days.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that specified certificate will expire in the specified number of days.
Recommended Action: Certificate must be renewed to prevent issues due to certificate expiry.
Message: certificate expired, Certificate Details= '<certificate-details>' has expired '<Days>' days ago.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that specified certificate has expired the specified number of days in the past.
Recommended Action: Certificate must be renewed to continue using it.
Message: user inactivity warning, USER '<User-ID>' will expire in '<Days>' days.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that specified user account will expire in the specified number of days.
Recommended Action: Account must be used to login to the device to keep it active.
Message: user expired USER '<User-ID>' expired '<Days>' days ago.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that specified user account has expired the specified number of days ago.
Recommended Action: Account must be re-activated and used to login to the device.
Message: Event: user password expiry, Alert-level:< alert-level>, Password of user account <user-account> will expire in <number-of-days> days.
Message Type:AUDIT | LOG
Severity: WARNING
Probable Cause: The user account specified in the <user-account> parameter will need to change their password in <number-of-days>.
Recommended Action: Change the user account's password before it expires.
Message: Event: user password expiring, Password of user account <user-account> is expiring today.
Message Type:AUDIT | LOG
Severity: ERROR
Probable Cause: The password for user account specified in the <user-account> parameter will expire at the end of the current day. The user has to change the password immediately. If not changed, the password will expire.
Recommended Action: Change the user account's password before it expires.
Message: Event: user password expired, Password of user account <user-account> has expired <number-of-days> days ago.
Message Type:AUDIT | LOG
Severity: ERROR
Probable Cause: The user account specified in the <user-account> parameter is locked out and will need to change their password immediately to log in.
Recommended Action: Change the user account's password immediately.
Message: Role '<Role Name>' is changed.
Message Type:AUDIT | LOG
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that attributes of the specified role have been changed.
Recommended Action: No action is required.
Message: Event: <Event Name>, Status: failed, Info: Failed login attempt outside the access time through <connection method and IP Address>.
Message Type:AUDIT
Class:SECURITY
Severity: INFO
Probable Cause: Indicates that the log in attempt outside the access time has failed.
Recommended Action: Verify that the security event was planned. If the security event was planned, no action is required. If the security event was not planned, take appropriate action as defined by your enterprise security policy.