Table 14-1 Security Events
Event Name
|
Source OID
|
Short Description
|
Severity
|
Cause
|
Action
|
Category: administrator action
|
|
|
avm-added
|
IAvm
|
AVM <ip>:<avmid> (<avmkey>) was added
|
CLEARED
|
Administrator action.
|
None needed.
|
avm-classesjar-changed
|
IAvm
|
The class JAR list of AVM <ip>:<avmid> (<avmkey>) was changed to <classesjar>
|
CLEARED
|
Administrator action.
|
None needed.
|
avm-disabled
|
IAvm
|
AVM <ip>:<avmid> (<avmkey>) was disabled
|
CLEARED
|
Administrator action.
|
None needed.
|
avm-enabled
|
IAvm
|
AVM <ip>:<avmid> (<avmkey>) was enabled
|
CLEARED
|
Administrator action.
|
None needed.
|
avm-high-availability-disabled
|
IAvm
|
High availability was disabled for AVM <ip>:<avmid> (<avmkey>)
|
CLEARED
|
Administrator action.
|
None needed.
|
avm-high-availability-enabled
|
IAvm
|
High availability was enabled for AVM <ip>:<avmid> (<avmkey>)
|
CLEARED
|
Administrator action.
|
None needed.
|
avm-key-changed
|
IAvm
|
The key of AVM <ip>:<avmid> (<avmkey>) was changed to <newkey>
|
CLEARED
|
Administrator action.
|
None needed.
|
avm-maxmem-changed
|
IAvm
|
The maximum heap size of AVM <ip>:<avmid> (<avmkey>) was changed to <maxmem>
|
CLEARED
|
Administrator action.
|
None needed.
|
avm-moved
|
IAvm
|
AVM <ip>:<avmid> (<avmkey>) was moved to <newip>
|
CLEARED
|
Administrator action.
|
None needed.
|
avm-patchjar-changed
|
IAvm
|
The patch JAR list of AVM <ip>:<avmid> (<avmkey>) was changed to <patchjar>
|
CLEARED
|
Administrator action.
|
None needed.
|
avm-removed
|
IAvm
|
AVM <ip>:<avmid> (<avmkey>) was removed
|
CLEARED
|
Administrator action.
|
None needed.
|
avm-restarted
|
IAvm
|
AVM <ip>:<avmid> (<avmkey>) was restarted
|
CLEARED
|
Administrator action.
|
None needed.
|
client-license-added
|
IClientLicenseManagement
|
Client license <key> was added
|
CLEARED
|
Administrator action.
|
None needed.
|
client-license-removed
|
IClientLicenseManagement
|
Client license <key> was removed
|
CLEARED
|
Administrator action.
|
None needed.
|
element-added
|
IElementManagement
|
Element <key> was added to AVM <unitip>:<avmid>
|
CLEARED
|
Administrator action.
|
None needed.
|
element-alias-added
|
IElementManagement
|
The alias <alias> was added to element <key> (in AVM <unitip>:<avmid>)
|
CLEARED
|
Administrator action.
|
None needed.
|
element-alias-removed
|
IElementManagement
|
The alias <alias> was removed from element <key> (in AVM <unitip>:<avmid>)
|
CLEARED
|
Administrator action.
|
None needed.
|
element-disabled
|
IElementManagement
|
Element <key> (in AVM <unitip>:<avmid>) was disabled
|
CLEARED
|
Administrator action.
|
None needed.
|
element-enabled
|
IElementManagement
|
Element <key> (in AVM <unitip>:<avmid>) was enabled
|
CLEARED
|
Administrator action.
|
None needed.
|
element-moved
|
IElementManagement
|
Element <key> was moved from AVM <unitip>:<avmid> to AVM <newip>:<newavmid>
|
CLEARED
|
Administrator action.
|
None needed.
|
element-removed
|
IElementManagement
|
Element <key> was removed from AVM <unitip>:<avmid>
|
CLEARED
|
Administrator action.
|
None needed.
|
mc-network-high-availability-disabled
|
IMCNetwork
|
High availability was disabled for the BOS network
|
CLEARED
|
Administrator action.
|
None needed.
|
mc-network-high-availability-enabled
|
IMCNetwork
|
High availability was enabled for the BOS network
|
CLEARED
|
Administrator action.
|
None needed.
|
permission-added
|
IPermission
|
User <username> was granted permission for scope <scope> with role <role>
|
CLEARED
|
Administrator executed grant permission to user command.
|
None needed.
|
permission-deleted
|
IPermission
|
User <username>'s permission for scope <scope> was revoked (previous role: <role>)
|
CLEARED
|
Administrator executed revoke permission to user command.
|
None needed.
|
permission-role-changed
|
IPermission
|
User <username>'s role in scope <scope> was changed to <role>
|
CLEARED
|
Administrator executed change role to user command.
|
None needed.
|
polling-group-added
|
IPollingGroupManagement
|
Polling group <name> (description: <description>) was added
|
CLEARED
|
Administrator action.
|
None needed.
|
polling-group-description-changed
|
IPollingGroupManagement
|
The description of polling group <name> was changed to <description>
|
CLEARED
|
Administrator action.
|
None needed.
|
polling-group-removed
|
IPollingGroupManagement
|
Polling group <name> (description: <description>) was removed
|
CLEARED
|
Administrator action.
|
None needed.
|
polling-interval-added
|
IPollingInterval
|
Polling interval <group>/<name> (interval: <interval>) was added
|
CLEARED
|
Administrator action.
|
None needed.
|
polling-interval-changed
|
IPollingInterval
|
Polling interval <group>/<name> was changed to <interval>
|
CLEARED
|
Administrator action.
|
None needed.
|
polling-interval-removed
|
IPollingInterval
|
Polling interval <group>/<name> (interval: <interval>) was removed
|
CLEARED
|
Administrator action.
|
None needed.
|
protection-group-added
|
IProtectionGroup
|
Protection group <key> (description: <description>) was added
|
CLEARED
|
Administrator action.
|
None needed.
|
protection-group-description-changed
|
IProtectionGroup
|
The description of protection group <key> was changed to <description>
|
CLEARED
|
Administrator action.
|
None needed.
|
protection-group-removed
|
IProtectionGroup
|
Protection group <key> (description: <description>) was removed
|
CLEARED
|
Administrator action.
|
None needed.
|
redundant-unit-added
|
IMC
|
DNA Redundant Unit <ip> was added
|
CLEARED
|
Administrator action.
|
None needed.
|
scope-created
|
IScope
|
Scope <scope> was created
|
CLEARED
|
Administrator executed create scope command.
|
None needed.
|
scope-deleted
|
IScope
|
Scope <scope> was deleted
|
CLEARED
|
Administrator executed delete scope command.
|
None needed.
|
scope-elements-added
|
IScope
|
The following elements were added to scope <scope>: <elements>
|
CLEARED
|
Administrator executed add elements to scope command.
|
None needed.
|
scope-elements-removed
|
IScope
|
The following elements were removed from scope <scope>: <elements>
|
CLEARED
|
Administrator executed remove elements to scope command.
|
None needed.
|
static-link-added
|
IStaticTopologyManagement
|
A static topology link from <source> to <destination> was added
|
CLEARED
|
Administrator action.
|
None needed.
|
static-link-removed
|
IStaticTopologyManagement
|
The static topology link from <source> to <destination> was removed
|
CLEARED
|
Administrator action.
|
None needed.
|
transport-uplink-added
|
IMCNetwork
|
A transport uplink was added between <sourceaddress> (local name: <sourcename>) and <destinationaddress> (local name: <destinationname>)
|
CLEARED
|
Administrator action.
|
None needed.
|
transport-uplink-disabled
|
IMCNetwork
|
The transport uplink between <sourceaddress> (local name: <sourcename>) and <destinationaddress> (local name: <destinationname>) was disabled
|
CLEARED
|
Administrator action.
|
None needed.
|
transport-uplink-enabled
|
IMCNetwork
|
The transport uplink between <sourceaddress> (local name: <sourcename>) and <destinationaddress> (local name: <destinationname>) was enabled
|
CLEARED
|
Administrator action.
|
None needed.
|
transport-uplink-removed
|
IMCNetwork
|
The transport uplink between <sourceaddress> (local name: <sourcename>) and <destinationaddress> (local name: <destinationname>) was removed
|
CLEARED
|
Administrator action.
|
None needed.
|
unit-added
|
IMC
|
DNA Unit <ip> was added
|
CLEARED
|
Administrator action.
|
None needed.
|
unit-high-availability-disabled
|
IMC
|
High availability was disabled for BOS Unit <ip>
|
CLEARED
|
Administrator action.
|
None needed.
|
unit-high-availability-enabled
|
IMC
|
High availability was enabled for BOS Unit <ip>
|
CLEARED
|
Administrator action.
|
None needed.
|
unit-manual-failover
|
IMC
|
Manual failover was started in BOS Unit <ip>
|
CLEARED
|
Administrator action.
|
None needed.
|
unit-protection-group-changed
|
IMC
|
The protection group of BOS Unit <ip> was changed to <protectiongroup>
|
CLEARED
|
Administrator action.
|
None needed.
|
unit-removed
|
IMC
|
BOS Unit <ip> was removed
|
CLEARED
|
Administrator action.
|
None needed.
|
unit-restart
|
IMC
|
BOS Unit <ip> was restarted
|
CLEARED
|
Administrator action.
|
None needed.
|
unit-restarted
|
IMC
|
BOS Unit <ip> was restarted
|
CLEARED
|
Administrator action.
|
None needed.
|
user-created
|
IBOSUser
|
User <username> was created
|
CLEARED
|
Administrator executed create user command.
|
None needed.
|
user-deleted
|
IBOSUser
|
User <username> was deleted
|
CLEARED
|
Administrator executed delete user command.
|
None needed.
|
user-map-added
|
IBOSUser
|
User <username> was granted permission to use map <map>
|
CLEARED
|
Administrator action.
|
None needed.
|
user-map-removed
|
IBOSUser
|
User <username>'s permission to use map <map> was revoked
|
CLEARED
|
Administrator action.
|
None needed.
|
user-password-changed
|
IBOSUser
|
User <username>'s password was changed
|
CLEARED
|
Administrator executed change password command.
|
None needed.
|
user-property-changed
|
IBOSUser
|
The property <property> of user <username> was changed to <value>
|
CLEARED
|
Administrator executed change user property command.
|
None needed.
|
Category: insufficient permissions
|
|
|
execute command
|
IAvm
|
User <username> doesn't have enough permission to run command <command name>
|
MAJOR
|
A user executed a command with insufficient permissions. Might be a security attack.
|
Examine the log and identify the user and the command. Take the appropriate action according to organizational security policies.
|
Category: license
|
|
|
license_cap_exceeded
|
IAvm
|
License capacity exceeded for user = <username>, ip = <ip>
|
MAJOR
|
User attempted to log in but is already using the maximum number of connections.
|
Close some of the user connections to the application.
|
license_expired
|
IAvm
|
License expired for user = <username>, ip = <ip>
|
MAJOR
|
The user's license has expired.
|
Buy a license or log in as another user.
|
no_license
|
IAvm
|
No license exists for user = <username>, ip = <ip>
|
MAJOR
|
The user does not have a license to use the application.
|
Buy a license.
|
Category: login
|
|
|
invalid password
|
IAvm
|
Invalid password. Couldn't authenticate user <username>
|
MINOR
|
User entered an invalid password.
|
Enter the password correctly.
|
invalid user
|
IAvm
|
Invalid login. Unknown user <username>
|
MINOR
|
User entered invalid login name.
|
Enter the login name correctly.
|
session number exceeded
|
IAvm
|
Number of open sessions for user <username> exceeded
|
MINOR
|
User has opened more sessions than allowed.
|
Increase the number of allowed sessions for this user or do not open so many.
|
success
|
IAvm
|
Successful login <username>
|
CLEARED
|
User entered the correct login information.
|
None needed.
|
total number session exceeded
|
IAvm
|
Maximum open sessions number exceeded (<maxOpenSessions>)
|
MINOR
|
The users of the system have opened too many connections.
|
Close some of the connections to the system.
|
user disabled
|
IAvm
|
User <username> is disabled
|
MINOR
|
User tried too many times to log in with an incorrect password; the account is disabled.
|
Enable the account.
|
Category: logoff
|
|
|
user logoff
|
IAvm
|
User <username> logged off
|
CLEARED
|
User closed the application that was connected to the system.
|
None needed.
|
Category: password changed
|
|
|
password changed
|
IAvm
|
User <username> changed password
|
CLEARED
|
The user changed their password.
|
None needed.
|
Category: password expired
|
|
|
authenticate
|
IAvm
|
Password expired. Couldn't authenticate user <username>
|
MINOR
|
User password expiration date has arrived.
|
Update user password.
|
disabled
|
IAvm
|
Account inactivity timeout expired. Account disabled. Couldn't authenticate user <username>
|
MINOR
|
The user has not logged in within the specified time period and the account is disabled.
|
Enable user account.
|
