appendix a using syslog - whp...

Appendix A

Using Syslog

This appendix describes how to display Syslog messages and how to configure the Syslog facility, and lists the Syslog messages that a ProCurve Routing Switch can display during standard operation.

NOTE: This appendix does not list Syslog messages that can be displayed when a debug option is enabled. For information about Syslog messages that are displayed by a debug option, see the Diagnostic Guide for ProCurve 9300/9400 Series Routing Switches.

Overview An HP devices software can write syslog messages to provide information at the following severity levels:

Emergencies

Alerts

Critical

Errors

Warnings

Notifications

Informational

Debugging

The device writes the messages to a local buffer. In software release earlier than 07.6.04, the local buffer can hold up to 100 entries. Beginning with software release 07.6.04, the buffer can hold up to 1000 entries.

You also can specify the IP address or host name of up to six Syslog servers. When you specify a Syslog server, the HP device writes the messages both to the system log and to the Syslog server.

Using a Syslog server ensures that the messages remain available even after a system reload. The HP devices local Syslog buffer is cleared during a system reload or reboot, but the Syslog messages sent to the Syslog server remain on the server.

The Syslog service on a Syslog server receives logging messages from applications on the local host or from devices such as a Routing Switch. Syslog adds a time stamp to each received message and directs messages to a log file. Most Unix workstations come with Syslog configured. Some third party vendor products also provide Syslog running on NT.

June 2005 A - 1

http:07.6.04http:07.6.04

Installation and Basic Configuration Guide for ProCurve 9300 Series Routing Switches

Syslog uses UDP port 514 and each Syslog message thus is sent with destination port 514. Each Syslog message is one line with Syslog message format. The message is embedded in the text portion of the Syslog format. There are several subfields in the format. Keywords are used to identify each subfield, and commas are delimiters. The subfield order is insensitive except that the text subfield should be the last field in the message. All the subfields are optional.

Displaying Syslog Messages To display the Syslog messages in the devices local buffer, enter the following command at any level of the CLI:

ProCurveRS> show logging

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)

Buffer logging: level ACDMEINW, 3 messages logged

level code: A=alert C=critical D=debugging M=emergency E=error

I=informational N=notification W=warning

Static Log Buffer:Dec 15 19:04:14:A:Fan 1, fan on right connector, failed

Dynamic Log Buffer (50 entries):

Dec 15 18:46:17:I:Interface ethernet 1/4, state up

Dec 15 18:45:21:I:Bridge topology change, vlan 4095, interface 4, changed

state to forwarding

Dec 15 18:45:15:I:Warm start

For information about the Syslog configuration information, time stamps, and dynamic and static buffers, see Displaying the Syslog Configuration on page A-3.

Enabling Real-Time Display of Syslog Messages

By default, to view Syslog messages generated by an HP device, you need to display the Syslog buffer or the log on a Syslog server used by the HP device.

You can enable real-time display of Syslog messages on the management console. When you enable this feature, the software displays a Syslog message on the management console when the message is generated.

When you enable the feature, the software displays Syslog messages on the serial console when they occur. However, to enable display of real-time Syslog messages in Telnet or SSH sessions, you also must enable display within the individual sessions.

USING THE CLI

To enable real-time display of Syslog messages, enter the following command at the global CONFIG level of the CLI:

ProCurveRS(config)# logging console

Syntax: [no] logging console

This command enables the real-time display of Syslog messages on the serial console. You can enter this command from the serial console or a Telnet or SSH session.

To also enable the real-time display for a Telnet or SSH session, enter the following command from the Privileged EXEC level of the session:

telnet@ProCurveRS# terminal monitor

Syslog trace was turned ON

Syntax: terminal monitor

Notice that the CLI displays a message to indicate the status change for the feature. To disable the feature in the management session, enter the terminal monitor command again. The command toggles the feature on and off.

A - 2 June 2005

Using Syslog

telnet@ProCurveRS# terminal monitor

Syslog trace was turned OFF

Here is an example of how the Syslog messages are displayed:

telnet@ProCurveRS# terminal monitor Syslog trace was turned ONSYSLOG: ProCurveRS, Power supply 2, power supply on left connector, failed

SYSLOG: ProCurveRS, Interface ethernet 1/6, state down

SYSLOG: ProCurveRS, Interface ethernet 1/2, state up

Configuring the Syslog Service The procedures in this section describe how to perform the following Syslog configuration tasks:

Specify a Syslog server. You can configure the HP device to use up to six Syslog servers. (Use of a Syslog server is optional. The system can hold up to 100 Syslog messages in an internal buffer.)

Change the level of messages the system logs.

Change the number of messages the local Syslog buffer can hold.

Display the Syslog configuration.

Clear the local Syslog buffer.

Logging is enabled by default, with the following settings:

Messages of all severity levels (Emergencies Debugging) are logged.

By default, up to 50 messages are retained in the local Syslog buffer. This can be changed.

No Syslog server is specified.

Displaying the Syslog Configuration To display the Syslog parameters currently in effect on an HP device, enter the following command from any level of the CLI:

ProCurveRS> show logging





Static Log Buffer:

Dec 15 19:04:14:A:Fan 1, fan on right connector, failed


Dec 15 18:46:17:I:Interface ethernet 1/4, state up

Dec 15 18:45:21:I:Bridge topology change, vlan 4095, interface 4, changed

state to forwarding


Syntax: show logging

June 2005 A - 3


The Syslog display shows the following configuration information, in the rows above the log entries themselves.

Table A.1: CLI Display of Syslog Buffer Configuration

This Field...

Syslog logging The state (enabled or disabled) of the Syslog buffer.

messages dropped The number of Syslog messages dropped due to user-configured filters. By default, the software logs messages for all Syslog levels. You can disable individual Syslog levels, in which case the software filters out messages at those levels. See Disabling Logging of a Message Level on page A-10. Each time the software filters out a Syslog message, this counter is incremented.

flushes

overruns

level

messages logged

level code

Displays...

The number of times the Syslog buffer has been cleared by the clear logging command or equivalent Web management interface option. See Clearing the Syslog Messages from the Local Buffer on page A12.

The number of times the dynamic log buffer has filled up and been cleared to hold new entries. For example, if the buffer is set for 100 entries, the 101st entry causes an overrun. After that, the 201st entry causes a second overrun.

The message levels that are enabled. Each letter represents a message type and is identified by the key (level code) below the value. If you disable logging of a message level, the code for that level is not listed.

The total number of messages that have been logged since the software was loaded.

The message levels represented by the one-letter codes.

Static and Dynamic Buffers

The software provides two separate buffers:

Static logs power supply failures, fan failures, and temperature warning or shutdown messages

Dynamic logs all other message types

In the static log, new messages replace older ones, so only the most recent message is displayed. For example, only the most recent temperature warning message will be present in the log. If multiple temperature warning messages are sent to the log, the latest one replaces the previous one. The static buffer is not configurable.

The message types that appear in the static buffer do not appear in the dynamic buffer. The dynamic buffer contains up to the maximum number of messages configured for the buffer (50 by default), then begins removing the oldest messages (at the bottom of the log) to make room for new ones.

A - 4 June 2005

Using Syslog

The static and dynamic buffers are both displayed when you display the log.

ProCurveRS(config)# show logging

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns) Buffer logging: level ACDMEINW, 3 messages logged level code: A=alert C=critical D=debugging M=emergency E=error


Static Log Buffer:Dec 15 19:04:14:A:Fan 1, fan on right connector, failedDec 15 19:00:14:A:Fan 2, fan on left connector, failed

Dynamic Log Buffer (50 entries):Dec 15 18:46:17:I:Interface ethernet 1/4, state upDec 15 18:45:21:I:Bridge topology change, vlan 4095, interface 4, changedstate to forwardingDec 15 18:45:15:I:Warm start

Notice that the static buffer contains two separate messages for fan failures. Each message of each type has its own buffer. Thus, if you replace fan 1 but for some reason that fan also fails, the software replaces the first message about the failure of fan 1 with the newer message. The software does not overwrite the message for fan 2, unless the software sends a newer message for fan 2.

When you clear log entries, you can selectively clear the static or dynamic buffer, or you can clear both. For example, to clear only the dynamic buffer, enter the following command at the Privileged EXEC level:

ProCurveRS# clear logging dynamic-buffer

Syntax: clear logging [dynamic-buffer | static-buffer]

You can specify dynamic-buffer to clear the dynamic buffer or static-buffer to clear the static buffer. If you do not specify a buffer, both buffers are cleared.

Time Stamps

The contents of the time stamp differ depending on whether you have set the time and date on the onboard system clock.

If you have set the time and date on the onboard system clock, the date and time are shown in the following format:

mm dd hh:mm:ss

where:

mm abbreviation for the name of the month

dd day

hh hours

mm minutes

ss seconds

For example, Oct 15 17:38:03 means October 15 at 5:38 PM and 3 seconds.

If you have not set the time and date on the onboard system clock, the time stamp shows the amount of time that has passed since the device was booted, in the following format:

dhms

where:

June 2005 A - 5


d day

h hours

m minutes

s seconds

For example, 188d1h01m00s means the device had been running for 188 days, 11 hours, one minute, and zero seconds when the Syslog entry with this time stamp was generated.

Example of Syslog Messages on a Device Whose Onboard Clock Is Set The example shows the format of messages on a device whose onboard system clock has been set. Each time stamp shows the month, the day, and the time of the system clock when the message was generated. For example, the system time when the most recent message (the one at the top) was generated was October 15 at 5:38 PM and 3 seconds.

ProCurveRS(config)# show log





Static Log Buffer:


Dec 15 19:00:14:A:Fan 2, fan on left connector, failed


Oct 15 17:38:03:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18

0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)


0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)


0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)

Example of Syslog Messages on a Device Whose Onboard Clock Is Not Set The example shows the format of messages on a device whose onboard system clock is not set. Each time stamp shows the amount of time the device had been running when the message was generated. For example, the most

A - 6 June 2005

Using Syslog

recent message, at the top of the list of messages, was generated when the device had been running for 21 days, seven hours, two minutes, and 40 seconds.

ProCurveRS(config)# show log



Static Log Buffer:

Dynamic Log Buffer (50 entries):21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)

19d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/180010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)

17d06h58m30s:warning:list 101 denied tcp 209.157.22.198(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)

Displaying and Configuring Syslog Buffer Parameters Using the Web Management Interface To configure Syslog parameters using the Web management interface, use the following procedure:

1. Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.

2. Select Management from the System configuration sheet to display the Management panel.

3. Select the System Log link to display the following panel.

4. Select Disable or Enable next to Logging to disable or enable the Syslog service on the device. The service is enabled by default.

5. Optionally change the number of entries the local Syslog buffer can hold. The buffer size can be from 1 100. The default is 50.

June 2005 A - 7


NOTE: A change in the buffer size takes effect only after you restart the system. The buffer size does not affect how many entries the device can log on a Syslog server. The number of entries the device can log on the server depends on the servers configuration.

6. Select the messages facility. The default is User. For a list of values, display the pulldown menu.

7. Select the message levels you want the device to log. All the levels are logged by default.

8. Click Apply to save the changes to the devices running-config file.

9. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the devices flash memory.

10. To view a list of the Syslog servers that have been defined, click the Show Log Server link under the Apply and Reset buttons to display the Log Server panel.

Figure A.1 List of Log Servers

The list shows the IP Addresses and UDP Ports of the Syslog Servers.

11. To delete an entry, click on the Delete button for that entry.

12. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the devices flash memory.

13. To add a Syslog server, click on the Add Log Server link under the dialog to display the System Log Server panel.

Figure A.2 System Log Server Panel

14. Enter the IP address of the new Syslog server, if you want the device to log messages on the Syslog server as well as in the local buffer.

15. Enter the UDP port on the server that will be used for logging messages.

A - 8 June 2005

Using Syslog

16. Click on the Add button to add the server to the list. You can add up to six Syslog servers.

17. When you have finished, select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the devices flash memory.

Disabling or Re-Enabling Syslog Syslog is enabled by default. To disable or re-enable it, use one of the following methods.

USING THE CLI

To disable it, enter the following command at the global CONFIG level:

ProCurveRS(config)# no logging on

Syntax: [no] logging on []

The parameter specifies the application port used for the Syslog facility. The default is 514.

To re-enable logging, enter the following command:

ProCurveRS(config)# logging on

This command enables local Syslog logging with the following defaults:

Messages of all severity levels (Emergencies Debugging) are logged.

Up to 50 messages are retained in the local Syslog buffer.

No Syslog server is specified.

Specifying a Syslog Server To specify a Syslog server, use one of the following methods.

USING THE CLI

For software releases earlier than 07.7.00, enter a command such as the following:

ProCurveRS(config)# logging 10.0.0.99

For software releases 07.7.00 and later, enter a command such as the following:

ProCurveRS(config)# logging host 10.0.0.99

For backward compatibility, the software reads the old command syntax from the startup configuration, and

converts it to the new command syntax in the running configuration.

Syntax: logging | (software releases earlier than 07.7.00)

Syntax: logging host | (software release 07.7.00 and later)

USING THE WEB MANAGEMENT INTERFACE

See the section Displaying and Configuring Syslog Buffer Parameters Using the Web Management Interface on page A-7.

NOTE: You can specify a server name only if you have already configured the DNS Resolver feature. See the Configuring IP chapter in the Advanced Configuration and Management Guide for ProCurve 9300/9400 Series Routing Switches.

Specifying an Additional Syslog Server USING THE CLI

To specify an additional Syslog server, enter the logging host command again, as in the following example. You can specify up to six Syslog servers.

For software releases earlier than 07.7.00, enter a command such as the following:

June 2005 A - 9

http:07.7.00http:07.7.00


ProCurveRS(config)# logging 10.0.0.99

For software releases 07.7.00 and later, enter a command such as the following:

ProCurveRS(config)# logging host 10.0.0.99

For backward compatibility, the software reads the old command syntax from the startup configuration, and

converts it to the new command syntax in the running configuration.

Syntax: logging | (software releases earlier than 07.7.00)

Syntax: logging host | (software release 07.7.00 and later)



Disabling Logging of a Message Level To change the message level, disable logging of specific message levels. You must disable the message levels on an individual basis.

USING THE CLI

For example, to disable logging of debugging and informational messages, enter the following commands:

ProCurveRS(config)# no logging buffered debugging

ProCurveRS(config)# no logging buffered informational

Syntax: [no] logging buffered |

The parameter can have one of the following values:

alerts

critical

debugging

emergencies

errors

informational

notifications

warnings

The commands in the example above change the log level to notification messages or higher. The software will not log informational or debugging messages. The changed message level also applies to the Syslog servers.



Changing the Number of Entries the Local Buffer Can Hold You also can use the logging buffered command to change the number of entries the local Syslog buffer can store. For example:

ProCurveRS(config)# logging buffered 100

The default number of messages is 50. The value can be from 1 1000. The change takes effect immediately and does not require you to reload the software.

A - 10 June 2005

Using Syslog



NOTE: If you decrease the size of the buffer, the software clears the buffer before placing the change into effect. If you increase the size of the buffer, the software does not clear existing entries.

Changing the Log Facility The Syslog daemon on the Syslog server uses a facility to determine where to log the messages from the HP device. The default facility for messages the HP device sends to the Syslog server is user. You can change the facility using the following command.

NOTE: You can specify only one facility. If you configure the HP device to use two Syslog servers, the device uses the same facility on both servers.

ProCurveRS(config)# logging facility local0

Syntax: logging facility

The can be one of the following:

kern kernel messages

user random user-level messages

mail mail system

daemon system daemons

auth security/authorization messages

syslog messages generated internally by Syslog

lpr line printer subsystem

news netnews subsystem

uucp uucp subsystem

sys9 cron/at subsystem

sys10 reserved for system use





cron cron/at subsystem

local0 reserved for local use








June 2005 A - 11




Displaying the Interface Name in Syslog Messages By default, an interfaces slot number (if applicable) and port number are displayed when you display Syslog messages. If you want to display the name of the interface instead of its number, enter the following command:

ProCurveRS(config)# ip show-portname

This command is applied globally to all interfaces on Routing Switches.

Syntax: [no] Ip show-portname

When you display the messages in the Syslog, you see the interface name under the Dynamic Log Buffer section. The actual interface number is appended to the interface name. For example, if the interface name is "lab" and its port number is "2", you see "lab2" displayed as in the example below:

ProCurveRS# show logging



Static Log Buffer:



Dec 15 18:46:17:I:Interface ethernet Lab2, state up


Clearing the Syslog Messages from the Local Buffer To clear the Syslog messages stored in the HP devices local buffer, use one of the following methods:

USING THE CLI

ProCurveRS# clear logging

Syntax: clear logging


To clear Syslog messages using the Web management interface, use the following procedure:

1. Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.

2. Click on the plus sign next to Command in the tree view to display the command options.

3. Select the Clear link to display the Clear panel.

4. Click on the checkbox next to System Logging to place a checkmark in the box.

5. Click Apply to clear the log.

Displaying TCP/UDP Port Numbers in Syslog Messages The command ip show-acl-service-number allows you to change the display of TCP/UDP application information from the TCP/UDP well-known port name to the TCP/UDP port number. For example, entering the following command causes the HP device to display http (the well-known port name) instead of 80 (the port number) in the output of show commands, and other commands that contain application port information. By default, HP devices display TCP/UDP application information in named notation.

In this release, you can display TCP/UDP port number instead of their names in syslog messages by entering the following command:

A - 12 June 2005

Using Syslog

9300 series(config)# ip show-service-number-in-log

Syntax: [no] ip show-service-number-in-log

Syslog Messages Table A.2 lists all of the Syslog messages. The messages are listed by message level, in the following order:

Emergencies (none)

Alerts

Critical

Errors

Warnings

Notifications

Informational

Debugging

Table A.2: HP Syslog Messages

Message Level Message Explanation

Alert Power supply , , failed A power supply has failed.

The is the power supply number.

The describes where the failed power supply is in the chassis. The location can be one of the following:

In 4-slot Routing Switches:

left side power supply

right side power supply


bottom power supply

middle bottom power supply

middle top power supply

top power supply


left side power supply

second from left power supply

second from right power supply

right side power supply

June 2005 A - 13


Table A.2: HP Syslog Messages (Continued)


Alert Fan , , failed A fan has failed.

The is the power supply number.

The describes where the failed power supply is in the chassis. The location can be one of the following:


left side panel, back fan

left side panel, front fan

rear/back panel, left fan

rear/back panel, right fan

In 8-slot and 15-slot Routing Switches:

rear/back panel, top fan

rear/back panel, bottom fan

top panel, fan

Alert Management module at slot state changed from to .

Indicates a state change in a management module.

The indicates the chassis slot containing the module.


active

standby

crashed

coming-up

unknown

Alert Temperature C degrees, warning level C degrees, shutdown level C degrees

Indicates an overtemperature condition on the active module.

The value indicates the temperature of the module.

The value is the warning threshold temperature configured for the module.

The value is the shutdown temperature configured for the module.

Alert modules and 1 power supply, need more power supply!!

Indicates that the chassis needs more power supplies to run the modules in the chassis.

The parameter indicates the number of modules in the chassis.

A - 14 June 2005

Using Syslog



Alert OSPF Memory Overflow OSPF has run out of memory.

Alert OSPF LSA Overflow, LSA Type =

Indicates an LSA database overflow.

The parameter indicates the type of LSA that experienced the overflow condition. The LSA type is one of the following:

1 Router

2 Network

3 Summary

4 Summary

5 External

Alert MAC Authentication failed for on (Invalid User)

RADIUS authentication failed for the specified on the specified because the MAC address sent to the RADIUS server was not found in the RADIUS servers users database.

Alert MAC Authentication failed for on

RADIUS authentication was successful for the specified on the specified ; however, the VLAN returned in the RADIUS Access-Accept message did not refer to a valid VLAN or VLAN ID on the HP device. This is treated as an authentication failure.

Alert MAC Authentication failed for on (No VLAN Info received from RADIUS server)

RADIUS authentication was successful for the specified on the specified ; however, dynamic VLAN assignment was enabled for the port, but the RADIUS Access-Accept message did not include VLAN information. This is treated as an authentication failure.

Alert MAC Authentication failed for on (RADIUS given VLAN does not match with TAGGED vlan)

Multi-device port authentication failed for the on a tagged port because the packet with this MAC address as the source was tagged with a VLAN ID different from the RADIUS-supplied VLAN ID.

Alert MAC Authentication failed for on (RADIUS given vlan does not exist)

RADIUS authentication was successful for the specified on the specified ; however, the RADIUS Access-Accept message specified a VLAN that does not exist in the HP devices configuration. This is treated as an authentication failure.

June 2005 A - 15




Alert MAC Authentication failed for on (Port is already in another radius given vlan)

RADIUS authentication was successful for the specified on the specified ; however, the RADIUS Access-Accept message specified a VLAN ID, although the port had previously been moved to a different RADIUS-assigned VLAN. This is treated as an authentication failure.

Critical Authentication shut down due to DOS attack

Denial of Service (DoS) attack protection was enabled for multi-device port authentication on the specified , and the per-second rate of RADIUS authentication attempts for the port exceeded the configured limit. The HP device considers this to be a DoS attack and disables the port.

Error No of prefixes received from BGP peer exceeds maximum prefix-limit...shutdown

The Routing Switch has received more than the specified maximum number of prefixes from the neighbor, and the Routing Switch is therefore shutting down its BGP4 session with the neighbor.

Warning Locked address violation at interface e, address

Indicates that a port on which you have configured a lock-address filter received a packet that was dropped because the packets source MAC address did not match an address learned by the port before the lock took effect.

The e is the port number.

The is the MAC address that was denied by the address lock.

Assuming that you configured the port to learn only the addresses that have valid access to the port, this message indicates a security violation.

Warning NTP server failed to respond Indicates that a Simple Network Time Protocol (SNTP) server did not respond to the devices query for the current time.

The indicates the IP address of the SNTP server.

A - 16 June 2005

Using Syslog



Warning Dup IP detected, sent from MAC interface

Indicates that the HP device received a packet from another device on the network with an IP address that is also configured on the HP device.

The is the duplicate IP address.

The is the MAC address of the device with the duplicate IP address.

The is the HP port that received the packet with the duplicate IP address. The address is the packets source IP address.

Warning mac filter group denied packets on port src macaddr , packets

Indicates that a Layer 2 MAC filter group configured on a port has denied packets.

The is the port on which the packets were denied.

The is the source MAC address of the denied packets.

The indicates how many packets matching the values above were dropped during the five-minute interval represented by the log entry.

Warning list denied () (Ethernet ) -> (), 1 event(s)

Indicates that an Access Control List (ACL) denied (dropped) packets.

The indicates the ACL number. Numbers 1 99 indicate standard ACLs. Numbers 100 199 indicate extended ACLs.

The indicates the IP protocol of the denied packets.

The is the source IP address of the denied packets.

The is the source TCP or UDP port, if applicable, of the denied packets.

The indicates the port number on which the packet was denied.

The indicates the source MAC address of the denied packets.

The indicates the destination IP address of the denied packets.

The indicates the destination TCP or UDP port number, if applicable, of the denied packets.

June 2005 A - 17




Warning rip filter list V1 | V2 denied , packets

Indicates that a RIP route filter denied (dropped) packets.

The is the ID of the filter list.

The indicates whether the filter was applied to incoming packets or outgoing packets. The value can be one of the following:

in

out

The V1 or V2 value specifies the RIP version (RIPv1 or RIPv2).

The indicates the network number in the denied updates.

The indicates how many packets matching the values above were dropped during the five-minute interval represented by the log entry.

Warning No of prefixes received from BGP peer exceeds warning limit

The Routing Switch has received more than the allowed percentage of prefixes from the neighbor.

The is the IP address of the neighbor.

The is the number of prefixes that matches the percentage you specified. For example, if you specified a threshold of 100 prefixes and 75 percent as the warning threshold, this message is generated if the Routing Switch receives a 76th prefix from the neighbor.

Notification Module was inserted to slot Indicates that a module was inserted into a chassis slot.

The is the number of the chassis slot into which the module was inserted.

Notification Module was removed from slot Indicates that a module was removed from a chassis slot.

The is the number of the chassis slot from which the module was removed.

Notification ACL insufficient L4 cam resource, using flow based ACL instead

The port does not have a large enough CAM partition for the ACLs. To re-partition the CAM, see the Changing CAM Partitions chapter in the Diagnostic Guide for ProCurve 9300/9400 Series Routing Switches.

A - 18 June 2005

Using Syslog



Notification OSPF interface state changed, rid , intf addr , state

Indicates that the state of an OSPF interface has changed.

The is the router ID of the HP device.

The is the interfaces IP address.

The indicates the state to which the interface has changed and can be one of the following:

down

loopback

waiting

point-to-point

designated router

backup designated router

other designated router

unknown

Notification OSPF virtual intf state changed, rid , area , nbr , state

Indicates that the state of an OSPF virtual routing interface has changed.

The is the router ID of the router the interface is on.

The is the area the interface is in.

The is the IP address of the OSPF neighbor.


down

loopback

waiting

point-to-point

designated router

backup designated router

other designated router

unknown

June 2005 A - 19




Notification OSPF nbr state changed, rid , nbr Indicates that the state of an OSPF neighbor addr , nbr rid , state has changed.



The is the router ID of the neighbor.


down

attempt

initializing

2-way

exchange start

exchange

loading

full

unknown

A - 20 June 2005

Using Syslog



Notification OSPF virtual nbr state changed, rid , nbr addr , nbr rid , state

Indicates that the state of an OSPF virtual neighbor has changed.



The is the router ID of the neighbor.


down

attempt

initializing

2-way

exchange start

exchange

loading

full

unknown

June 2005 A - 21




Notification OSPF intf config error, rid , Indicates that an OSPF interface intf addr , configuration error has occurred. pkt src addr ,

The is the router ID of the HP error type , pkt type device.

The is the IP address of the interface on the HP device.

The is the IP address of the interface from which the HP device received the error packet.


bad version

area mismatch

unknown NBMA neighbor

unknown virtual neighbor

authentication type mismatch

authentication failure

network mask mismatch

hello interval mismatch

dead interval mismatch

option mismatch

unknown


hello

database description

link state request

link state update

link state ack

unknown

A - 22 June 2005

Using Syslog



Notification OSPF virtual intf config error, Indicates that an OSPF virtual routing rid , intf addr , interface configuration error has occurred. pkt src addr ,



The is the IP address of the interface from which the HP device received the error packet.


bad version

area mismatch








option mismatch

unknown


hello


link state request

link state update

link state ack

unknown

June 2005 A - 23




Notification OSPF intf authen failure, rid , Indicates that an OSPF interface intf addr , authentication failure has occurred. pkt src addr ,



The is the IP address of the interface from which the HP device received the authentication failure.


bad version

area mismatch








option mismatch

unknown


hello


link state request

link state update

link state ack

unknown

A - 24 June 2005

Using Syslog



Notification OSPF virtual intf authen failure, Indicates that an OSPF virtual routing rid , intf addr , interface authentication failure has occurred. pkt src addr ,





bad version

area mismatch








option mismatch

unknown


hello


link state request

link state update

link state ack

unknown

June 2005 A - 25




Notification OSPF intf rcvd bad pkt, rid , intf addr , pkt src addr , pkt type

Indicates that an OSPF interface received a bad packet.





hello


link state request

link state update

link state ack

unknown

Notification OSPF virtual intf rcvd bad pkt, rid , intf addr , pkt src addr , pkt type

Indicates that an OSPF interface received a bad packet.





hello


link state request

link state update

link state ack

unknown

A - 26 June 2005

Using Syslog



Notification OSPF intf retransmit, rid , An OSPF interface on the HP device has intf addr , nbr rid , retransmitted a Link State Advertisement pkt type is , LSA type , (LSA). LSA id , LSA rid



The is the router ID of the neighbor Routing Switch.


hello


link state request

link state update

link state ack

unknown

The is the type of LSA.

The is the LSA ID.

The is the LSA router ID.

June 2005 A - 27




Notification OSPF virtual intf retransmit, rid , intf addr , nbr rid , pkt type is , LSA type , LSA id , LSA rid

An OSPF interface on the HP device has retransmitted a Link State Advertisement (LSA).



The is the router ID of the neighbor Routing Switch.


hello


link state request

link state update

link state ack

unknown


The is the LSA ID.


Notification OSPF originate LSA, rid , area , LSA type , LSA id , LSA router id

An OSPF interface has originated an LSA.


The is the OSPF area.


The is the LSA ID.


Notification OSPF max age LSA, rid , area , LSA type , LSA id , LSA rid

An LSA has reached its maximum age.


The is the OSPF area.


The is the LSA ID.


A - 28 June 2005

Using Syslog



Notification OSPF LSDB overflow, rid , limit

A Link State Database Overflow (LSDB) condition has occurred.


The is the number of LSAs.

Notification OSPF LSDB approaching overflow, rid , limit

The software is close to an LSDB condition.


The is the number of LSAs.

Notification OSPF intf rcvd bad pkt: Bad Checksum, rid , intf addr , pkt size , checksum , pkt src addr , pkt type

The device received an OSPF packet that had an invalid checksum.

The rid is HP devices router ID.

The intf addr is the IP address of the HP interface that received the packet.

The pkt size is the number of bytes in the packet.

The checksum is the checksum value for the packet.

The pkt src addr is the IP address of the neighbor that sent the packet.

The pkt type is the OSPF packet type and can be one of the following:

hello


link state request

link state update

link state acknowledgement

unknown (indicates an invalid packet type)

Notification OSPF intf rcvd bad pkt: Bad Packet type, rid , intf addr , pkt size , checksum , pkt src addr , pkt type

The device received an OSPF packet with an invalid type.

The parameters are the same as for the Bad Checksum message. The pkt type value is unknown, indicating that the packet type is invalid.

Notification OSPF intf rcvd bad pkt: Unable to find associated neighbor, rid , intf addr , pkt size , checksum , pkt src addr , pkt type

The neighbor IP address in the packet is not on the HP devices list of OSPF neighbors.

The parameters are the same as for the Bad Checksum message.

June 2005 A - 29




Notification OSPF intf rcvd bad pkt: Invalid packet size, rid , intf addr , pkt size , checksum , pkt src addr , pkt type

The device received an OSPF packet with an invalid packet size.

The parameters are the same as for the Bad Checksum message.

Notification VRRP intf state changed, intf , vrid , state

A state change has occurred in a Virtual Router Redundancy Protocol (VRRP) interface.

The is the port.

The is the virtual router ID (VRID) configured on the interface.


init

master

backup

unknown

Notification BGP Peer UP (ESTABLISHED) Indicates that a BGP4 neighbor has come up.

The is the IP address of the neighbors BGP4 interface with the HP device.

Notification BGP Peer DOWN (IDLE) Indicates that a BGP4 neighbor has gone down.

The is the IP address of the neighbors BGP4 interface with the HP device.

Notification Local ICMP exceeds burst packets, stopping for seconds!!

The number of ICMP packets exceeds the threshold set by the ip icmp burst command. The HP device may be the victim of a Denial of Service (DoS) attack.

All ICMP packets will be dropped for the number of seconds specified by the value. When the lockup period expires, the packet counter is reset and measurement is restarted.

Notification Local TCP exceeds burst packets, stopping for seconds!!

The number of TCP SYN packets exceeds the threshold set by the ip tcp burst command. The HP device may be the victim of a TCP SYN DoS attack.

All TCP SYN packets will be dropped for the number of seconds specified by the value. When the lockup period expires, the packet counter is reset and measurement is restarted.

A - 30 June 2005

Using Syslog



Notification Transit ICMP in interface exceeds burst packets, stopping for seconds!!

Threshold parameters for ICMP transit (through) traffic have been configured on an interface, and the maximum burst size for ICMP packets on the interface has been exceeded.

The is the port number.

The first is the maximum burst size (maximum number of packets allowed).

The second is the number of seconds during which additional ICMP packets will be blocked on the interface.

Note: This message can occur in response to an attempted Smurf attack.

Notification Local TCP exceeds burst packets, stopping for seconds!!

Threshold parameters for local TCP traffic on the device have been configured, and the maximum burst size for TCP packets has been exceeded.


The second is the number of seconds during which additional TCP packets will be blocked on the device.

Note: This message can occur in response to an attempted TCP SYN attack.

Notification Transit TCP in interface exceeds burst packets, stopping for seconds!!

Threshold parameters for TCP transit (through) traffic have been configured on an interface, and the maximum burst size for TCP packets on the interface has been exceeded.



The second is the number of seconds during which additional TCP packets will be blocked on the interface.

Note: This message can occur in response to an attempted TCP SYN attack.

Notification DOT1X issues software but not physical port up indication of Port to other software applications

The device has indicated that the specified port has been authenticated, but the actual port may not be active.

Notification DOT1X issues software but not physical port down indication of Port to other software applications

The device has indicated that the specified is no longer authorized, but the actual port may still be active.

June 2005 A - 31




Notification Authentication Enabled on The multi-device port authentication feature was enabled on the on the specified .

Notification Authentication Disabled on The multi-device port authentication feature was disabled on the on the specified .

Notification MAC Authentication succeeded for on

RADIUS authentication was successful for the specified on the specified .

Informational Cold start The device has been powered on.

Informational Warm start The system software (flash code) has been reloaded.

Informational login to USER EXEC mode A user has logged into the USER EXEC mode of the CLI.

The is the user name.

Informational logout from USER EXEC mode

A user has logged out of the USER EXEC mode of the CLI.


Informational login to PRIVILEGED mode A user has logged into the Privileged EXEC mode of the CLI.


Informational logout from PRIVILEGED mode

A user has logged out of Privileged EXEC mode of the CLI.


Informational SNMP Auth. failure, intruder IP: A user has tried to open a management session with the device using an invalid SNMP community string.

The is the IP address of the host that sent the invalid community string.

Informational Interface , state up A port has come up.


Informational Interface , state down A port has gone down.


Informational Interface , line protocol up The line protocol on a port has come up.


Informational Interface , line protocol down The line protocol on a port has gone down.


A - 32 June 2005

Using Syslog



Informational Trunk group () created by 802.3ad link-aggregation module.

802.3ad link aggregation is configured on the device, and the feature has dynamically created a trunk group (aggregate link).

The is a list of the ports that were aggregated to make the trunk group.

Informational Bridge root changed, vlan , new root ID , root interface

A Spanning Tree Protocol (STP) topology change has occurred.

The is the ID of the VLAN in which the STP topology change occurred.

The is the STP bridge root ID.

The is the number of the port connected to the new root bridge.

Informational Bridge is new root, vlan , root ID

A Spanning Tree Protocol (STP) topology change has occurred, resulting in the HP device becoming the root bridge.


The is the STP bridge root ID.

Informational Bridge topology change, vlan , interface , changed state to

A Spanning Tree Protocol (STP) topology change has occurred on a port.



The is the new STP state and can be one of the following:

disabled

blocking

listening

learning

forwarding

unknown

Informational startup-config was changed

or

startup-config was changed by

A configuration change was saved to the startup-config file.

The is the users ID, if they entered a user ID to log in.

Informational vlan interface Bridge TC Event (DOT1wTransition)

802.1W recognized a topology change event in the bridge. The topology change event is the forwarding action that started on a non-edge Designated port or Root port.

June 2005 A - 33




Informational vlan interface STP state -> (DOT1wTransition)

802.1W changed the state of a port to a new state: forwarding, learning, blocking. If the port changes to blocking, the bridge port is in discarding state.

Informational vlan New RootPort (RootSelection)

802.1W changed the ports role to Root port, using the root selection computation.

Informational vlan New RootBridge RootPort (BpduRcvd)

802.1W selected a new root bridge as a result of the BPDUs received on a bridge port.

Informational vlan Bridge is RootBridge (MgmtPriChg)

802.1W changed the current bridge to be the root bridge of the given topology due to administrative change in bridge priority.

Informational vlan Bridge is RootBridge (MsgAgeExpiry)

The message age expired on the Root port so 802.1W changed the current bridge to be the root bridge of the topology.

Informational DOT1X: Port , AuthControlledPortStatus change: authorized

The status of the interfaces controlled port has changed from unauthorized to authorized.

Informational DOT1X: Port , AuthControlledPortStatus change: unauthorized

The status of the interfaces controlled port has changed from authorized to unauthorized.

Informational DOT1X: Port currently used vlanid changes to due to dot1xRADIUS vlan assignment

A user has completed 802.1X authentication. The profile received from the RADIUS server specifies a VLAN ID for the user. The port to which the user is connected has been moved to the VLAN indicated by .

Informational DOT1X: Port currently used vlanid is set back to port default vlan-id

The user connected to has disconnected, causing the port to be moved back into its default VLAN, .

Informational DOT1X Port is unauthorized because system resource is not enough or the invalid information to set the dynamic assigned IP ACLs or MAC address filters

802.1X authentication could not take place on the port. This happened because strict security mode was enabled and one of the following occurred:

Insufficient system resources were available on the device to apply an IP ACL or MAC address filter to the port

Invalid information was received from the RADIUS server (for example, the Filter-ID attribute did not refer to an existing IP ACL or MAC address filter)

Informational Port , srcip-security max-ipaddrper-int reached.Last IP=

The address limit specified by the srcip-security max-ipaddr-per-interface command has been reached for the port.

A - 34 June 2005




Informational Port , srcip-security max-ipaddrper-int reached.Last IP=

The address limit specified by the srcip-security max-ipaddr-per-interface command has been reached for the port.

Debug BGP4: Not enough memory available to run BGP4

The device could not start the BGP4 routing protocol because there is not enough memory available.

Debug DOT1X: Not enough memory There is not enough system memory for 802.1X authentication to take place. Contact HP Technical Support.

A - 36 June 2005

Using SyslogOverviewDisplaying Syslog MessagesEnabling Real-Time Display of Syslog Messages

Configuring the Syslog ServiceDisplaying the Syslog ConfigurationStatic and Dynamic BuffersTime Stamps

Displaying and Configuring Syslog Buffer Parameters Using the Web Management InterfaceDisabling or Re-Enabling SyslogSpecifying a Syslog ServerSpecifying an Additional Syslog ServerDisabling Logging of a Message LevelChanging the Number of Entries the Local Buffer Can HoldChanging the Log FacilityDisplaying the Interface Name in Syslog MessagesClearing the Syslog Messages from the Local BufferDisplaying TCP/UDP Port Numbers in Syslog Messages

Syslog Messages

appendix a using syslog - whp...

Documents