HP Security Event Logging Messaging Reference For Interfacing with Security Information and Event Management Systems Version 3.
Table of contents
• 1 Introduction
• Purpose
• Configure and enable logging
• How to open the EWS
• Whitelisting
• Connection Inspector
• Intrusion detection
• Self-tests
• Internet fax
• Fax receive
• Fax polling receive
• Fax forwarding
• General security
• Device administrator password
• Service access code
• Remote configuration password
• IPsec/Firewall advanced options
• IPsec policy with manual keying
• IPsec policy with IKEv1
• IPsec policy with IKEv2
1 Introduction
• Purpose
• Configure and enable logging
Purpose
The purpose of this document is to describe the syslog messages generated for auditable events by HP imaging and printing devices running HP FutureSmart firmware. The following table describes the structure of this document.
Table 1-1 HP Security Event Logging Messaging Reference for Interfacing with Security Information and Event Management Systems
Chapter | Description
Introduction | This chapter describes the intent and focus of this document, and how to configure and enable logging.
6. Click Apply.
7. Select the TCP/IP Settings menu.
8. Click the Advanced tab.
9. In the Syslog Server field, enter the IPv4 address of the syslog server.
NOTE: Non-enhanced security event logging is enabled when the syslog server address is set.
10. From the Syslog Protocol drop-down menu, select the transport protocol used by the syslog server for receiving syslog messages.
11. In the Syslog Port field, enter the port number of the port used by the syslog server for receiving syslog messages.
12.
2 Enhanced security event logging
• Syslog message format
• Common variables
• Syslog messages
Syslog message format
The following is the format of syslog messages:
<##> : ;
Example syslog message:
<134> printer: Device Administrator Password modified; time="2015-Apr-09 11:54 AM (UTC-07:00)" user="admin" source_IP="10.0.0.7" outcome=success interface=Wired
The following table describes the syslog message format:
Table 2-1 Syslog message format for enhanced security event logging messages
Item | Description
<##> | Encoded syslog severity/facility.
• DD = two-digit day of the month
• HH = two-digit hour (00 through 12)
• MM = two-digit minute (00 through 59)
• PE = two-letter indicator of the 12-hour period (AM or PM)
• TZD = UTC offset (+HH:MM or –HH:MM)
Example: 2016-Mar-26 09:10 AM (UTC -07:00)
is wrapped in double quotes
NOTE: Modifying the date or time format on the device doesn’t modify the format of .
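The message and timestamp formats described above, parsed the way a SIEM collector might do it. This is an added example, not part of the HP reference: the function names are hypothetical, the second sample line is constructed, and reading `<##>` as the standard syslog PRI value (facility × 8 + severity) is an assumption consistent with the `<134>` in the page's example.

```python
"""Parse enhanced security event logging syslog lines (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Severity names by numeric code (RFC 5424 order); the reference labels
# its messages Informational, Warning and Alert.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# <PRI> host: event description; key=value key="quoted value" ...
MESSAGE_RE = re.compile(r"^<(\d{1,3})>\s*(\S+?):\s*(.*?);\s*(.*)$", re.S)
PAIR_RE = re.compile(r'([A-Za-z][\w-]*)=(?:"([^"]*)"|(\S*))')
# YYYY-MMM-DD HH:MM PE (UTC+HH:MM). The page shows the offset both with and
# without a space after "UTC" and prints the minus sign as an en dash.
TIME_RE = re.compile(
    r"^(\d{4})-([A-Za-z]{3})-(\d{2}) (\d{2}):(\d{2}) (AM|PM) "
    r"\(UTC ?([+\-\u2013\u2212])(\d{2}):(\d{2})\)$")


def decode_pri(pri):
    """Split the PRI value into (facility number, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, SEVERITIES[pri & 7]


def parse_time(value):
    """Convert the device time string into a timezone-aware datetime."""
    m = TIME_RE.match(value.strip())
    if not m or m.group(2).title() not in MONTHS:
        raise ValueError(f"unrecognised time value: {value!r}")
    year, mon, day, hh, mm, period, sign, off_h, off_m = m.groups()
    # 12-hour clock: 12 AM is hour 0, 12 PM is hour 12.
    hour = int(hh) % 12 + (12 if period == "PM" else 0)
    offset = timedelta(hours=int(off_h), minutes=int(off_m))
    if sign != "+":
        offset = -offset
    return datetime(int(year), MONTHS.index(mon.title()) + 1, int(day),
                    hour, int(mm), tzinfo=timezone(offset))


def parse_message(line):
    """Parse one syslog line into a dict of normalised fields."""
    m = MESSAGE_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match '<PRI> host: event; pairs'")
    facility, severity = decode_pri(int(m.group(1)))
    fields = {key: quoted or bare
              for key, quoted, bare in PAIR_RE.findall(m.group(4))}
    return {
        "facility": facility,
        "severity": severity,
        "host": m.group(2),
        "event": m.group(3).strip(),
        "fields": fields,
        "time": parse_time(fields["time"]) if "time" in fields else None,
        # The reference states that some messages omit the user pair when
        # the request was unauthenticated; keep that visible as None
        # instead of substituting a default account name.
        "user": fields.get("user"),
    }


# Example line copied from the page.
PAGE_SAMPLE = ('<134> printer: Device Administrator Password modified; '
               'time="2015-Apr-09 11:54 AM (UTC-07:00)" user="admin" '
               'source_IP="10.0.0.7" outcome=success interface=Wired')
# Constructed line: no user pair, spaced offset written with an en dash.
CONSTRUCTED_SAMPLE = ('<134> printer: LDAP Sign In configuration modified; '
                      'time="2016-Mar-26 09:10 PM (UTC \u201307:00)" '
                      'item=LDAP_administrator_password '
                      'source_IP="10.0.0.7" outcome=success')

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        event = parse_message(sample)
        when = event["time"].astimezone(timezone.utc).isoformat()
        print(when, event["severity"], event["event"],
              "user=" + (event["user"] or "<unauthenticated>"))
```

Keeping the missing `user` pair as `None` lets a detection rule separate configuration changes made without authentication from those made by a named account.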
- New system time.
- Old system time.
- Authenticated user who modified the system time. If an unauthenticated user modified the system time, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the system time modification request.
- IP address of the client computer that sent the request to launch the remote control-panel.
Message: : Logout; time="" reason= user="" source_IP="" outcome=success
Interface(s): EWS
Syslog severity: Informational
Explanation: Remote control-panel session was ended.
Variables:
- see Table 2-2.
- see Table 2-2.
- Reason the session was ended.
Explanation: A user unsuccessfully attempted to sign in to the device via the EWS.
Variables:
- see Table 2-2.
- see Table 2-2.
- Sign-in method that was used to perform authentication. Possible values are:
• local_device
• windows
• ldap
• smartcard
Possible values also include the names of third-party authentication agents installed on the device.
- Attempted user identity.
Possible values also include the names of third-party authentication agents installed on the device.
- Attempted user identity.
WS authentication
Message: : WS Sign In Authentication; time="" sign-in_method=local_device user="" source_IP="" outcome=failure
Interface(s): WS*, OXPd
Syslog severity: Warning
Explanation: HTTP Basic authentication failed.
- IP address of the client computer that sent the user authentication request.
- Device networking interface on which the administrator authentication request was received.
Variables:
- see Table 2-2.
- see Table 2-2.
Message: : Account Exited Lockout Mode; time="" account="Administrator" outcome=success
Interface(s): N/A
Syslog severity: Informational
Explanation: The device administrator account was unlocked.
Variables:
- see Table 2-2.
- see Table 2-2.
• AP
• STA
Message: : SNMPv3 authentication exited protected mode; time="" SNMPv3_user_account="" outcome=success interface=
Interface(s): SNMPv3
Syslog severity: Warning
Explanation: An SNMPv3 user account was unlocked.
Variables:
- see Table 2-2.
- see Table 2-2.
- SNMPv3 user account that was unlocked.
- Networking interface on the local device.
- IP address of the local device.
Message: : Unproven Installer; time= source_IP=""
Interface(s): N/A
Syslog severity: Alert
Explanation: The newly downloaded firmware failed to cryptographically validate the BIOS code.
Variables:
- see Table 2-2.
- see Table 2-2.
- IP address of the local device.
Explanation: HP Connection Inspector feature has entered protected mode.
Variables:
- see Table 2-2.
- see Table 2-2.
Message: : HP Connection Inspector event; time="" event= dns_query value="" outcome=failure
Interface(s): N/A
Syslog severity: Warning
Explanation: HP Connection Inspector feature has detected a DNS query failure for a hostname.
Variables:
- see Table 2-2.
- see Table 2-2.
Self-tests
PJL password verification test
Message: : PJL Password Integrity Test; time="" source_IP="" outcome=
Interface(s): EWS
Syslog severity: Informational
Explanation: The PJL password verification test was performed.
Variables:
- see Table 2-2.
- see Table 2-2.
- IP address of the client computer that sent the request to perform the PJL password verification test.
LDAP settings verification test
Message: : LDAP Integrity Test; time="" source_IP="" outcome=
Interface(s): EWS
Syslog severity: Informational
Explanation: The LDAP settings verification test was performed.
Variables:
- see Table 2-2.
- see Table 2-2.
- IP address of the client computer that sent the request to perform the LDAP settings verification test.
Syslog severity: Informational
Explanation: The data integrity test was performed.
Variables:
- see Table 2-2.
- see Table 2-2.
- IP address of the client computer that sent the request to perform the data integrity test.
- Result of the test.
Variables:
- see Table 2-2.
- see Table 2-2.
- Erase mode to erase the storage drive. Possible values are:
• secure_cryptographic_erase
• unknown
- Name of the storage drive to be erased.
- IP address of the client computer that sent the request to erase the storage drive.
Table 2-3 variable contained within messages generated for unsuccessful IKE negotiations
Variable Description
• CRL_decoding_failed
• CRL_is_not_currently_valid_but_in_the_future
• CRL_contains_duplicate_serial_numbers
• Time_interval_is_not_continuous
• Time_Informationalrmation_not_available
• Database_method_failed_due_to_timeout
• Database_method_failed
• Path_was_not_verified
• Maximum_path_length_reached
• No_IPsec_rules_co
NOTE: If both the local device and the IPsec peer used Kerberos to perform mutual authentication, this message is not generated.
- IP address of the IPsec peer.
- IP address of the local device.
- IP address of the local device.
- IP address of the IPsec peer.
- see Table 2-3.
- see Table 2-2.
- Authentication method that was used by both the local device and the IPsec peer to perform mutual authentication during IKEv1 phase 1 negotiations. Possible values are:
• Certificates
• Pre-shared_key
• Kerberos
NOTE: If both the local device and the IPsec peer used Kerberos to perform mutual authentication, this message is not generated.
- IP address of the local device.
- IP address of the IPsec peer.
- IP address of the IPsec peer.
- IP address of the local device.
Message: : IPsec IKEv2 phase 1 negotiation; time="" item=printer_role value=Responder source_IP="" destination_IP="" outcome=failure Reason=
Interface(s): IPsec
Syslog severity: Warning
Explanation: IKEv2 phase 1 negotiations initiated by the IPsec peer failed.
- see Table 2-2.
- IP address of the local device.
- IP address of the IPsec peer.
- see Table 2-3.
remote_authentication_option= item=printer_role value=Initiator source_IP="" destination_IP="" outcome=success
Interface(s): IPsec
Syslog severity: Warning
Explanation: IKEv2 phase 2 negotiations initiated by the local device were successful.
Variables:
- see Table 2-2.
- see Table 2-2.
IPsec AH
Message: : IPsec using AH failed; time="" source_IP="" destination_IP="" outcome=failure
Interface(s): IPsec
Syslog severity: Warning
Explanation: The processing of a received IPsec AH packet failed.
Variables:
- see Table 2-2.
- see Table 2-2.
- IP address of the IPsec peer.
- IP address of the local device.
If JobAcct3 and JobAcct8 are missing in the print job stream, the value of is “Guest.”
- IP address of the client computer that sent the print driver job.
Message: : Print job completion; time="" job_name= user="" source_IP="" outcome=canceled
Interface(s): 9100, WS Print, IPP, LPD, FTP
Syslog severity: Informational
Explanation: The printing of a print driver job was canceled.
- IP address of the client computer that sent the print-ready file.
Copy
Message: : Copy job completion; time="" user="" outcome=success
Interface(s): Control panel
Syslog severity: Informational
Explanation: A copy job was completed successfully.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who initiated the copy job.
Explanation: A non-encrypted printer driver job was stored. This message is generated when either a Personal Job or Stored Job is stored on the device.
Variables:
- see Table 2-2.
- see Table 2-2.
- The value of the job attribute JobAcct3 plus “\” plus the value of the job attribute JobAcct8. JobAcct3 specifies the domain name, and JobAcct8 specifies the username. JobAcct3 and JobAcct8 were specified by setting the PJL JOBATTR variable in the print job.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who initiated the storing of the copy job.
Message: : Save to Device Memory job completion; time="" job_type=fax user="Guest" outcome=success
Interface(s): Analog fax
Syslog severity: Informational
Explanation: A received fax was stored.
Variables:
- see Table 2-2.
- see Table 2-2.
• fax
- User who initiated the retrieval and printing of the stored job.
Message: : Retrieve from Device Memory job completion; time="" job_type= user="" source_IP="" outcome=success
Interface(s): WS*, SNMP
Syslog severity: Informational
Explanation: A non-encrypted stored print job or stored copy was retrieved and printed.
Variables:
- see Table 2-2.
- see Table 2-2.
Variables:
- see Table 2-2.
- see Table 2-2.
Email
Message: : E-mail job completion; time="" user="" outcome=success
Interface(s): Control panel
Syslog severity: Informational
Explanation: An email was sent to all recipients successfully.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who initiated the email.
Syslog severity: Informational
Explanation: A Save to SharePoint job was completed successfully.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who initiated the Save to SharePoint job.
Message: : Save to SharePoint job completion; time="" user="" outcome=canceled
Interface(s): Control panel
Syslog severity: Warning
Explanation: A Save to SharePoint job was canceled.
Variables:
- see Table 2-2.
- User who initiated the Save to Network Folder job.
Message: : Save to Network Folder job completion; time="" user="" outcome=canceled
Interface(s): Control panel
Syslog severity: Warning
Explanation: A Save to Network Folder job was canceled.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who initiated the Save to Network Folder job.
Interface(s): OXPd
Syslog severity: Warning
Explanation: A Save to Network Folder job was canceled.
Variables:
- see Table 2-2.
- see Table 2-2.
- Control panel user.
- IP address of the client computer that sent the request to perform the Save to Network Folder job.
Message: : Save to HTTP job completion; time="" user="" source_IP="" outcome=failure
Interface(s): OXPd
Syslog severity: Warning
Explanation: A Save to HTTP job failed.
Variables:
- see Table 2-2.
- see Table 2-2.
- Control panel user.
- IP address of the client computer that sent the request to perform the Save to HTTP job.
Syslog severity: Warning
Explanation: A fax send job failed.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who initiated the fax send job.
PC Fax Send
Message: : Send Fax job completion; time="" user="" outcome=success
Interface(s): 9100
Syslog severity: Informational
Explanation: A PC Fax Send job was completed successfully.
Variables:
- see Table 2-2.
- see Table 2-2.
Interface(s): Control panel
Syslog severity: Warning
Explanation: A LAN fax job was canceled.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who initiated the LAN fax job.
Message: : Send Fax job completion; time="" user="" outcome=failure
Interface(s): Control panel
Syslog severity: Warning
Explanation: A LAN fax job failed.
Variables:
- see Table 2-2.
- see Table 2-2.
Fax receive
Message: : Receive Fax job completion; time="" user="Guest" outcome=success
Interface(s): Analog fax
Syslog severity: Informational
Explanation: An analog fax was received and printed.
Variables:
- see Table 2-2.
- see Table 2-2.
Message: : Receive Fax job completion; time="" user="Guest" outcome=canceled
Interface(s): Analog fax
Syslog severity: Warning
Explanation: An incoming analog fax was canceled.
Interface(s): Control panel
Syslog severity: Warning
Explanation: A fax polling receive job was canceled.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who initiated the fax polling receive job.
Message: : Receive Fax job completion; time="" user="" outcome=failure
Interface(s): Control panel
Syslog severity: Warning
Explanation: A fax polling receive job failed.
Variables:
- see Table 2-2.
Variables:
- see Table 2-2.
- see Table 2-2.
- For the forwarding of a received fax, the value of this variable is “Guest.” For the forwarding of a sent fax, the value of this variable is the user who initiated the fax send job at the control panel.
- User who initiated the fax send job that was to be archived.
Message: : Fax Archive job completion; time="" job_type=received_fax destination_type= outcome=success
Interface(s): N/A
Syslog severity: Informational
Explanation: A received fax was archived.
Variables:
- see Table 2-2.
- see Table 2-2.
- Archival destination type.
- User who initiated the Save to USB job.
Message: : Save to USB job completion; time="" user="" outcome=canceled
Interface(s): Control panel
Syslog severity: Warning
Explanation: A Save to USB job was canceled.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who initiated the Save to USB job.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who initiated the Retrieve from USB job.
Job notification
Message: : Job Notification completion; time="" user="" outcome=success
Interface(s): N/A
Syslog severity: Informational
Explanation: A job notification report was delivered by email.
Variables:
- see Table 2-2.
- see Table 2-2.
- If the job notification report is for a received fax, the value of this variable is "Guest." Otherwise, the value of this variable is the user who initiated the job that resulted in the job notification report.
Message: : Print job completion; time="" job_name="Notification Job" user="" outcome=canceled
Interface(s): N/A
Syslog severity: Warning
Explanation: The printing of a job notification report was canceled.
Variables:
- see Table 2-2.
Message: : Print job completion; time="" job_name="" user="Guest" source_IP="0.0.0.0" outcome=canceled
Interface(s): Control panel
Syslog severity: Warning
Explanation: The printing of the HP Jetdirect Security Report was canceled.
Variables:
- see Table 2-2.
- see Table 2-2.
- IP address of the client computer that sent the request to print the fax report.
Message: : Print job completion; time="" job_name="" user="" source_IP="" outcome=canceled
Interface(s): WS*
Syslog severity: Informational
Explanation: The printing of a fax report was canceled.
Variables:
- see Table 2-2.
- see Table 2-2.
- Name of the fax report.
Device configuration
Syslog
Message: : Syslog settings modified; time="" user="" source_IP="" outcome=success interface=
Interface(s): EWS, SNMP
Syslog severity: Warning
Explanation: A syslog setting was modified.
Message: : Jetdirect logging stopped; time="" user="" source_IP="" outcome=success interface=
Interface(s): EWS
Syslog severity: Warning
Explanation: Jetdirect logging was disabled. This message is generated when the syslog server IP address is cleared and enhanced security event logging is disabled.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who disabled enhanced security event logging.
- IP address of the client computer that sent the request to disable enhanced security event logging.
- Networking interface on the local device that received the request to disable enhanced security event logging.
Explanation: An SNMPv3 user account was added.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who added the SNMPv3 user account.
- User name of SNMPv3 user account that was added.
- IP address of the client computer that sent the request to add the SNMPv3 user account.
- Networking interface on the local device that received the request to add the SNMPv3 account.
- Authenticated user who modified the inactivity timeout setting. If an unauthenticated user modified the inactivity timeout setting, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to modify the inactivity timeout setting.
- Authenticated user who disabled the account lockout policy. If an unauthenticated user disabled the account lockout policy, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to disable the account lockout policy.
- see Table 2-2.
- New setting value.
- Old setting value.
- Authenticated user who modified the account lockout policy. If an unauthenticated user modified the account lockout policy, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to modify the account lockout policy.
Explanation: The maximum attempts setting for the remote configuration account lockout policy was modified.
Variables:
- see Table 2-2.
- see Table 2-2.
- New setting value.
- Old setting value.
- Authenticated user who modified the account lockout policy. If an unauthenticated user modified the account lockout policy, the user key-value pair is not contained within the message.
Account lockout policy for SNMPv3 user accounts
Message: : Account Lockout Policy enabled; time="" account=SNMPv3 user="" source_IP="" outcome=success interface=
Interface(s): SNMP
Syslog severity: Informational
Explanation: The account lockout policy for SNMPv3 user accounts was enabled.
Variables:
- see Table 2-2.
- see Table 2-2.
- User who enabled the account lockout policy.
- User who modified the account lockout policy.
- IP address of the client computer that sent the request to modify the account lockout policy.
- Networking interface on the local device that received the request to modify the account lockout policy.
- Networking interface on the local device that received the request to modify the account lockout policy.
- IP address of the client computer that sent the request to enable the password complexity policy.
Message: : Password Complexity Policy disabled; time="" account=remote_configuration user="" source_IP="" outcome=success
Interface(s): EWS, WS*
Syslog severity: Informational
Explanation: The password complexity policy for the remote configuration password was disabled.
Variables:
- see Table 2-2.
- IP address of the client computer that sent the request to disable the password complexity policy.
- Networking interface on the local device that received the request to disable the password complexity policy.
- IP address of the client computer that sent the request to modify the minimum password length policy.
Syslog severity: Informational
Explanation: Date and time settings were configured to not adjust for daylight savings.
Variables:
- see Table 2-2.
- see Table 2-2.
- Authenticated user who disabled adjust for daylight savings. If an unauthenticated user disabled adjust for daylight savings, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to reset the daylight savings time settings to factory defaults.
Message: : System Time Use Default; time="" user="" source_IP="" outcome=success
Interface(s): EWS, WS*
Syslog severity: Informational
Explanation: The Network Time Server settings were reset to factory defaults.
Variables:
- see Table 2-2.
- see Table 2-2.
- Authenticated user who reset the Network Time Server settings to factory defaults.
- New enable or disable setting value. Possible values are:
• enable
• disable
- IP address of the client computer that sent the request to enable or disable fax forwarding.
- IP address of the client computer that sent the request to set, clear, or modify the device administrator password.
- Device networking interface on which the device configuration request was received.
Interface(s): EWS, WS*
Syslog severity: Warning
Explanation: An attempt to set, clear, or modify the remote configuration password was unsuccessful.
Variables:
- see Table 2-2.
- see Table 2-2.
- Authenticated user who attempted to set, clear, or modify the remote configuration password. If an unauthenticated user attempted to set, clear, or modify the remote configuration password, the user key-value pair is not contained within the message.
- Authenticated user who modified the EWS session timeout. If an unauthenticated user modified the EWS session timeout, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to modify the EWS session timeout.
- IP address of the client computer that sent the request to enable or disable the “Allow firmware upgrades sent as print jobs (port 9100)” setting.
Drive-lock password
Message: : Encrypted Drives Random Password Set; time="" user="" source_IP="" outcome=success
Interface(s): EWS, WS*
Syslog severity: Informational
Explanation: A new random drive-lock password was generated.
Variables:
- see Table 2-2.
- see Table 2-2.
- Authenticated user who generated the new random drive-lock password.
- see Table 2-2.
- Authenticated user who enabled LDAP Sign In. If an unauthenticated user enabled LDAP Sign In, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to enable LDAP Sign In.
- New setting value.
- Old setting value.
- Authenticated user who modified the LDAP server port setting. If an unauthenticated user modified the LDAP server port, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to modify the LDAP server port.
Message: : LDAP Sign In configuration modified; time="" item=LDAP_administrator_password user="" source_IP="" outcome=success
Interface(s): EWS, WS*
Syslog severity: Informational
Explanation: The administrator’s password for binding to the LDAP server for LDAP Sign In was set, cleared, or modified.
Variables:
- see Table 2-2.
- see Table 2-2.
- Authenticated user who set, cleared, or modified the administrator’s Distinguished Name. If an unauthenticated user set, cleared, or modified the administrator’s Distinguished Name, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to set, clear, or modify the administrator’s Distinguished Name.
Syslog severity: Informational
Explanation: The “Retrieve the user’s email address using this attribute” setting for LDAP Sign In was set, cleared, or modified.
Variables:
- see Table 2-2.
- see Table 2-2.
- New setting value.
- Old setting value.
- Authenticated user who set, cleared, or modified the “Retrieve the user’s email address using this attribute” setting.
- Authenticated user who set, cleared, or modified the “Retrieve the device user’s group using this attribute” setting. If an unauthenticated user set, cleared, or modified the “Retrieve the device user’s group using this attribute” setting, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to set, clear, or modify the “Retrieve the device user’s group using this attribute” setting.
Explanation: A search root for looking up the user’s name and email for LDAP Sign In was deleted.
Variables:
- see Table 2-2.
- see Table 2-2.
- Bind and search root that was deleted.
- Authenticated user who deleted the search root. If an unauthenticated user deleted the search root, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to delete the search root.
Explanation: The LDAP Sign In test was performed.
Variables:
- see Table 2-2.
- see Table 2-2.
- User name that was used to test user authentication.
- IP address or hostname of the LDAP server.
- If the option to use the LDAP administrator’s credentials to bind to the LDAP server was selected in the LDAP Sign In configuration, the value of this variable is the LDAP administrator’s Distinguished Name.
Explanation: Windows Sign In was disabled.
Variables:
- see Table 2-2.
- see Table 2-2.
- Authenticated user who disabled Windows Sign In. If an unauthenticated user disabled Windows Sign In, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to disable Windows Sign In.
- see Table 2-2.
- New default Windows domain.
- Old default Windows domain.
- Authenticated user who set a new default Windows domain. If an unauthenticated user set a new default Windows domain, the user key-value pair is not contained within the message.
- IP address of the client computer that sent the request to set a new default Windows domain.
Message: : Windows Sign In configuration modified; time="" item= name_retrieve_attribute value="" old_value="" user="" source_IP="" outcome=success
Interface(s): EWS, WS*
Syslog severity: Informational
Explanation: The “Retrieve the device user’s name using this attribute” setting for Windows Sign In was set, cleared, or modified.
Variables:
- see Table 2-2.
- see Table 2-2.
- New setting value. Possible values are:
• enable
• disable
- Old setting value. Possible values are:
• enable
• disable
- Authenticated user who enabled or disabled the “Use a secure connection (SSL)” setting. If an unauthenticated user enabled or disabled the “Use a secure connection (SSL)” setting, the user key-value pair is not contained within the message.
- Display name attribute of the device user account.
- IP address of the client computer that sent the request to add the device user account.
Message: : Device User Accounts imported; time="" source_IP="" outcome=success
Interface(s): EWS, WS*
Syslog severity: Informational
Explanation: One or more device user accounts were imported.
Variables:
- see Table 2-2.
- IP address of the client computer that sent the request to delete the device user account.
Message: : Device User Account modified; time="" user="" source_IP="" outcome=success
Interface(s): EWS
Syslog severity: Informational
Explanation: A device user account was modified.
Variables:
- see Table 2-2.
- see Table 2-2.
- New setting value. Possible values are:
• local_device
• ldap
• windows
• smartcard
Possible values also include the names of third-party authentication agents that have been installed on the device.
- Previous default sign-in method. Possible values are:
• local_device
• ldap
• windows
• smartcard
Possible values also include the names of third-party authentication agents that have been installed on the device.
- IP address of the client computer that sent the request to modify the default sign-in method for the EWS.
• local_device
• ldap
• windows
• smartcard
Possible values also include the names of third-party authentication agents that have been installed on the device.
- Old sign-in method. Possible values are:
• local_device
• ldap
• windows
• smartcard
Possible values also include the names of third-party authentication agents that have been installed on the device.
- Authenticated user who modified the sign-in method assigned to the EWS tab.
Message: : Permission Set copied; time="" permission_set="" copied_from_permission_set="" user="" source_IP="" outcome=success
Interface(s): EWS
Syslog severity: Informational
Explanation: A custom permission set was added by copying an existing permission set.
Variables:
- see Table 2-2.
- see Table 2-2.
- Custom permission set added.
• Device User
Possible values also include any custom permission sets that have been added.
- Permission. Possible permissions depend on the protected features supported by the device and any third-party solutions that have been installed on the device.
- New permission status. Possible permission statuses are:
• access_granted
• access_denied
- Old permission status.
- Authenticated user who enabled or disabled the “Allow users to choose alternate sign-in methods at the product control panel” setting. If an unauthenticated user enabled or disabled the “Allow users to choose alternate sign-in methods at the product control panel” setting, the user key-value pair is not contained within the message.
- Permission set specified in the network user to permission set relationship. Possible values are: • Device Administrator • Device User Possible values also include any custom permission sets that have been added. - Sign-in method specified in the user to permission set relationship. Possible values are: • local_device • windows • ldap • smartcard Possible values also include the names of third-party authentication agents that have been installed on the device.
Message: : User to Permission Set Relationship deleted; time="" network_user_name="" permission_set="" sign_in_method= user="" source_IP="" outcome=success
Interface(s): EWS, WS*
Syslog severity: Informational
Explanation: A network user to permission set relationship was deleted.
Variables: - see Table 2-2. - see Table 2-2.
- Authenticated user who deleted all user to permission set relationships. If an unauthenticated user deleted all user to permission set relationships, the user key-value pair is not contained within the message. - IP address of the client computer that sent the request to delete all network user to permission set relationships.
- Network group name specified in the network group to permission set relationship. - Permission set specified in the network group to permission set relationship. Possible values are: • Device Administrator • Device User Possible values also include any custom permission sets that have been added. - Sign-in method that was used to perform authentication.
- IP address of the client computer that sent the request to delete the network group to permission set relationship.
Message: : All Group to Permission Set Relationships deleted; time="" sign_in_method= user="" source_IP="" outcome=success
Interface(s): WS*
Syslog severity: Informational
Explanation: All group to permission set relationships for a specific remote sign-in method were deleted.
- see Table 2-2. - Authenticated user who deleted the device CA certificate. If an unauthenticated user deleted the device CA certificate, the user key-value pair is not contained within the message. - IP address of the client computer that sent the request to delete the device CA certificate.
- IP address of the client computer that sent the request to generate a device identity certificate signing request. Message: : Device Identity certificate from CSR installed; time="" source_IP="" outcome=success Interface(s): EWS, WS* Syslog severity: Informational Explanation: A device identity certificate generated from a certificate signing request was installed. Variables: - see Table 2-2.
- see Table 2-2. - Authenticated user who deleted the device identity certificate. If an unauthenticated user deleted the device identity certificate, the user key-value pair is not contained within the message. - IP address of the client computer that sent the request to delete the device identity certificate.
Explanation: An Online Certificate Status Protocol URL was added for Kerberos server certificate validation. Variables: - see Table 2-2. - see Table 2-2. - Authenticated user who added the Online Certificate Status Protocol URL. If an unauthenticated user added the Online Certificate Status Protocol URL, the user key-value pair is not contained within the message.
Explanation: HP Connection Inspector feature was enabled. Variables: - see Table 2-2. - see Table 2-2. - User who enabled the HP Connection Inspector. - IP address of the client computer from which the request to enable the HP Connection Inspector feature was received. - Networking interface on the local device that received the request to enable the HP Connection Inspector feature.
• Wired • AP • STA
Message: : HP Connection Inspector Protected Mode settings modified; time="" item=monitoring_window value= old_value= user="" source_IP="" outcome=success interface=
Interface(s): EWS
Syslog severity: Informational
Explanation: The monitoring window setting for the HP Connection Inspector feature was modified.
Variables: - see Table 2-2. - see Table 2-2.
Interface(s): EWS
Syslog severity: Informational
Explanation: The number of times in protected mode setting for the HP Connection Inspector feature was modified.
Variables: - see Table 2-2. - see Table 2-2. - New setting value. - Old setting value. - User who modified the number of times in protected mode setting.
- IP address of the client computer that sent the request to add the entry to the whitelist / exception list. - Networking interface on the local device that received the request to add the entry to the whitelist / exception list.
IPsec/Firewall
IPsec/Firewall policy
Message: : IPsec/Firewall enabled; time="" user="" source_IP="" outcome=success interface=
Interface(s): EWS
Syslog severity: Warning
Explanation: The IPsec/Firewall policy was enabled.
Variables: - see Table 2-2. - see Table 2-2. - User who enabled the IPsec/Firewall policy.
- IP address of the client computer that sent the request to disable the IPsec/Firewall policy. - Networking interface on the local device that received the request to disable the IPsec/Firewall policy.
- see Table 2-2. - Old index of the rule in the rules list. Possible values are: 1 - 10 - New index of the rule in the rules list. Possible values are: 1 - 10 - User who modified the index of the rule in the rules list. - IP address of the client computer that sent the request to modify the index of the rule. - Networking interface on the local device that received the request to modify the index of the rule.
• AP • STA
Message: : IPsec/Firewall rule disabled; time="" rule= user="" source_IP="" outcome=success interface=
Interface(s): EWS
Syslog severity: Warning
Explanation: An IPsec/Firewall rule was disabled.
Variables: - see Table 2-2. - see Table 2-2. - Index of rule in the rules list. Possible values are: 1 - 10 - User who disabled the IPsec/Firewall rule.
IPsec/Firewall address templates
Message: : IPsec/Firewall address policy added; time="" policy_name="" user="" source_IP="" outcome=success interface=
Interface(s): EWS
Syslog severity: Warning
Explanation: An IPsec/Firewall address template was added.
Variables: - see Table 2-2. - see Table 2-2. - Template name. - User who added the IPsec/Firewall address template.
- Template name. - User who deleted the IPsec/Firewall address template. - IP address of the client computer that sent the request to delete the IPsec/Firewall address template. - Networking interface on the local device that received the request to delete the IPsec/Firewall address template.
• AP • STA
Message: : IPsec/Firewall service policy deleted; time="" policy_name="" user="" source_IP="" outcome=success interface=
Interface(s): EWS
Syslog severity: Warning
Explanation: An IPsec/Firewall service template was deleted.
Variables: - see Table 2-2. - see Table 2-2. - Template name. - User who deleted the IPsec/Firewall address template.
- Networking interface on the local device that received the request to modify the IPsec/Firewall policy advanced option.
• AP • STA
Message: : IPsec policy Modified; time="" policy_name="" item=authentication_type value=IKEv2 old_value=Manual_Keys local_identity_authentication_option= local_identity_type="" item=remote_identity_authentication_option= remote_identity_type="" source_IP="" outcome=success interface=
Interface(s): EWS Sys
Syslog severity: Warning Explanation: An IKEv1 IPsec policy was modified and converted into a manual keys IPsec policy. Variables: - see Table 2-2. - see Table 2-2. - IPsec policy name. - User who modified the IPsec policy. - IP address of the client computer that sent the request to modify the IPsec policy. - Networking interface on the local device that received the request to modify the IPsec policy.
- Networking interface on the local device that received the request to delete the IPsec policy. Possible values are: • Wired • AP • STA
IPsec policy with IKEv1
Message: : IPsec policy added; time="" policy_name="" item=identity_authentication_option value= user="" source_IP="" outcome=success interface=
Interface(s): EWS
Syslog severity: Warning
Explanation: An IKEv1 IPsec policy was added.
• Certificates • Kerberos
- User who modified the IPsec policy. - IP address of the client computer that sent the request to modify the IPsec policy. - Networking interface on the local device that received the request to modify the IPsec policy.
• Certificates • Kerberos
- User who deleted the IPsec policy. - IP address of the client computer that sent the request to delete the IPsec policy. - Networking interface on the local device that received the request to delete the IPsec policy.
- Networking interface on the local device that received the request to add the IPsec policy.
- see Table 2-2. - IPsec policy name. - Authentication method the IPsec peer will use to authenticate the local device. Possible values are: • Pre-shared_key • Certificates - Identity type the IPsec peer will use to identify the local device. Possible values are: • Distinguished_Name • FQDN • E-mail • IP_Address • Key-ID - User who modified the IPsec policy.
Message: : IPsec policy modified; time="" policy_name="" item=local_identity_authentication_option value= old_value= local_identity_type="" user="" source_IP="" outcome=success interface=
Interface(s): EWS
Syslog severity: Warning
Explanation: The local identity authentication option in an IKEv2 IPsec policy was modified.
Variables: - see Table 2-2.
• Key-ID - Previous identity type the local device used to identify the IPsec peer. Possible values are: • Distinguished_Name • FQDN • E-mail • IP_Address • Key-ID - Authentication method the local device will use to authenticate the IPsec peer. Possible values are: • Certificates • Pre-Shared_Key - User who modified the IPsec policy.
• STA
Message: : IPsec policy modified; time="" policy_name="" item=Key remote_identity_authentication_option=Pre-Shared_Key remote_identity_type="" user="" source_IP="" outcome=success interface=
Interface(s): EWS
Syslog severity: Warning
Explanation: The pre-shared key contained in an IKEv2 IPsec policy was modified.
Variables: - see Table 2-2. - see Table 2-2.
• Distinguished_Name • FQDN • E-mail • IP_Address • Key-ID
- User who modified the IPsec policy. - IP address of the client computer that sent the request to modify the IPsec policy. - Networking interface on the local device that received the request to modify the IPsec policy.
- IP address of the client computer that sent the request to modify the IPsec policy. - Networking interface on the local device that received the request to modify the IPsec policy.
IPsec policy with IKEv1 using Kerberos
Message: : IPsec configuration change; time="" item=Kerberos_settings value=manual_configuration user = "" source_IP="" outcome=success interface=
Interface(s): EWS
Syslog severity: Warning
Explanation: The manual configuration for Kerberos was modified.
Variables: - see Table 2-2. - see Table 2-2. - User who modified the manual configuration.
- IP address of the client computer that sent the request to import the keytab file. - Networking interface on the local device that received the request to import the keytab file.
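An added example, not part of the HP reference: a minimal Python parser for the `<event>; key=value ...` message shape used by the entries in this chapter, which also tags events that arrive without the `user` pair. The `printer-01` prefix, timestamps, user names and addresses in the sample lines are constructed, and the tag names returned by `triage` are hypothetical.

```python
import re

# key=value pairs: value is double-quoted (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s"]*))')

def parse_event(line):
    """Parse '<prefix>: <event>; key=value ...' into a dict, or return None
    when the line has no key-value section (the basic-logging messages)."""
    # Some renderings of the reference use curly quotes; normalise them.
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    head, sep, tail = line.partition(";")
    if not sep:
        return None
    prefix, _, event = head.rpartition(": ")
    fields = {"prefix": prefix.strip(), "event": event.strip()}
    for key, quoted, bare in PAIR.findall(tail):
        fields[key] = quoted or bare
    return fields

def triage(fields):
    """Return review tags (hypothetical names) for one parsed event."""
    tags = []
    # Per the reference, the user pair is omitted when the request was
    # unauthenticated. Some events never carry it, so confirm per event type.
    if "user" not in fields:
        tags.append("user_absent")
    ev = fields["event"]
    if ev.startswith("IPsec/Firewall") and ev.endswith(("disabled", "deleted")):
        tags.append("protection_reduced")
    return tags

# Constructed sample lines: prefix, timestamps, names and addresses are made up.
SAMPLES = [
    'printer-01: IPsec/Firewall rule disabled; time="2018-01-01 10:00:00" rule=3 '
    'user="admin" source_IP="192.0.2.10" outcome=success interface=Wired',
    'printer-01: User to Permission Set Relationship deleted; '
    'time="2018-01-01 10:05:00" network_user_name="jdoe" '
    'permission_set="Device User" sign_in_method=ldap '
    'source_IP="192.0.2.44" outcome=success',
    'printer-01: offline or intervention needed',
]

def run_samples():
    """Parse and triage every sample; None marks a line without key-value pairs."""
    out = []
    for line in SAMPLES:
        f = parse_event(line)
        out.append(None if f is None else (f["event"], f.get("source_IP"), triage(f)))
    return out
```

Splitting on the first `;` keeps the colons inside a quoted `time` value from being mistaken for the prefix separator.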
3 Basic logging
Message: : IPv6 warning: Address Cache Overflow. Address: interface= Interface(s): N/A Syslog severity: Warning Explanation: Configuration of IPv6 address failed. Variables: - see Table 2-2. - Networking interface on the local device that was used to send the message to the syslog server.
- IP address of the WINS server. - Networking interface on the local device that was used to send the message to the syslog server. Possible values are: • Wired • AP • STA Message: : failed to register system name with secondary WINS server interface= Interface(s): N/A Syslog severity: Warning Explanation: Registration of the system name with the secondary WINS server failed.
Message: : Security: Snmpv1/v2 get community name is not set interface= Interface(s): EWS, SNMP Syslog severity: Informational Explanation: SNMPv1/v2c Get community name was cleared. Variables: - see Table 2-2. - Networking interface on the local device that was used to send the message to the syslog server.
Syslog severity: Informational Explanation: Jetdirect security configuration was modified. Variables: - see Table 2-2. - IP address of the client computer that sent the configuration request. - Networking interface on the local device that was used to send the message to the syslog server.
Interface(s): N/A
Syslog severity: Error
Explanation: Cover/door open.
Variables: - see Table 2-2.
Message: : offline or intervention needed
Interface(s): N/A
Syslog severity: Error
Explanation: Offline or intervention needed.
Variables: - see Table 2-2.
Message: : error cleared
Interface(s): N/A
Syslog severity: Informational
Explanation: Error cleared.
Variables: - see Table 2-2.
© Copyright 2018 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.