Security Related Events

The Table below lists the Type of Event, Description, and a link to the respective procedure to further explain the event.

Tellabs 1100 Series Optical LAN - Security Related Events 

Type Description
ADDROLE-FAILURE Indicates an admin user was unsuccessful in creating a new user role category.
ADDROLE-SUCCESS An admin user added a new user role. User roles are used to control what a user can or cannot do on the system.
ADDUSER-FAILURE Indicates that an attempt was made to create a user, but the create attempt failed. This could have been caused by:
  • Password doesn't meet policy - The password that was selected by the user does not conform to password rules and the user was not created. Recreate the user with a password that conforms to policy. Policy is determined by the settings found in Edit->NE User Administration->Local Account User Configuration and all the rules are found in the upper pane.
  • Duplicate username - A user attempted to create a new user with an existing username. Use a different username.
  • NE unable to communicate - User could not be synchronized between the EMS and NE and so user creation failed. Correct any network issues and retry the user creation.
ADDUSER-SUCCESS Records the time and date a CLI or EMS user is added to the user database.
CERTIFICATE-EXPIRING Signaled when the device has a certificate that is due to expire within the configured warning period. This event is sent weekly (or at the configured interval) within the warning period. The detailed event text includes the date, CN, and number of days. For example: "Certificate CN=xxxx expires in 10 days on 10/5/2011." Note: It is IMPORTANT that the certificate be updated prior to the expiration date given in the warning.
  • If the Expiration date passes on an EMS or ESU, the EMS and NE are unable to communicate and the system can only be managed via the ESU CLI.
  • If the Expiration date passes on an ONT, and TLS is configured on the voice lines of an ONT, then that ONT is unable to register with the switch or make calls.
CERTIFICATE-REVOKED Signaled when the device attempts to validate a certificate of a peer and the Online Certificate Status Protocol (OCSP) returns that the certificate has been revoked. OCSP is used to revoke valid unexpired certificates and deny access to the system. Note: The Additional Text field provides details of which certificate has been found to have been revoked.
CHGPWD-FAILURE Records the time and date a CLI or EMS user failed in attempting to change their password.
CHGPWD-SUCCESS Records the time and date that a CLI or EMS user changed their password. Note: The Additional Text field indicates: Change Password for User ID <admin>.
DEBUG-ACCESS Records the time and date a user activated access to the Tellabs debug menus. Users can be restricted from this function by unchecking the "Allow admin debug access" in the Edit Menu > NE User Administration > Local Craft User Configuration screen.
DELROLE-FAILURE Records the time and date a CLI or EMS user failed in changing their assigned role.
DELROLE-SUCCESS Indicates that an admin user has deleted a role from the EMS.
DELUSER-FAILURE Indicates that a user account has been deleted.
DELUSER-SUCCESS Indicates that a user account has been deleted.
DEVICE-CERTIFICATE-DOWNLOAD-FAILED Sent when the device cannot download a Certificate to the device. The current certificate is maintained. The detailed text on the alarm includes the certificate type and name. For example: "CA Certificate download xxx.pem failed" or "Device Certificate download xxx.p12 failed."
DEVICE-CERTIFICATE-INSTALLED Sent when a device successfully installs a new certificate. Note: This event is to ensure that all changes in certificates are logged in the security log. This event does not imply any issue within the system and is provided as a part of security logging.
DISABLEUSER-FAILURE Records the time and date an attempt to disable a CLI or EMS user failed.
DISABLEUSER-SUCCESS Indicates that a user account was disabled by an administrative user.
DISPLAY-SECURITY-LOG Records the time and date the security log was displayed.
DOWNLOADED-CERTIFICATE-INVALID Sent when a device attempts to download a certificate and finds that the certificate is invalid. The existing certificate is left in place when the downloaded certificate is determined to be invalid and the invalid certificate is discarded. Service to the unit should not be affected. This event could be due to one of the following causes:
  • Certificate not covered by Trust Anchors: On download the ONT attempts to validate the certificate to ensure it is a valid certificate. If the trust anchors that have been downloaded onto the ONT do not include the issuer of the device certificate then validation fails and the certificate is discarded. Check the trust anchors in the trust anchors tgz file on the EMS to ensure they include the issuer of the ONT or ESU's device certificate. Typically this is caught by the EMS prior to download.
  • Time / Date is wrong: The system uses NTP to ensure accurate time / date. If the date is not valid, it is possible that validation of the certificate fails. The system time and date can be verified in two ways. One is to log into the ESU via SSH; just after login, the system displays the current time/date. The other is the command "ne clock show", which displays the current date / time at the ESU CLI.
  • Certificate has already expired: If a certificate that is already expired is sent to the ESU or ONT, it is detected and discarded and the Certificate Invalid event is emitted.
  • Certificate Format Incorrect: If the certificate has been corrupted or is not in the correct format, downloading it generates the Downloaded Certificate Invalid alarm. This should be rare as the EMS validates the certificate prior to download and typically warns the user prior to download.
ENABLEUSER-FAILED Indicates the failure to enable the user.
ENABLEUSER-SUCCESS Indicates that a user account has been enabled. When disabled, an account cannot be used. The user that enabled the account is shown in the userID field.
LOGIN-FAILURE Records the time and date a user failed to log into the system due to invalid credentials. The username used in the attempted login is shown in the log. Note: The Additional Text field gives the reason for the login failure such as invalid password, expired user, etc.
LOGIN-SUCCESS Records the time and date a user successfully logged into the system. The username used to log in is shown in the log.
LOGINFAILURE-EXCESSIVE-ATTEMPTS Indicates that a user has failed to successfully log in to the EMS and the retry limit has been reached.
LOGINFAILURE-NOTFOUND Indicates that a user has attempted to log into the system and the user name was not found in the username database.
LOGINFAILURE-PORT-LOCKED The user has provided incorrect username or password beyond the set login failure limit and has been temporarily locked out of the system. The most probable cause of this event is:
  • Invalid Login Attempt - A user has used an incorrect username or password too many times and has been temporarily locked out of the system. The system lockout time is configurable. The incident should be investigated to ensure someone is not attempting to gain improper access to the system. The username will be included in the event. The user account can be disabled at the EMS GUI or NE CLI to prevent further accesses by this user.
LOGOUT Records the time and date a user actively logged out of the system.
MODROLE-FAILURE Records the time and date a CLI or EMS user failed when attempting to modify their assigned role.
MODROLE-SUCCESS Indicates that an admin user has successfully modified attributes of one of the roles.
MODUSER-FAILURE Records the time and date a CLI or EMS user failed attempting to modify their database entry.
MODUSER-SUCCESS Indicates that an admin user has successfully modified a user's attributes.
PEER-CERT-FAIL-VALIDATION Indicates that the peer's certificate has been found to be invalid. This can only happen if encryption is being used and it is secured by non-stock certificates. The ESU to EMS interface is always encrypted, but by default stock certificates are used (which always validate). If non-stock certificates are used, the possibility exists that the certificate is bad, revoked or expired. Two interfaces use certificates. One is the EMS to NE management interface. The other is ONTs when secure voice is being used with TLS selected in an Equipment Profile. Note: If the peer certificate is invalid, voice calls cannot be initiated. EMS / NE management is not possible if the far end certificate is found to be invalid. The probable causes of this event include:
  • Invalid Dates on Peer Certificate: Each certificate has validity dates which describe the time interval when the certificate is valid. The current time must fall within the ValidTo and ValidFrom dates on the peer certificate for it to be accepted. Check the softswitch or EMS/ESU certificates to ensure they have not expired.
  • NTP incorrect or down: Validation of certificates relies on an accurate date and time on the NE. The date and time are obtained from the NTP server configured in the NE > General Tab, in the NTP Server Group. The date and time on the NE can be obtained at the ESU craft by using z to go to the CLI prompt, then issuing the command ne clock show. The NTP configuration can be seen at the ESU CLI prompt via the command ne Network-time-protocol show.
  • Trust Anchor/CA Certificate not on ONT/ESU/EMS: To validate a peer's certificate you must have the trust anchor associated with that certificate so that you can validate that the Certificate Authority listed in the Issuer field of the certificate actually generated the certificate. If the ONT, ESU or EMS does not have the trust anchor (also known as a CA certificate) then it will fail to validate the certificate and communications will not be possible.
  • Peer Certificate is Invalid: It is possible that the peer being communicated with does have an invalid certificate and may possibly be a bad actor. The event gives the IP address of the peer and the Certificate Name (found in the SubjectName field) so that the peer can be traced back to the source. You can see the certificate details by clicking on the event in the EMS Events View.
  • CertificateName does not resolve to correct IP: One of the checks on a certificate is that the CN (Certificate Name) is the hostname or IP address of the owner of the certificate. If the IP address the SSL socket is coming from does not match the hostname (after resolution by DNS to an IP) or the IP address in the certificate, then certificate validation will fail. Typically, this indicates a server is being spoofed and has a valid certificate but not the correct IP address/hostname that is associated with that certificate. It may also be due to an incorrect DNS entry causing the hostname/IP address to not be properly matched. You can see the certificate details by clicking on the event in the EMS Events View.
REMOTE-ACCESS Records the time and date that a CLI user logs into a remote board within the system. For example, logging into an ONT from the ESU can generate this event.
RESETPWD-FAILURE Records the time and date that an EMS Admin user failed to reset a password.
RESETPWD-SUCCESS Records the date and time that an EMS or CLI Admin user reset a user password. The user is forced to change their password on the next use.
SECURITY-MGR-CHG Records the date and time a CLI or EMS system admin modifies the attributes applied to a system admin. This often occurs as a result of a user with admin privileges changing their password. This also occurs when an admin logs in, because the time of last login is updated.
SECURITY-USER-CHG Records the date and time a CLI or EMS user modifies the properties of a selected OLT.
SERVER-STARTUP Informs the user that the EMS server has been restarted and allows the event to be logged for troubleshooting purposes.
SETSECSETTINGS-FAILURE Records the date and time a failed attempt to change the security settings.
SETSECSETTINGS-SUCCESS Records the date and time a successful attempt to change the security settings.
TIMEOUT-LOCKED Records the date and time a user session console is locked. The user is given 10 minutes to log back in. If the user does not log back in within 10 minutes, the session is ended, the user is logged out, and a TIMEOUT_LOGOUT event is generated.
TIMEOUT-LOGOUT Records the date and time a user was logged out due to inactivity after being locked out due to inactivity.
TIMEOUT-UNLOCK-FAILURE Records the date and time a user, who has been locked out due to inactivity, attempts to log back into the system and has attempted to enter the password three times without success.
TIMEOUT-UNLOCK-SUCCESS Records the date and time a user, who has been locked out due to inactivity, logs back into the system.
TL1-LOGIN-FAILURE Records the date and time a TL1 user has attempted to log into the system and has failed due to improper credentials.
TL1-LOGIN-SUCCESS Records the date and time that a TL1 user successfully gained access to the system.
TL1-LOGOUT Records the date and time a user did not keep the session active by re-attempting to login before the timeout and the user was logged out of the TL1 interface.
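
One way to triage these events in a log pipeline, as an added example that is not Tellabs code: it flags the lockout, debug-access and certificate events described above, plus a run of failed logins followed by a success for the same user. The pipe-separated record layout, the thresholds, the choice of always-flagged types and the sample records are assumptions constructed for illustration; only the event type names come from the table.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the pipe-separated layout is an assumption,
# not the EMS export format. Only the event type names come from the table.
SAMPLE = """\
2024-03-01T09:00:05|LOGIN-FAILURE|jsmith|invalid password
2024-03-01T09:00:11|LOGIN-FAILURE|jsmith|invalid password
2024-03-01T09:00:19|LOGIN-FAILURE|jsmith|invalid password
2024-03-01T09:00:30|LOGIN-SUCCESS|jsmith|
2024-03-01T09:02:00|DEBUG-ACCESS|jsmith|
2024-03-01T10:15:00|LOGIN-FAILURE|operator1|invalid password
2024-03-01T10:15:40|LOGINFAILURE-PORT-LOCKED|operator1|
2024-03-01T11:00:00|LOGIN-SUCCESS|admin|
2024-03-01T11:05:00|DISPLAY-SECURITY-LOG|admin|
"""

# Types always surfaced to an analyst (a policy choice of this example).
ALWAYS_REVIEW = {"LOGINFAILURE-PORT-LOCKED", "LOGINFAILURE-EXCESSIVE-ATTEMPTS",
                 "DEBUG-ACCESS", "CERTIFICATE-REVOKED", "PEER-CERT-FAIL-VALIDATION"}
FAILURES = {"LOGIN-FAILURE", "TL1-LOGIN-FAILURE"}
SUCCESSES = {"LOGIN-SUCCESS", "TL1-LOGIN-SUCCESS"}

def parse(line):
    ts, etype, user, text = line.split("|", 3)
    return datetime.fromisoformat(ts), etype, user, text

def triage(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (timestamp, user, finding) tuples in log order."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of failed logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, etype, user, _ = parse(line)
        if etype in ALWAYS_REVIEW:
            findings.append((ts, user, etype))
        elif etype in FAILURES:
            recent_failures[user].append(ts)
        elif etype in SUCCESSES:
            # Count only failures inside the window that ends at this success.
            burst = [t for t in recent_failures.pop(user, []) if ts - t <= window]
            if len(burst) >= threshold:
                findings.append((ts, user, f"SUCCESS-AFTER-{len(burst)}-FAILURES"))
    return findings

if __name__ == "__main__":
    for ts, user, finding in triage(SAMPLE):
        print(ts.isoformat(), user, finding)
```
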