This topic presents event log message descriptions for:
* M580 CPUs with firmware earlier than version 4.0 (abbreviated “CPU” in column Devices)
* BMENUA0100 OPC UA communication modules (abbreviated “NUA” in column Devices)
* BMENOR2200H remote terminal unit (abbreviated “eNOR” in column Devices)

Event Description | Event additional Description | Facility | Severity | MSGID | MSG:peerAddr | MSG:type | MSG:appMsg | Devices |
---|---|---|---|---|---|---|---|---|
Successful connection to or from a tool or a device: * Successful login * Successful TCP connection | Successful login (Data Storage via FTP, FDR Server via FTP, Firmware upload via FTP) | 10 | 6 | FTP | remote ip address | Li1: Successful connection (MNT_ENG_MSG_TYP_CNCTN_SUCCESS) | "Successful login" | CPU |
Successful connection to or from a tool or a device: * Successful login * Successful TCP connection | Successful login (Web Server via HTTPS) | 10 | 6 | HTTPS | "(null)" | Li1: Successful connection (MNT_ENG_MSG_TYP_CNCTN_SUCCESS) | "Successful login" | NUA |
Successful connection to or from a tool or a device: * Successful login * Successful TCP connection | Successful login (firmware upgrade via HTTPS) | 10 | 6 | HTTPS | "(null)" | Li1: Successful connection (MNT_ENG_MSG_TYP_CNCTN_SUCCESS) | "Successful login" | NUA |
Successful connection to or from a tool or a device: * Successful login * Successful TCP connection | Successful login (OPC-UA) | 10 | 6 | OPC-UA | "(null)" | Li1: Successful connection (MNT_ENG_MSG_TYP_CNCTN_SUCCESS) | "Successful login" | NUA |
Successful connection to or from a tool or a device: * Successful login * Successful TCP connection | Successful login (Unity Application password via Modbus-Umas) | 10 | 6 | DEVICE_MANAGER | "(null)" | Li1: Successful connection (MNT_ENG_MSG_TYP_CNCTN_SUCCESS) | "Successful login" | CPU |
Successful connection to or from a tool or a device: * Successful login * Successful TCP connection | Successful login (Web Server via HTTP) | 10 | 6 | HTTP | "(null)" | Li1: Successful connection (MNT_ENG_MSG_TYP_CNCTN_SUCCESS) | "Successful login" OR "Successful connection" (if no User Login M580 Web pages) | CPU |
Successful connection to or from a tool or a device: * Successful login * Successful TCP connection | Successful TCP connection (no user) | 10 | 6 | MODBUS | remote ip address | Li1: Successful connection (MNT_ENG_MSG_TYP_CNCTN_SUCCESS) | "Successful connection" | CPU |
Successful connection to or from a tool or a device: * Successful login * Successful TCP connection | Successful TCP connection (no user) | 10 | 6 | EIP | "(null)" | Li1: Successful connection (MNT_ENG_MSG_TYP_CNCTN_SUCCESS) | "Successful connection" | CPU |
Successful connection to or from a tool or a device: * Successful login * Successful TCP connection | Successful connection on DNP3 communication protocol (about DNP3 master and outstation) | 10 | 6 | DNP3 | remote ip address | Li1: Successful connection (MNT_ENG_MSG_TYP_CNCTN_SUCCESS) | "Successful connection" | eNOR |
Successful connection to or from a tool or a device: * Successful login * Successful TCP connection | Successful connection on IEC60870 communication protocol (about IEC60870 client and server) | 10 | 6 | IEC60870 | remote ip address | Li1: Successful connection (MNT_ENG_MSG_TYP_CNCTN_SUCCESS) | "Successful connection" | eNOR |
Connection problem to or from a tool or a device: * TCP connection problem due to ACL check (source IP address/TCP port filtering) * Login problem | Login problem (Data Storage via FTP, FDR Server via FTP, Firmware upload via FTP) | 10 | 4 | FTP | remote ip address | Li2: Unsuccessful connection (wrong credential) (MNT_ENG_MSG_TYP_CNCTN_FAILURE) | "Failed login" | CPU |
Connection problem to or from a tool or a device: * TCP connection problem due to ACL check (source IP address/TCP port filtering) * Login problem | Login problem (Web Server via HTTPS) | 10 | 4 | HTTPS | "(null)" | Li2: Unsuccessful connection (wrong credential) (MNT_ENG_MSG_TYP_CNCTN_FAILURE) | "Failed login" | NUA |
Connection problem to or from a tool or a device: * TCP connection problem due to ACL check (source IP address/TCP port filtering) * Login problem | Login problem (firmware upgrade via HTTPS) | 10 | 4 | HTTPS | "(null)" | Li2: Unsuccessful connection (wrong credential) (MNT_ENG_MSG_TYP_CNCTN_FAILURE) | "Failed login" | NUA |
Connection problem to or from a tool or a device: * TCP connection problem due to ACL check (source IP address/TCP port filtering) * Login problem | Login problem (OPC-UA) | 10 | 4 | OPC-UA | "(null)" | Li2: Unsuccessful connection (wrong credential) (MNT_ENG_MSG_TYP_CNCTN_FAILURE) | "Failed login" | NUA |
Connection problem to or from a tool or a device: * TCP connection problem due to ACL check (source IP address/TCP port filtering) * Login problem | Login problem (Web Server via HTTP) | 10 | 4 | HTTP | remote ip address | Li2: Unsuccessful connection (wrong credential) (MNT_ENG_MSG_TYP_CNCTN_FAILURE) | "Failed login" OR "Failed connection" (if no User Login) | CPU |
Connection problem to or from a tool or a device: * TCP connection problem due to ACL check (source IP address/TCP port filtering) * Login problem | Login problem (Unity Application password via Modbus-Umas) | 10 | 4 | DEVICE_MANAGER | remote ip address | Li2: Unsuccessful connection (wrong credential) (MNT_ENG_MSG_TYP_CNCTN_FAILURE) | "Failed login" | CPU |
Connection problem to or from a tool or a device: * TCP connection problem due to ACL check (source IP address/TCP port filtering) * Login problem | TCP connection problem (no user) | 10 | 4 | MODBUS | remote ip address | Li2: Unsuccessful connection (wrong credential) (MNT_ENG_MSG_TYP_CNCTN_FAILURE) | "Failed connection" | CPU |
Connection problem to or from a tool or a device: * TCP connection problem due to ACL check (source IP address/TCP port filtering) * Login problem | TCP connection problem (no user) | 10 | 4 | EIP | remote ip address | Li2: Unsuccessful connection (wrong credential) (MNT_ENG_MSG_TYP_CNCTN_FAILURE) | "Failed connection" | CPU |
Connection problem to or from a tool or a device: * TCP connection problem due to ACL check (source IP address/TCP port filtering) * Login problem | Connection problem on DNP3 communication protocol (about DNP3 master and outstation) | 10 | 4 | DNP3 | remote ip address | Li2: Unsuccessful connection (wrong credential) (MNT_ENG_MSG_TYP_CNCTN_FAILURE) | "Failed connection" | eNOR |
Connection problem to or from a tool or a device: * TCP connection problem due to ACL check (source IP address/TCP port filtering) * Login problem | Connection problem on IEC60870 communication protocol (about IEC60870 client and server) | 10 | 4 | IEC60870 | remote ip address | Li2: Unsuccessful connection (wrong credential) (MNT_ENG_MSG_TYP_CNCTN_FAILURE) | "Failed connection" | eNOR |
Disconnection triggered by local or peer: * TCP disconnection * On demand logout | disconnection triggered by either the peer/user/local | 10 | 6 | FTP | "(null)" | Li5: disconnection triggered by the peer/user (MNT_ENG_MSG_TYP_DISCONNECTION) | "Disconnection" | — |
Disconnection triggered by local or peer: * TCP disconnection * On demand logout | disconnection triggered by either the peer/user/local | 10 | 6 | HTTPS | "(null)" | Li5: disconnection triggered by the peer/user (MNT_ENG_MSG_TYP_DISCONNECTION) | "Disconnection" | NUA |
Disconnection triggered by local or peer: * TCP disconnection * On demand logout | disconnection triggered by either the peer/user/local | 10 | 6 | OPC-UA | "(null)" | Li5: disconnection triggered by the peer/user (MNT_ENG_MSG_TYP_DISCONNECTION) | "Disconnection" | NUA |
Disconnection triggered by local or peer: * TCP disconnection * On demand logout | disconnection triggered by either the peer/user/local | 10 | 6 | MODBUS | remote ip address | Li5: disconnection triggered by the peer/user (MNT_ENG_MSG_TYP_DISCONNECTION) | "Disconnection" | CPU |
Disconnection triggered by local or peer: * TCP disconnection * On demand logout | — | 10 | 6 | DNP3 | "(null)" or remote ip address | Li5: disconnection triggered by the peer/user (MNT_ENG_MSG_TYP_DISCONNECTION) | "Disconnection" | eNOR |
Disconnection triggered by local or peer: * TCP disconnection * On demand logout | — | 10 | 6 | IEC60870 | "(null)" or remote ip address | Li5: disconnection triggered by the peer/user (MNT_ENG_MSG_TYP_DISCONNECTION) | "Disconnection" | eNOR |
Automatic logout (inactivity timeOut) HTTPS OPC-UA | Disconnection triggered by a timeout | 10 | 6 | HTTPS | "(null)" | Li6: Disconnection triggered by a timeout (MNT_ENG_MSG_TYP_DSCNCT_TIMEOUT) | "Auto logout" | NUA |
Automatic logout (inactivity timeOut) HTTPS OPC-UA | Disconnection triggered by a timeout | 10 | 6 | OPC-UA | "(null)" | Li6: Disconnection triggered by a timeout (MNT_ENG_MSG_TYP_DSCNCT_TIMEOUT) | "Auto logout" | NUA |
Major Changes in the system: Parameters run time change outside configuration | Major change of cycle time or watch dog PLC application parameters change (cycle time, watch dog) | 13 | 5 | DEVICE_MANAGER | "(null)" | Li87: System parameter update (MNT_ENG_MSG_TYP_PARAMETER_UPDATE) | "XXXX parameter update" (with XXXX that identifies the parameter) XXXX = "Cycle time" Example: Cycle time parameter update | CPU |
Major Changes in the system: * Application or Configuration download from the device * Export (recording) cybersecurity configuration files from the device | Download of a configuration file from the device | 13 | 6 | MODBUS | "(null)" | Li8: Download of a configuration file from the device (MNT_ENG_MSG_TYP_CONF_DL) | "Application download" or "Configuration download" | CPU |
Major Changes in the system: * Application or Configuration download from the device * Export (recording) cybersecurity configuration files from the device | Download of a configuration file from the device | 13 | 6 | HTTPS | "(null)" | Li8: Download of a configuration file from the device (MNT_ENG_MSG_TYP_CONF_DL) | "Cybersecurity configuration backup" | NUA |
Major Changes in the system | Upload of Application/Configuration or Configuration only into the device (including CCOTF) Import (restore) cybersecurity configuration file into the device | 13 | 6 | MODBUS | "(null)" | Li9: Upload of a configuration file into the device (MNT_ENG_MSG_TYP_CONF_UL) | "Application upload" or "Configuration upload" | CPU NUA |
Major Changes in the system | Upload of Application/Configuration or Configuration only into the device (including CCOTF) Import (restore) cybersecurity configuration file into the device | 13 | 6 | HTTPS | "(null)" | Li9: Upload of a configuration file into the device (MNT_ENG_MSG_TYP_CONF_UL) | "Cybersecurity configuration restore" | NUA |
Major Changes in the system | Upload of Web pages into the device | 13 | 6 | FTP | "(null)" | Li10: Upload of a new firmware in the device (MNT_ENG_MSG_TYP_FIRMWARE_UPDATE) | "Web pages upload" | CPU |
Major Changes in the system | Upload of new safety copro | 13 | 6 | FTP | "(null)" | Li10: Upload of a new firmware in the device (MNT_ENG_MSG_TYP_FIRMWARE_UPDATE) | "Safety copro firmware upload" | CPU |
Major Changes in the system | Upload of a new firmware in the device | 13 | 6 | FTP | "(null)" | Li10: Upload of a new firmware in the device (MNT_ENG_MSG_TYP_FIRMWARE_UPDATE) | "Firmware upload" | CPU |
Major Changes in the system | Upload of a new firmware in the device | 13 | 6 | HTTPS | "(null)" | Li10: Upload of a new firmware in the device (MNT_ENG_MSG_TYP_FIRMWARE_UPDATE) | "Firmware upload" | NUA |
Major Changes in the system | Modification of the time of the device | 13 | 6 | DEVICE_MANAGER | "(null)" | LI15: Modification of the time of the IED | "Time major update" | NUA |
Communication parameters run time Successful change outside configuration | Enable/disable of communication services | 10 | 4 | DEVICE_MANAGER | "(null)" | Li18: Any port, either physical (Serial, USB) or logical (telnet, FTP) activation/deactivation (MNT_ENG_MSG_TYP_PORT_MANAGEMENT) | "Major communication parameter update: XXXX YYYY" XXXX = "EIP" or "DHCP" or "FTP" or "MODBUS" or "SNMP" or "HTTP" or "SECURITY" or "NTP" or "IPSEC" or "DEVICE_MANAGER" For NUA only: XXXX = "Control Expert Data Flows to CPU only" or "Control Expert Data Flows to Device Network" or "CPU to CPU Data Flows" For NOR only: XXXX = "DNP3 over TLS channel["channel name"]" or "IEC60870 over TLS" YYYY = "enable" or "disable" Example: "Major communication parameter update: FTP enable" | CPU NUA eNOR |
network physical port change: port link up/down | Any network physical port status change. Can be the simple status of an Ethernet port, or information gathered from RSTP / HSR / PRP algorithm for redundant systems | 10 | 4 | DEVICE_MANAGER | "(null)" | LI19: Any network physical port status change. Can be the simple status of an Ethernet port, or information gathered from RSTP / HSR / PRP algorithm for redundant systems (MNT_ENG_MSG_TYP_NETWK_PORT_CHG) | "Major network physical port status change: XXXX link YYYY" XXXX = "ETH" followed by decimal number for the port or "FRONT port" YYYY = "link up" or "link down" Example: "Major network physical port status change: ETH1 link up" | CPU NUA |
Any topology change detected: | Any topology change detected from RSTP / HSR / PRP | 10 | 4 | RSTP | "(null)" | LI20: Any topology change detected from RSTP / HSR / PRP algorithms for redundant systems (MNT_ENG_MSG_TYP_NTWK_TPLGY_CHG) | "Topology change detected" or "Topology change detected: XXXX YYYY" XXXX = "ETH" followed by decimal number for the port or "FRONT port" YYYY = "enable", "disable", "learning", "forward", "blocking" | CPU NUA |
Integrity check error: * Digital Signature error, * Integrity only (hash mac) | Firmware integrity error | 10 | 6 | DEVICE_MANAGER | "(null)" | LI84: Data Integrity Error MNT_ENG_MSG_DATA_INTEGRITY_ERROR | "Firmware integrity error" | CPU NUA |
Integrity check error: * Digital Signature error, * Integrity only (hash mac) | Data integrity error: CS Conf, cert, whitelist, or RBAC | 10 | 6 | DEVICE_MANAGER | "(null)" | LI84: Data Integrity Error MNT_ENG_MSG_DATA_INTEGRITY_ERROR | "Data integrity error" | NUA |
Major Changes in the system: Reboot | Reboot after firmware upload | 13 | 4 | DEVICE_MANAGER | "(null)" | LI14: MNT_ENG_MSG_TYP_REBOOT_ORDER | "Restart" | CPU NUA |
Major Changes in the system | PLC Operating Mode change (Run, Stop, Init, halt) Maintenance Mode Safety Operating Modes change (SafeRun, Stop Safe task) | 13 | 5 | DEVICE_MANAGER | "(null)" | LI85: Operating mode change MNT_ENG_MSG_OPERATING_MODE_CHANGE | "XXXX state update: YYYY" (with XXXX that identifies the object whose state changes and YYYY that identifies the new state) XXXX = "PLC" or "PLC safe task" or "Device" YYYY = "INIT" or "STOP" or "RUN" or "HALT" or "Maintenance mode" or "Safe mode" EXAMPLES: "PLC state update: RUN" "PLC state update: Maintenance mode" | CPU |
Major Changes in the system: Hardware change | operation on SDCard for module that have | 13 | 6 | DEVICE_MANAGER | "(null)" | LI26: Hardware change MNT_ENG_MSG_HARDWARE_CHANGE | "Hardware update: XXXX" (with XXXX that describes the update) XXXX = "SD card insertion" or "SD card extraction" | CPU |
Major Changes in the system: Hardware change | Rotary Wheel position change: Reset, Advanced | 13 | 6 | DEVICE_MANAGER | "(null)" | LI26: Hardware change MNT_ENG_MSG_HARDWARE_CHANGE | "Hardware update: XXXX" (with XXXX that describes the update) XXXX = "back to factory mode" or "secure mode" | NUA |
Major change in Cybersecurity RBAC (done through Cybersecurity configuration web pages). | Create user account Delete user account Update user account | | | HTTPS | "(null)" | Li11: MNT_ENG_MSG_TYP_RBAC_UPDATE | "Update RBAC" | NUA |
Major change in Cybersecurity Policy (done through Cybersecurity configuration web pages). | Network services Event log Security policy Security banner | 10 | 4 | HTTPS | "(null)" | Li12:MNT_ENG_MSG_TYP_SECURITY_UPDATE_UPDATE | "Major Cyber Security parameter update: network services" "Major Cyber Security parameter update: event log" "Major Cyber Security parameter update: security policy" "Major Cyber Security parameter update: security banner" | NUA |
Major change in Cybersecurity device specific parameters (done through Cybersecurity configuration web pages). | Enable/Disable & configure IPSEC Enable/Disable & configure OPC-UA Enable/Disable & configure DNP3 | 10 | 4 | HTTPS | "(null)" | Li13: MNT_ENG_MSG_TYP_DSS_UPDATE | "Major Cyber Security parameter update: IPSEC" "Major Cyber Security parameter update: OPC-UA" | NUA |
Authorization problem | An action on a resource from a user or machine is not authorized | 10 | 4 | HTTPS | "(null)" | Li21: MNT_ENG_MSG_TYP_AUTH_REQ | "Failed authorization" | — |
Certificate Management | Add/remove Client certificate | 10 | 4 | HTTPS | "(null)" | Li89: Certificate Management (MNT_ENG_MSG_TYP_CERT_MGT) | "Add client certificate" "Remove client certificate" | NUA |
Certificate Management: * Certificate expired | server certificate expiration detection on restart | 10 | 3 | DEVICE_MANAGER | "(null)" | Li29: Certificate Management (MNT_ENG_MSG_TYP_CERT_EXPIRE) | "Certificate expired" | NUA |
Specific for eNOR project: | | | | | | | | |
Authentication problem | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li100:MNT_ENG_MSG_TYPE_AUTHENTICATION_FAILUE | "channel["channel name"] authentication failed" | eNOR |
unexpected response | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li101:MNT_ENG_MSG_TYPE_UNEXPECTED_RESPONSE | "channel["channel name"] unexpected response" | eNOR |
No response | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li102:MNT_ENG_MSG_TYPE_NO_RESPONSE | "channel["channel name"] no response" | eNOR |
Aggressive mode not supported | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li103:MNT_ENG_MSG_TYPE_AGGRESSIVE_MODE_NOT_SUPPORTED | "channel["channel name"] aggressive mode not supported" | eNOR |
MAC algorithm not supported | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li104:MNT_ENG_MSG_TYPE_MAC_ALGORITHM_NOT_SUPPORTED | "channel["channel name"] MAC algorithm not supported" | eNOR |
Key wrap algorithm not supported | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li105:MNT_ENG_MSG_TYPE_KEYWRAP_ALGORITHM_NOT_SUPPORTED | "channel["channel name"] key wrap algorithm not supported" | eNOR |
Authorization problem | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li86:MNT_ENG_MSG_TYP_AUTHORIZATION_FAILURE | "channel["channel name"] authorization failed" | eNOR |
Update key change method not permitted | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li106:MNT_ENG_MSG_TYPE_UPDATE_KEY_CHANGE_METHOD_NOT_PERMITTED | "channel["channel name"] update key change method not permitted" | eNOR |
Invalid signature | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li107:MNT_ENG_MSG_TYPE_INVALID_SIGNATURE | "channel["channel name"] invalid signature" | eNOR |
Invalid certification data | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li108:MNT_ENG_MSG_TYPE_INVALID_CERTIFICATION_DATA | "channel["channel name"] invalid certification data" | eNOR |
Unknown User | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li109:MNT_ENG_MSG_TYPE_UNKNOWN_USER | "channel["channel name"] unknown user" | eNOR |
Max session key status request exceed | — | 10 | 4 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li110:MNT_ENG_MSG_TYPE_MAX_SESSION_KEY_STATUS_REQ_EXCEED | "channel["channel name"] max session key status request exceed" | eNOR |
Session key change success | — | 10 | 6 | "DNP3_Master" or "DNP3_Outstation" | remote ip address | Li111:MNT_ENG_MSG_TYPE_SESSION_KEY_CHANGE_SUCCESS | "channel["channel name"] session key change success" | eNOR |

HOSTNAME = Local IP address or null.
APPNAME = Commercial reference name, for example, BMEP584040.
PROCID is not used.
MSG:IssuerAdress = Local IP Address.
MSG:Peer is not used.
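
The following triage example is added here and is not Schneider Electric code: it decodes the syslog PRI value into the table's Facility and Severity columns and flags the appMsg strings listed above. It assumes RFC 5424 framing (suggested by the HOSTNAME, APPNAME, PROCID and MSGID fields) and a `key="value"` layout inside MSG, which the page does not specify; `parse`, `triage` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
HEADER = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) (.*)")

# appMsg values from the table that normally warrant analyst review.
ALERT_APPMSG = ("Failed login", "Failed connection", "Failed authorization",
                "Firmware integrity error", "Data integrity error",
                "Firmware upload", "Update RBAC", "Certificate expired")

def parse(line):
    """Map one syslog line onto the table's columns; None if malformed."""
    m = HEADER.match(line)
    if not m:
        return None
    pri, ts, host, app, _procid, msgid, _sd, msg = m.groups()
    # ASSUMPTION: MSG holds key="value" pairs; the page only names the fields.
    fields = dict(re.findall(r'(\w+)="([^"]*)"', msg))
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7,  # PRI = fac*8+sev
            "timestamp": ts, "hostname": host, "appname": app, "msgid": msgid,
            "peerAddr": fields.get("peerAddr", "(null)"),
            "appMsg": fields.get("appMsg", "")}

def triage(lines, threshold=3):
    """Return (alert events, {(MSGID, peerAddr): failure count >= threshold})."""
    alerts, failures = [], Counter()
    for ev in filter(None, map(parse, lines)):
        if ev["appMsg"].startswith(ALERT_APPMSG):
            alerts.append(ev)
        if ev["appMsg"] in ("Failed login", "Failed connection"):
            # Keyed by MSGID too: NUA HTTPS/OPC-UA failures log peerAddr "(null)",
            # so they can only be counted per service, not per source.
            failures[(ev["msgid"], ev["peerAddr"])] += 1
    return alerts, {k: n for k, n in failures.items() if n >= threshold}

def _line(pri, msgid, peer, app_msg):
    """Build a constructed sample line (documentation addresses, fixed time)."""
    return (f"<{pri}>1 2024-01-01T10:00:00Z 192.0.2.10 BMEP584040 - {msgid} - "
            f'peerAddr="{peer}" appMsg="{app_msg}"')

# Constructed input: 3 FTP failures, a success, a firmware upload, a PLC stop.
SAMPLE = [_line(84, "FTP", "198.51.100.7", "Failed login")] * 3 + [
    _line(86, "FTP", "198.51.100.7", "Successful login"),
    _line(110, "FTP", "(null)", "Firmware upload"),
    _line(109, "DEVICE_MANAGER", "(null)", "PLC state update: STOP"),
]

if __name__ == "__main__":
    alerts, noisy = triage(SAMPLE)
    print(len(alerts), "alerts; repeated failures:", noisy)
```

appMsg values that embed quotes, such as the eNOR `channel["channel name"] ...` messages, need a parser matched to the device's real MSG encoding.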