Event Log Message Descriptions for M580 CPUs (Firmware earlier than Version 4.0), BMENUA0100 and BMENOR2200H (Firmware earlier than Version 3.01)
This topic presents event log message descriptions for:
-
M580 CPUs with firmware earlier than version 4.0 (abbreviated “CPU” in column Devices), and
-
BMENUA0100 OPC UA communication modules (abbreviated “NUA” in column Devices), and
-
BMENOR2200H remote terminal unit (abbreviated “eNOR” in column Devices)
| Event Description | Event additional Description | Facility | Severity | MSGID | MSG:peerAddr | MSG:type | MSG:appMsg | Devices |
|---|---|---|---|---|---|---|---|---|
|
Successful connection to or from a tool or a device: * Successful login * Successful TCP connection |
Successful login (Data Storage via FTP, FDR Server via FTP, Firmware upload via FTP) |
10 |
6 |
FTP |
remote ip address |
Li1: Successful connection(MNT_ENG_MSG_TYP_CNCTN_SUCCESS) |
« Successful login » |
CPU |
|
Successful login (Web Server via HTTPS) |
HTTPS |
« (null) » |
« Successful login » |
NUA |
||||
|
Successful login (firmware upgrade via HTTPS) |
HTTPS |
« (null) » |
« Successful login » |
NUA |
||||
|
Successful login (OPC-UA) |
OPC-UA |
« (null) » |
« Successful login » |
NUA |
||||
|
Successful login (Unity Application password via Modbus-Umas) |
DEVICE_MANAGER |
« (null) » |
« Successful login » |
CPU |
||||
|
Successful login (Web Server via HTTP) |
HTTP |
« (null) » |
« Successful login » OR « Successful connection » (if no User Login M580 Web pages) |
CPU |
||||
|
Successful TCP connection (no user) |
MODBUS |
remote ip address |
« Successful connection » |
CPU |
||||
|
Successful TCP connection (no user) |
EIP |
« (null) » |
« Successful connection » |
CPU |
||||
|
Successful connection on DNP3 communication protocol (about DNP3 master and outstation) |
DNP3 |
remote ip address |
« Successful connection » |
eNOR |
||||
|
Successful connection on IEC60870 communication protocol (about IEC60870 client and server) |
IEC60870 |
remote ip address |
« Successful connection » |
eNOR |
||||
|
Connection problem to or from a tool or a device: *TCP connection problem due to ACL check (source IP address/TCP port filtering) * Login problem |
Login problem ( Data Storage via FTP, FDR Server via FTP, Firmware upload via FTP) |
10 |
4 |
FTP |
remote ip address |
Li2: Unsuccessful connection (wrong credential)(MNT_ENG_MSG_TYP_CNCTN_FAILURE) |
« Failed login » |
CPU |
|
Login problem (Web Server via HTTPS) |
HTTPS |
« (null) » |
« Failed login » |
NUA |
||||
|
Login problem (firmware upgrade via HTTPS) |
HTTPS |
« (null) » |
« Failed login » |
NUA |
||||
|
Login problem (OPC-UA) |
OPC-UA |
« (null) » |
« Failed login » |
NUA |
||||
|
Login problem (Web Server via HTTP) |
HTTP |
remote ip address |
« Failed login » OR « Failed connection » (if no User Login) |
CPU |
||||
|
Login problem (Unity Application password via Modbus-Umas) |
DEVICE_MANAGER |
remote ip address |
« Failed login » |
CPU |
||||
|
TCP connection problem (no user) |
MODBUS |
remote ip address |
« Failed connection » |
CPU |
||||
|
TCP connection problem (no user) |
EIP |
remote ip address |
« Failed connection » |
CPU |
||||
|
Connection problem on DNP3 communication protocol (about DNP3 master and outstation) |
DNP3 |
remote ip address |
« Failed connection » |
eNOR |
||||
|
Connection problem on IEC60870 communication protocol (about IEC60870 client and server) |
IEC60870 |
remote ip address |
« Failed connection » |
eNOR |
||||
|
Disconnection triggered by local or peer: * TCP disconnection * On demand logout |
disconnection triggered by either the peer/user/local |
10 |
6 |
FTP |
« (null) » |
Li5: disconnection triggered by the peer/user(MNT_ENG_MSG_TYP_DISCONNECTION) |
« Disconnection » |
— |
|
disconnection triggered by either the peer/user/local |
HTTPS |
« (null) » |
« Disconnection » |
NUA |
||||
|
disconnection triggered by either the peer/user/local |
OPC-UA |
« (null) » |
« Disconnection » |
NUA |
||||
|
disconnection triggered by either the peer/user/local |
MODBUS |
remote ip address |
« Disconnection » |
CPU |
||||
|
— |
DNP3 |
« (null) » or remote ip address |
« Disconnection » |
eNOR |
||||
|
— |
IEC60870 |
« (null) » or remote ip address |
« Disconnection » |
eNOR |
||||
|
Automatic logout (inactivity timeOut) HTTPS OPC-UA |
Disconnection triggered by a timeout |
10 |
6 |
HTTPS |
« (null) » |
Li6: Disconnection triggered by a timeout(MNT_ENG_MSG_TYP_DSCNCT_TIMEOUT) |
« Auto logout » |
NUA |
|
Disconnection triggered by a timeout |
OPC-UA |
« Auto logout » |
NUA |
|||||
|
Major Changes in the system: Parameters run time change outside configuration |
Major change of cycle time or watch dog PLC application parameters change (cycle time, watch dog) |
13 |
5 |
DEVICE_MANAGER |
« (null) » |
Li87: System parameter update (MNT_ENG_MSG_TYP_PARAMETER_UPDATE) |
« XXXX parameter update » (with XXXX that identifies the parameter)XXXX = « Cycle time » Example: Cycle time parameter update |
CPU |
|
Major Changes in the system: * Application or Configuration download from the device * Export (recording) cybersecurity configuration files from the device |
Download of a configuration file from the device |
13 |
6 |
MODBUS |
« (null) » |
Li8: Download of a configuration file from the device(MNT_ENG_MSG_TYP_CONF_DL) |
« Application download » or « Configuration download » |
CPU |
|
HTTPS |
« Cybersecurity configuration backup » |
NUA |
||||||
|
Major Changes in the system |
Upload of Application/Configuration or Configuration only into the device (including CCOTF) Import (restore) cybersecurity configuration file into the device |
13 |
6 |
MODBUS |
« (null) » |
Li9: Upload of a configuration file into the device(MNT_ENG_MSG_TYP_CONF_UL) |
« Application upload » or » Configuration upload » |
CPU NUA |
|
HTTPS |
« Cybersecurity configuration restore » |
NUA |
||||||
|
Major Changes in the system |
Upload of Web pages into the device |
13 |
6 |
FTP |
« (null) » |
Li10: Upload of a new firmware in the device(MNT_ENG_MSG_TYP_FIRMWARE_UPDATE) |
« Web pages upload » |
CPU |
|
Upload of new safety copro |
FTP |
« Safety copro firmware upload » |
CPU |
|||||
|
Upload of a new firmware in the device |
FTP |
« Firmware upload » |
CPU |
|||||
|
Upload of a new firmware in the device |
HTTPS |
« Firmware upload » |
NUA |
|||||
|
Major Changes in the system |
Modification of the time of the device |
13 |
6 |
DEVICE_MANAGER |
« (null) » |
LI15: Modification of the time of the IED |
« Time major update » |
NUA |
|
Communication parameters run time Successful change outside configuration |
Enable/disable of communication services |
10 |
4 |
DEVICE_MANAGER |
« (null) » |
Li18: Any port, either physical (Serial, USB) or logical (telnet, FTP) activation/deactivation (MNT_ENG_MSG_TYP_PORT_MANAGEMENT) |
« Major communication parameter update: XXXX YYYY »XXXX = « EIP » or « DHCP » or « FTP » or « MODBUS » or « SNMP » or « HTTP » or « SECURITY » or « NTP » or « IPSEC » or « DEVICE_MANAGER » For NUA only:XXXX = « Control Expert Data Flows to CPU only » or « Control Expert Data Flows to Device Network » or « CPU to CPU Data Flows » For NOR only:XXXX = « DNP3 over TLS channel[« channel name »] » or « IEC60870 over TLS »YYYY= « enable » or « disable »Example: »Major communication parameter update: FTP enable » |
CPU NUA eNOR |
|
network physical port change: port link up/down |
Any network physical port status change. Can be the simple status of a Ethernet port, or information gathered from RSTP / HSR / PRP algorithm for redundant systems |
10 |
4 |
DEVICE_MANAGER |
« (null) » |
LI19: Any network physical port status change. Can be the simple status of a Ethernet port, or information gathered from RSTP / HSR / PRP algorithm for redundant systems (MNT_ENG_MSG_TYP_NETWK_PORT_CHG) |
« Major network physical port status change: XXXX link YYYY » XXXX = « ETH » following by decimal number for the port or « FRONT port » YYYY = « link up » or « link down » Example: « Major network physical port status change: ETH1 link up) |
CPU NUA |
|
Any topology change detected: |
Any topology change detected from RSTP / HSR / PRP |
10 |
4 |
RSTP |
« (null) » |
LI20: Any topology change detected from RSTP / HSR / PRP algorithms for redundant systems (MNT_ENG_MSG_TYP_NTWK_TPLGY_CHG) |
« Topology change detected » or « Topology change detected: XXXX YYYY » XXXX = « ETH » following by decimal number for the port or « FRONT port » YYYY = « enable », « disable », « learning », « forward », « blocking » |
CPU NUA |
|
Integrity check error: * Digital Signature error, * Integrity only (hash mac) |
Firmware integrity error |
10 |
6 |
DEVICE_MANAGER |
« (null) » |
LI84: Data Integrity Error MNT_ENG_MSG_DATA_INTEGRITY_ERROR |
« Firmware integrity error » |
CPU NUA |
|
Data integrity error: CS Conf, cert, whitelist, or RBAC) |
DEVICE_MANAGER |
« Data integrity error » |
NUA |
|||||
|
Major Changes in the system: Reboot |
Reboot after firmware upload |
13 |
4 |
DEVICE_MANAGER |
« (null) » |
LI14: MNT_ENG_MSG_TYP_REBOOT_ORDER |
« Restart » |
CPU NUA |
|
Major Changes in the system |
PLC Operating Mode change (Run, Stop, Init, halt) Maintenance Mode Safety Operating Modes change (SafeRun, Stop Safe task) |
13 |
5 |
DEVICE_MANAGER |
« (null) » |
LI85: Operating mode change MNT_ENG_MSG_OPERATING_MODE_CHANGE |
« XXXX state update: YYYY » (with XXXX that identifies the object which state change and YYYY that identifies the new state ) XXXX = « PLC » or « PLC safe task » or « Device » YYYY = « INIT » or « STOP » or « RUN » or « HALT » or « Maintenance mode » or « Safe mode » EXAMPLES: « PLC state update: RUN » « PLC state update: Maintenance mode » |
CPU |
|
Major Changes in the system: Hardware change |
operation on SDCard for module that have |
13 |
6 |
DEVICE_MANAGER |
« (null) » |
LI26: Hardware change MNT_ENG_MSG_HARDWARE_CHANGE |
« Hardware update: XXXX » (with XXXX that describes the update) XXXX = « SD card insertion » or « SD card extraction » |
CPU |
|
Rotary Wheel position change: Reset, Advanced |
DEVICE_MANAGER |
« Hardware update: XXXX » (with XXXX that describes the update) XXXX = « back to factory mode » or « secure mode » |
NUA |
|||||
|
Major change in Cybersecurity RBAC (done through Cybersecurity configuration web pages). |
Create user account Delete user account Update user account |
HTTPS |
« (null) » |
Li11: MNT_ENG_MSG_TYP_RBAC_UPDATE |
« Update RBAC » |
NUA |
||
|
Major change in Cybersecurity Policy (done through Cybersecurity configuration web pages). |
Network services Event log Security policy Security banner |
10 |
4 |
HTTPS |
« (null) » |
Li12:MNT_ENG_MSG_TYP_SECURITY_UPDATE_UPDATE |
« Major Cyber Security parameter update: network services » « Major Cyber Security parameter update: event log » « Major Cyber Security parameter update: security policy » « Major Cyber Security parameter update: security banner » |
NUA |
|
Major change in Cybersecurity device specific parameters (done through Cybersecurity configuration web pages). |
Enable/Disable & configure IPSEC Enable/Disable & configure OPC-UA Enable/Disable & configure DNP3 |
10 |
4 |
HTTPS |
« (null) » |
Li13: MNT_ENG_MSG_TYP_DSS_UPDATE |
« Major Cyber Security parameter update: IPSEC » « Major Cyber Security parameter update: OPC-UA » |
NUA |
|
Authorization problem |
An action on a resource from a user or machine is not authorized |
10 |
4 |
HTTPS |
« (null) » |
Li21: MNT_ENG_MSG_TYP_AUTH_REQ |
« Failed authorization » |
— |
|
Certificate Management |
Add/remove Client certificate |
10 |
4 |
HTTPS |
« (null) » |
Li89: Certificate Management (MNT_ENG_MSG_TYP_CERT_MGT) |
« Add client certificate » « Remove client certificate » |
NUA |
|
Certificate Management: * Certificate expired |
server certificate expiration detection on restart |
10 |
3 |
DEVICE_MANAGER |
« (null) » |
Li29: Certificate Management (MNT_ENG_MSG_TYP_CERT_EXPIRE) |
« Certificate expired » |
NUA |
|
Specific for eNOR project: |
||||||||
|
Authentication problem |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li100:MNT_ENG_MSG_TYPE_AUTHENTICATION_FAILUE |
« channel[« channel name« ] authentication failed » |
eNOR |
|
unexpected response |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li101:MNT_ENG_MSG_TYPE_UNEXPECTED_RESPONSE |
« channel[« channel name« ] unexpected response » |
eNOR |
|
No response |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li102:MNT_ENG_MSG_TYPE_NO_RESPONSE |
« channel[« channel name« ] no response » |
eNOR |
|
Aggressive mode not supported |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li103:MNT_ENG_MSG_TYPE_AGGRESSIVE_MODE_NOT_SUPPORTED |
« channel[« channel name« ] aggressive mode not supported » |
eNOR |
|
MAC algorithm not supported |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li104:MNT_ENG_MSG_TYPE_MAC_ALGORITHM_NOT_SUPPORTED |
« channel[« channel name« ] MAC algorithm not supported » |
eNOR |
|
Key wrap algorithm not supported |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li105:MNT_ENG_MSG_TYPE_KEYWRAP_ALGORITHM_NOT_SUPPORTED |
« channel[« channel name« ] key wrap algorithm not supported » |
eNOR |
|
Authorization problem |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li86:MNT_ENG_MSG_TYP_AUTHORIZATION_FAILURE) |
« channel[« channel name« ] authorization failed » |
eNOR |
|
Update key change method not permitted |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li106:MNT_ENG_MSG_TYPE_UPDATE_KEY_CHANGE_METHOD_NOT_PERMITTED |
« channel[« channel name« ] update key change method not permitted » |
eNOR |
|
Invalid signature |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li107:MNT_ENG_MSG_TYPE_INVALID_SIGNATURE |
« channel[« channel name« ] invalid signature » |
eNOR |
|
Invalid certification data |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li108:MNT_ENG_MSG_TYPE_INVALID_CERTIFICATION_DATA |
« channel[« channel name« ] invalid certification data » |
eNOR |
|
Unknown User |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li109:MNT_ENG_MSG_TYPE_UNKNOWN_USER |
« channel[« channel name« ] unknown user » |
eNOR |
|
Max session key status request exceed |
— |
10 |
4 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li110:MNT_ENG_MSG_TYPE_MAX_SESSION_KEY_STATUS_REQ_EXCEED |
« channel[« channel name« ] max session key status request exceed » |
eNOR |
|
Session key change success |
— |
10 |
6 |
« DNP3_Master » or « DNP3_Outstation » |
remote ip address |
Li111:MNT_ENG_MSG_TYPE_SESSION_KEY_CHANGE_SUCCESS |
« channel[« channel name« ] session key change success » |
eNOR |
-
HOSTNAME = Local IP address or null.
-
APPNAME = Commercial reference name, for example, BMEP584040.
-
PROCID is not used.
-
MSG:IssuerAdress = Local IP Address.
-
MSG:Peer is not used.