V1.1
November 2014
Introduction
This document is designed to provide the reader with all the steps and information on
implementing and using the Intelligent Platform Management Interface (IPMI) and Remote
Management Monitor capabilities supported in the McAfee SIEM operating environment
v9.4 and later.
McAfee SIEM
Revision History
August 2014 V1.0
November 2014 V1.1
Table of Contents
BIOS Update
Enabling IPMI
IPMItool
Appendix A
Appendix B
Appendix C
Appendix D
BIOS Update
IPMI and RMM capabilities are only supported on the Generation 4 (GEN4) SIEM appliances. Before
proceeding with this document, make sure you have GEN4 appliances. The two images below highlight the
stark differences between Generation 3 and Generation 4 SIEM appliances. While the examples below
display the 2U Gen4 appliance and the 3U Gen3 appliance, the orange bezel is always indicative of a Gen3
appliance.
GEN4 Appliance
GEN3 Appliance
Within the Gen4 SIEM appliance family, there are some exceptions on which platforms support IPMI
capabilities. Below is a table of what is and is not supported.
IPMI Supported
Before IPMI and Remote Management can be supported within the McAfee SIEM environment, the BIOS for
each appliance must be at a specific release to enable capabilities within the SIEM Management interface and
SIEM operating environment. As outlined in the previous section, remote management is only available on
Generation 4 and later appliances as well as operating environment v9.4 and later. See previous section for a
description of the appliances to ensure you have a GEN4 appliance.
Check current appliance version
IPMI and RMM capabilities are only supported in the SIEM operating environment v9.4 and above. To check
which McAfee SIEM Operating Environment version your appliance(s) are currently at, log into your ESM
using any flash capable browser. Once the login screen appears, check the lower left corner of the browser
for the version number. It should be version 9.4.0 or greater. See Figure 1 for an example. If your appliance
does not have this version, access the McAfee download page to obtain the latest release. Once it has been
upgraded, continue with the steps following this topic.
The download link is: http://www.mcafee.com/us/downloads/downloads.aspx
Figure 1
While all McAfee SIEM appliances should be on the same operating environment release, it is possible that
this may not be the case in your environment. We recommend checking each appliance's SIEM Operating
Environment version. To do this, select the appliance and click the Properties icon (White Square in icon bar
above device tree display) and the resulting dialog will display the version. An example of this is in Figure 2.
Figure 2
To check the BIOS version, SSH into the appliance and issue the following command:
McAfee-ETM-6000 ~ # dmidecode -t 0
The correct BIOS version release date should be at or later than the example highlighted (yellow) above.
If yours is not, continue with the steps on the following pages. If your BIOS version is at or later than this
release date, continue onto the ESM Setup section on page 16.
Obtaining the BIOS update package
To upgrade the appliance BIOS you will need to extract the proper Intel Security BIOS update package to a USB
flash drive. These compressed packages are located on the ESM appliance in the following directory:
/etc/areca/system_bios_update/
The BIOS packages located here are specific to Intel Security (McAfee) SIEM Appliances. Do not
attempt to use any BIOS packages other than what is located here.
The directory will contain files similar to, but not exactly the same as, the ones below:
850-1773-03_032514.zip
850-1904-00_012714.zip
Contents-README.txt
Because BIOS packages may change between SIEM operating environment releases, please refer to
the Contents-README.txt file for the correct package that is to be used for the appliance you
are upgrading.
After you have identified which ZIP package is appropriate for the appliance you are upgrading, use an
application like SCP or WinSCP to download the ZIP package. If your environment requires both zip
packages, please extract each zip to its own properly labeled USB flash drive. Mixing the packages could
render an appliance un-bootable.
Once you have downloaded the zip package, unzip it to the root of your USB flash drive. The drive you use
should be empty, should be a 4GB drive or less and can be formatted using Windows or Linux file systems. It
also does not have to be bootable. The directory on the USB flash drive will look similar to Figure 4 below.
Figure 4
Next, insert the USB flash drive into an unused USB port on the back of the appliance being upgraded. The
rear of both appliances (1U and 2U), and their respective USB ports, are highlighted in Figure 5.
Figure 5
Once the USB flash drive has been attached, re-boot the appliance. To ensure a proper shutdown, use either
the SIEM Administrative interface (browser-based GUI) or a monitor and keyboard attached to the system to
access the LCD emulator in the upper left corner of the console. The shutdown process may take several
minutes so that it can safely complete any outstanding task. Please be patient.
Once the system boots normally, it will display the McAfee Boot Splash screen as shown in Figure 6.
Do not make a selection. Let the system boot as normal. It will auto recognize that the USB drive is
attached and boot from it. The McAfee Splash screen may take up to 60 seconds before proceeding.
Figure 6
After the McAfee boot splash clears, the system will recognize the USB and will start to boot. However,
depending on when you received your SIEM appliance, there may have been a BIOS password set and it will
need to be entered in order for the automated BIOS update process to start. If this is the case in your
environment, the example in Figure 7 will appear. The password you enter will depend on the type of appliance
you are updating.
For 1U Appliances use: appl1an
For 2U Appliances use: @ppl1@nc3
Figure 7
Once you have successfully entered the BIOS password, you should see a screen similar to Figure 8.
Figure 8
At this point it should start updating the system automatically and you will see messages scroll across the
screen. The entire process can take as much as 15 to 20 minutes to complete. There are multiple phases of
the update process as the various subsystems of the motherboard are updated. You may notice that the
appliance cooling system power cycles a number of times; this is normal. You may also notice messages
indicating password failures; this is also normal.
Do not interrupt or reset the update process, remove power to the system, or use the keyboard
(unless prompted) while the update is taking place. Doing so could result in an unbootable
system.
The update process should end successfully with a message similar to Figure 9. It will indicate that the USB
flash drive should be removed and the system rebooted using the front-panel reset button.
Update file configuration: Revision S2600GZ.112
FRU & SDR Update Package for Intel (R) Server Board S2600GZ/GL
Copyright (c) 2013 Intel Corporation.
Auto-detecting chassis model and attached hardware.
This may take up to 1 minute to complete.
FRUSDR update completed.
Setting BIOS Admin and User Password
Successfully Completed
Successfully Completed
BIOS Admin and User Password Set
Updates Completed. Please remove the USB key and reboot using the front panel button
Fs0:\>
Figure 9
Troubleshooting
You may not always get the display in Figure 9 on your first attempt at updating the BIOS. This could be due
to issues where the FRU flags a few messages or recoverable errors have occurred. The following page(s)
will provide guidance on how to handle some of these issues should they arise.
Chassis Selection
In some instances, after the BIOS appears to have successfully updated, an FRU message appears indicating
an issue detecting the backplane (Figure 10) and asks you to determine which chassis is in
use.
ME firmware update completed.
FRUSDR 1.12 is being installed.
Update file Configuration: Revision S2600GZ_112
FRU & SDR Update Package for Intel(R) Server Board S2600GZ/GL
Copyright (c) 2013 Intel Corporation
Auto-detecting chassis model and attached hardware.
This may take up to 1 minute to complete.
Hot-swap HDD backplane detected but its FRU details either corrupted or blank.
Falling back to User chassis selection as auto detection is not possible.!
Select the Chassis
1 Intel(R) Server Chassis R1000
2 Intel(R) Server Chassis R2000
3 Other Chassis
Figure 10
For all McAfee SIEM Appliances, choose option 2 Intel(R) Server Chassis R2000.
Once that is selected, an R2000 Chassis type message (Figure 11) will appear.
Hot-swap HDD backplane detected but its FRU details either corrupted or blank.
Falling back to User chassis selection as auto detection is not possible.!
Select the Chassis
1 Intel(R) Server Chassis R1000
2 Intel(R) Server Chassis R2000
3 Other Chassis
Select the R2000 chassis type
1 R2208/R2216/R2308 chassis
2 R2224 chassis
3 R2312 chassis
4 Intel(R) Server Chassis R2000 with Aux PCIe
Figure 11
Once you've made the selections, the process should continue. However, the process may also stall. If the
process stalls, we recommend rebooting the appliance and performing the BIOS upgrade again. This second
BIOS upgrade should complete successfully and will end with the display similar to page 11.
Password Set Failure
In some instances, after the BIOS appears to have successfully updated, one or more errors may indicate
that a password mismatch has occurred. It may appear like the example in Figure 12.
Update file configuration: Revision S2600GZ.112
FRU & SDR Update Package for Intel (R) Server Board S2600GZ/GL
Copyright (c) 2013 Intel Corporation.
Auto-detecting chassis model and attached hardware.
This may take up to 1 minute to complete.
FRUSDR update completed.
Setting BIOS Admin and User Password
Error: Password Mismatch:entered password doesnt match with current password
Error: Password Mismatch:entered password doesnt match with current password
BIOS Admin and User Password Set
Figure 12
These errors should not affect the process and the admin and user passwords will ultimately get set
properly.
BMC Firmware is not Transitioning
In some instances, after the firmware has successfully updated, a message similar to Figure 13 will
appear.
BMC Firmware update Successful
BMC Firmware is not transitioning to operating mode
Could not exit FW transfer mode
An Error occurred
To save the error to a file
Y,N,ESC
Figure 13
If this occurs, press Y. Shortly after, you should receive an Updates Completed
message similar to Figure 9. However, it has been reported that once the USB
drive has been removed and the power switch pressed, the appliance does not
reboot. At this point you have two options. First, press and hold the reset button
(Figure 14) for 20 seconds. If the appliance still does not reboot, it is
recommended that power be removed from the appliance.
Figure 14
If you run into issues not previously highlighted, or the update process stalls or prompts you for an entry of
some nature which you do not have the answer for:
DO NOT SHUT OFF THE APPLIANCE
Enabling IPMI
Now that the appliance(s) have been updated to the proper BIOS level, you will need to connect each
appliance's IPMI port to your network. All of the IPMI capabilities outlined in the following pages are only
supported via the IPMI port. McAfee SIEM appliances do not support Remote Management via the traditional
MGMT1 or MGMT2 ports.
Figure 15 highlights the IPMI port location on each style (1U or 2U) of SIEM appliance. A standard CAT5
or CAT6 cable can be used and there is no need to use a cross-over cable, as a standard Ethernet cable will
work.
Figure 15
There are several security issues to be considered before enabling the IPMI LAN interface. A
remote station has the ability to control a system's power state as well as being able to gather or
modify certain platform information. To reduce vulnerability it is strongly advised that the IPMI
LAN interface only be enabled in 'trusted' environments where system security is not an issue or
where there is a dedicated secure 'management network'.
Once you have cabled the appliance(s), use the steps on the following pages to set the IP address for each
appliance to enable remote management. To perform these tasks, launch a flash capable browser and log
into the ESM's browser-based interface using the NGCP account.
Once logged into the ESM, navigate to one of these locations depending on which appliance you need to
enable Remote Management on. Each appliance type sets the IP address differently. Please make sure you
follow the instructions for the appropriate appliance.
Setting IP address for ESM or All-in-One Appliances:
Select System Properties and then Network Settings. Next, select the Advanced tab
and the dialog in Figure 16 will appear.
Setting IP address for a Receiver, ACE, ELM, ADM, or DEM:
Select Device Properties and then Device Configuration. Next, select the Interface
button and then the Advanced tab and a dialog similar to Figure 16 will appear.
Figure 16 is specific for an ESM, but each device (ERC, ACE, ELM, etc.) will have a
similar dialog with the exact same IPMI values.
Figure 16
If for some reason your BIOS update did not complete successfully, the Enable IPMI Settings section
will not appear.
Regardless of which appliance you are configuring, the steps outlined here will be the same for all
appliances.
Check the Enable IPMI Settings check box and then fill in the appropriate network settings. Figure 17
provides an example of how these may appear. The VLAN setting is the only optional setting and everything
else will be required.
Figure 17
Once you have completed entering the network settings, click Apply or OK. In the background, the appliance
will have its IPMI IP address set. Then, depending on the appliance you made the settings on, you will see a
similar version of Figure 18 indicating the progress of the action. This may take a few seconds to complete
depending on the activity of the appliance.
When it has completed successfully, both the Apply and OK buttons may be grayed out temporarily.
Figure 18
If something in the preceding steps is different than what was outlined, see the next page for caveats to the
process.
Caveats to setting the IPMI Network Settings
Wrong Version
If you have an ESM on version 9.4 but a new or existing ERC, ELM, ACE or other appliance has not been
upgraded, you may still see the IPMI setting for that appliance. However, because IPMI support requires
SIEM operating environment v9.4 and above, the process for setting an IP address may not complete
successfully. If you see a message similar to Figure 19, check the version of your appliance before
proceeding.
Figure 19
Re-keying Notice
For an ERC, ERCELM, ELM, ACE, ADM or DBM appliance, to change the IPMI root password you will need to
perform a re-key operation. On Receiver class devices, the dialog in Figure 20 will appear after you check
Enable IPMI Settings. Page 19 will provide the details on changing the password.
Figure 20
Setting IPMI password
Once the network settings have been set, you will receive a prompt (Figure 21) to change the password for
the IPMI root account. Each appliance may have a slightly different dialog depending on appliance model and
operating environment version. Also, there is only one account defined for IPMI and that is root.
Figure 21
IPMItool
As mentioned in the introduction of this document, the Intelligent Platform Management Interface (IPMI)
is an interface used by administrators for out-of-band management of computer systems and monitoring of
their operation. In this section, we highlight the IPMItool application syntax and use case examples.
IPMItool provides a simple, command-line interface to IPMI-enabled devices through an IPMIv1.5 or
IPMIv2.0 LAN interface. It is offered on a wide variety of platforms including Windows, UNIX, Linux and Mac.
Because of the variety of platforms that IPMItool can exist on, this document uses the Sourceforge syntax
and parameters. Your platform implementation may vary slightly and you are encouraged to review the
documentation for your variant.
IPMItool can be used in two basic forms: locally on the SIEM appliance that you are managing, or remotely
from a workstation or server running IPMItool to the SIEM appliance you need to manage.
The syntax for local access is:
McAfee-ETM-6000 ~ # ipmitool <command> <parameters>
The syntax for remote access is (See Appendix A for additional arguments):
or
[user@linux ~]# ipmitool -H <remote_IP> -U <username> <command> <parameters>
It should be noted that remote use of IPMItool requires port 623. This cannot be changed. If
there is a firewall or other device between the IPMItool client and the McAfee SIEM appliance,
you will need to ensure that this port is open for traffic to pass.
IPMItool Examples
The examples on the following pages all use remote techniques. However, simply removing the -H and -U
parameters and their associated values from the command string will allow for the same results if executed
on the local appliance or via SSH to the local appliance. Also, these examples do not include the password
parameter and you will be prompted for the password before the command can execute.
In the following examples, we only highlight the command arguments and not the common items for each
command. In the example below, the syntax in grey is common to all examples and the arguments in blue
are what we are highlighting. The username (-U) is always root and the password was set in the previous
Enabling IPMI section.
ipmitool -U root -H 10.1.1.13 chassis status
Because of the extensive command set of IPMItool, we are only highlighting the commands that would be the
most valuable for the wider McAfee SIEM customer base. At the end of this section there are some links you
can reference to learn more about additional IPMItool commands. In addition, the appendices have a
complete list of commands, arguments and parameters.
IPMItool not only can query a sensor, it also has the ability to make changes to the system at the BIOS
level as well as the ability to control power up and power down states. Any use or misuse of a
command that changes the operation of the McAfee SIEM appliance could result in data loss.
on
false
inactive
false
false
always-on
inactive
inactive
false
false
not allowed
allowed
allowed
allowed
false
false
false
false
Query the Field Replaceable Unit (fru) Inventory
Print built-in FRU (Field Replaceable Unit) inventory and scan SDR (Sensor Data Record) for FRU locators
and their values. The example below shows a number of interesting items. First, highlighted in blue is the
product name. This is what was entered at the time of manufacture. Next, the area highlighted in red is a
power supply. In this example, the power supply was slid out of the machine used in testing and as you can
see from the example below, it is shown as not present.
ipmitool -U root -H 10.1.1.13 fru
FRU Device Description :
Chassis Type :
Chassis Part Number :
Chassis Serial :
Chassis Extra :
Chassis Extra :
Board Mfg Date :
Board Mfg :
Board Product :
Board Serial :
Board Part Number :
Product Manufacturer :
Product Name :
Product Part Number :
Product Version :
Product Serial :
Product Asset Tag :
HS Backplane 1 (ID 5)
Fri Mar 30 10:31:00 2012
Intel Corporation
F2U12X35HSBP
QSRU21300568
G43212-250
Query the Sensor Data Record (sdr)
Sensor Data Records (SDR) contain information about the type and number of sensors present on a given
appliance. An individual sensor record describes a specific sensor and its state or status. The sensor records
are stored in a central, non-volatile storage area, which is managed by the BMC. This storage area is called
the Sensor Data Record Repository. Using IPMItool, we can query that repository for the sensors and their
status. An example is below.
For a complete list of the BMC Core Sensors and possible return codes (offset triggers) please
see Table 61 in the Intel Server Board S2600GZ / GL Technical Product Specification Guide.
http://www.intel.com/support/motherboards/server/sb/CS-033134.htm
| 0x00         | ok
| 0x0a         | ok
| 0x00         | ok
| 0x00         | ok
| 0x00         | ok
| 11.94 Volts  | ok
| 4.96 Volts   | ok
| 3.25 Volts   | ok
| 28 degrees C | ok
| 22 degrees C | ok
| 43 degrees C | ok
| 28 degrees C | ok
| 32 degrees C | ok
| 27 degrees C | ok
| 28 degrees C | ok
| 11956 RPM    | ok
| 12152 RPM    | ok
| 12054 RPM    | ok
| Not Readable | ns
| disabled     | ns
| disabled     | ns
NOTE: The full sdr command results are truncated in the example above to preserve page space.
The column format from the sdr list output above is:
Sensor Type or ID: This is the type of sensor. There can be multiple entries of the same type. For
example, there could be one VCORE sensor for each processor. This has a 16
character max length.
Sensor Reading: This is the current reading of the sensor. Where available, the reading is
translated into the appropriate units (for example, degrees, volts or RPM).
Sensor Status: This indicates the sensor status. Possible values are:
ok: The sensor is present and operating correctly
ns: No sensor (corresponding reading will say disabled or Not Readable)
nc: non-critical error regarding the sensor
cr: critical error regarding the sensor
nr: non-recoverable error regarding the sensor
If the elist parameter is used, it will add the entity ID and the asserted discrete states.
ipmitool -U root -H 10.1.1.13 sdr elist
BB P1 VR Temp    | 20h | ok  |  7.1 | 28 degrees C
Front Panel Temp | 21h | ok  | 12.1 | 22 degrees C
SSB Temp         | 22h | ok  |  7.1 | 43 degrees C
BB P2 VR Temp    | 23h | ok  |  7.1 | 28 degrees C
BB Vtt 2 Temp    | 24h | ok  |  7.1 | 32 degrees C
BB Vtt 1 Temp    | 25h | ok  |  7.1 | 27 degrees C
HSBP 1 Temp      | 29h | ok  |  7.1 | 28 degrees C
Exit Air Temp    | 2Eh | ok  |  7.1 | 33 degrees C
LAN NIC Temp     | 2Fh | ok  |  7.1 | 42 degrees C
System Fan 1     | 30h | ok  | 29.1 | 11956 RPM
System Fan 2     | 32h | ok  | 29.2 | 12152 RPM
System Fan 3     | 34h | ok  | 29.3 | 12054 RPM
System Fan 4     | 36h | ok  | 29.4 | 12054 RPM
System Fan 5     | 38h | ok  | 29.5 | 12152 RPM
The column format from the sdr elist output above is:
Sensor Type or ID: This is the type of sensor. There can be multiple entries of the same type.
For example, there could be one VCORE sensor for each processor. This
has a 16 character max length.
Sensor Number: The numeric value of the sensor. Once known, it can be used as a
parameter to query the sensor directly. Examples of this are on the
following page.
Sensor Status
Entity ID and Instance
Sensor Reading: This is the current reading of the sensor. Where appropriate, the reading
is translated into the appropriate units (for example, degrees for
temperature sensor).
Using the elist parameter provides additional values. These are Sensor Number (orange) and Entity
(green). These new values can provide additional capabilities when added to the command syntax. Notice
that some sensors can have the same entity (green) parent, 29 for system fan or 7 for internal temperature.
These values can be used with the entity parameter to display values for just those sensors. Sensor Number
(orange) is the unique ID for a given sensor and can be used with the sel parameter to obtain log and
sensor information.
Examples of using specific Sensor Names, Numbers or Entity values to query specific sensors or groups of
sensors are on the following pages.
Query the SDR for Fan Device state
Ex #1: ipmitool -U root -H 10.1.1.13 sdr entity 29
Fan Redundancy   | 0Ch | ok  | 29.1 | Fully Redundant
System Fan 1     | 30h | ok  | 29.1 | 11956 RPM
System Fan 2     | 32h | ok  | 29.2 | 12054 RPM
Fan 1 Present    | 40h | ok  | 29.1 | Device Present
Fan 2 Present    | 41h | ok  | 29.2 | Device Present
| 0Ch | ok
| 30h | ok
| 40h | ok
The example above queries the entity 29 and instance 1 for a specific fan.
Query the SDR for Power Supply state
ipmitool -U root -H 10.1.1.13 sdr entity 10
PS1 Status       | 50h | ok  | 10.1 |
PS2 Status       | 51h | ok  | 10.2 | Presence detected
PS1 Input Power  | 54h | ns  | 10.1 | No Reading
PS2 Input Power  | 55h | ok  | 10.2 | 220 Watts
PS1 Curr Out %   | 58h | ns  | 10.1 | No Reading
PS2 Curr Out %   | 59h | ok  | 10.2 | 25 unspecified
PS1 Temperature  | 5Ch | ns  | 10.1 | No Reading
PS2 Temperature  | 5Dh | ok  | 10.2 | 28 degrees C
The example above queries the entity for the appliance power supplies. In this example, you
can see that the Power Supply unit 1 has been removed from the appliance.
Query the SDR for Hard Drive state
ipmitool -U root -H 10.1.1.13 sdr entity 15
HDD 0 Status     | F0h | ok  | 15.1 | Drive Present
HDD 1 Status     | F1h | ok  | 15.1 | Drive Present
HDD 2 Status     | F4h | ok  | 15.1 |
HDD 3 Status     | F5h | ok  | 15.1 |
HS Backplane 1   | 00h | ns  | 15.1 | Logical FRU @05h
The example above queries the entity for the hard drives. In this example, you can see that
HDD 2 and HDD 3 are not present.
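The checks walked through in the sdr elist and sdr entity examples above can be scripted against saved output. The following is an added example, not part of the original guide or of IPMItool: the function names are hypothetical, the sample rows are taken from this guide's listings except for one constructed "nc" row, and flagging an "ok" row with an empty reading follows the PS1 Status and HDD 2 Status cases shown above.

```sh
#!/bin/sh
# Added example, not from the original guide: triage captured
# `ipmitool sdr elist` output. Function names are hypothetical.
# Column order, as described in the guide:
#   name | sensor number | status | entity.instance | reading

# Constructed sample: rows copied from the outputs in this guide, plus one
# made-up "nc" row (Exit Air Temp at 61 degrees C) so a warning class appears.
sample_elist() {
cat <<'EOF'
BB P1 VR Temp    | 20h | ok  |  7.1 | 28 degrees C
System Fan 1     | 30h | ok  | 29.1 | 11956 RPM
PS1 Status       | 50h | ok  | 10.1 |
PS2 Status       | 51h | ok  | 10.2 | Presence detected
PS1 Input Power  | 54h | ns  | 10.1 | No Reading
PS2 Input Power  | 55h | ok  | 10.2 | 220 Watts
HDD 0 Status     | F0h | ok  | 15.1 | Drive Present
HDD 2 Status     | F4h | ok  | 15.1 |
Exit Air Temp    | 2Eh | nc  |  7.1 | 61 degrees C
EOF
}

# Keep only the rows of one entity ID, as `ipmitool sdr entity <id>` does,
# but working on saved output so it can be reviewed offline.
sdr_entity() {
    awk -F'|' -v want="$1" '
    NF >= 5 {
        ent = $4
        gsub(/[ \t]/, "", ent)   # " 7.1" becomes "7.1"
        sub(/\..*/, "", ent)     # drop the instance: "7.1" becomes "7"
        if (ent == want) print
    }'
}

# Print one tab-separated line per sensor that needs attention:
#   severity, name, sensor number, entity.instance, reading
# Status codes are the ones listed in the guide (ok, ns, nc, cr, nr).
sdr_triage() {
    awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF >= 5 {
        name = trim($1); num = trim($2); st = trim($3)
        ent = trim($4); val = trim($5)
        if      (st == "cr" || st == "nr") sev = "CRITICAL"
        else if (st == "nc")               sev = "WARNING"
        else if (st == "ns")               sev = "ABSENT"
        # "ok" with no asserted state: nothing detected in that slot or bay
        else if (st == "ok" && val == "")  sev = "NOSTATE"
        else next
        printf "%s\t%s\t%s\t%s\t%s\n", sev, name, num, ent, val
    }'
}

# One-line count per severity, convenient for a monitoring check.
sdr_summary() {
    sdr_triage | awk -F'\t' '
    { n[$1]++ }
    END {
        printf "critical=%d warning=%d absent=%d nostate=%d\n",
               n["CRITICAL"], n["WARNING"], n["ABSENT"], n["NOSTATE"]
    }'
}

# Demo run on the constructed sample.
sample_elist | sdr_triage
sample_elist | sdr_summary
```

On a live appliance the sample function is replaced by the command from the guide, for example `ipmitool -U root -H 10.1.1.13 sdr elist | sdr_triage`.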
Lastly, a couple of variants for an sdr query.
Or verbose mode, which will provide even more labeling for the thresholds
Query the Sensor information (sensor)
The sdr parameter is useful for current state. However, to view the complete sensor list
including thresholds, you will need to use the sensor parameter. Below are some common
examples of how to use the parameter.
To query the complete sensor list.
| 0x0        | discrete   | 0x0000| na        | na        | na        | na        | na        | na
| 0x0        | discrete   | 0x0a00| na        | na        | na        | na        | na        | na
| 27.000     | degrees C  | ok    | na        | 0.000     | 5.000     | 110.000   | 115.000   | na
| 21.000     | degrees C  | ok    | na        | 0.000     | 5.000     | 50.000    | 55.000    | na
| 12054.000  | RPM        | ok    | na        | 1715.000  | 1960.000  | na        | na        | na
| 12348.000  | RPM        | ok    | na        | 1715.000  | 1960.000  | na        | na        | na
| 11.935     | Volts      | ok    | na        | 10.635    | 10.947    | 13.027    | 13.391    | na
| 4.959      | Volts      | ok    | na        | 4.416     | 4.546     | 5.415     | 5.566     | na
NOTE: The full sensor command results are truncated in the example above to preserve page space.
This is the type or name of sensor. There can be multiple entries of the same
type. For example, there could be one VCORE sensor for each processor.
This is the current reading of the sensor.
This is the units of the sensor reading (e.g., degrees for temperature sensor).
Discrete is a binary sensor; other values are generally self explanatory.
Status: This indicates the status of the sensor. Possible values:
ok: okay
na: not available
a hex value
LNR, LCR, LNC, UNC, UCR, UNR
On the following pages are a few examples of how to use the sensor parameter. Also see
Appendix B for a syntax reference on sensor.
Query the status of a particular hard drive.
ipmitool -U root -H 10.1.1.13 sensor get 'HDD 0 Status'
Locating sensor record...
Sensor ID              : HDD 0 Status (0xf0)
Entity ID              : 15.1
Sensor Type (Discrete): Drive Slot / Bay
States Asserted        : Drive Slot
[Drive Present]
The value within the single quotes is the sensor type (name) in column 1 from the
previous page example.
Query the status of the Power Supplies.
Ex #1: ipmitool -U root -H 10.1.1.13 sensor get 'PS1 Status'
Locating sensor record...
Sensor ID              : PS1 Status (0x50)
Entity ID              : 10.1
Sensor Type (Discrete): Power Supply
Notice that the presence detected value exists in Power Supply 2 and not on Power
Supply 1. This means that the PS1 unit may not be plugged into the appliance.
Query the input power of the Power Supplies.
Ex #1: ipmitool -U root -H 10.1.1.13 sensor get 'PS1 Input Power'
: Unavailable
: unc+ ucr+
: unc+ ucr+
Ex #2: ipmitool -U root -H 10.1.1.13 sensor get 'PS2 Input Power'
Locating sensor record...
Sensor ID              : PS2 Input Power (0x55)
Entity ID              : 10.2
Sensor Type (Analog)   : Other
Sensor Reading         : 228 (+/- 0) Watts
Status                 : ok
Lower Non-Recoverable  : na
Lower Critical         : na
Lower Non-Critical     : na
Upper Non-Critical     : 868.000
Upper Critical         : 920.000
Upper Non-Recoverable  : na
Assertion Events       :
Assertions Enabled     : unc+ ucr+
Deassertions Enabled   : unc+ ucr+
Again notice that the Power Supply 2 values are consistent with a supply that is functioning
whereas Power Supply 1 clearly shows it is not present.
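The threshold columns of the sensor listing (LNR through UNR) can be evaluated directly from saved `ipmitool sensor` output to see how much headroom each reading has. This is an added example, not part of the original guide or of IPMItool: the function names are hypothetical, the sensor names in the sample are placeholders because the name column is missing from the listing above, and the last row is constructed. It assumes the usual IPMI comparison, where an upper threshold is crossed at reading >= threshold and a lower one at reading <= threshold.

```sh
#!/bin/sh
# Added example, not from the original guide: compute threshold headroom from
# saved `ipmitool sensor` output. Function names are hypothetical.
# Columns, as in the guide:
#   name | reading | units | status | LNR | LCR | LNC | UNC | UCR | UNR

# Constructed sample. Readings and thresholds of the first four rows come from
# the listing in this guide; the sensor names are placeholders (the name column
# is missing there) and the last row is made up to show a crossed threshold.
sample_sensor() {
cat <<'EOF'
Pwr Unit Status  | 0x0        | discrete   | 0x0000| na        | na        | na        | na        | na        | na
Front Panel Temp | 21.000     | degrees C  | ok    | na        | 0.000     | 5.000     | 50.000    | 55.000    | na
System Fan 1     | 12054.000  | RPM        | ok    | na        | 1715.000  | 1960.000  | na        | na        | na
BB +12.0V        | 11.935     | Volts      | ok    | na        | 10.635    | 10.947    | 13.027    | 13.391    | na
Exit Air Temp    | 52.000     | degrees C  | nc    | na        | 0.000     | 5.000     | 50.000    | 55.000    | na
EOF
}

# For each analog sensor print, tab-separated:
#   name, computed band (ok/nc/cr/nr), next threshold not yet crossed, margin
# Discrete sensors (hex reading) and unreadable ones (na) are skipped.
# Assumption: upper thresholds trip at reading >= threshold, lower at <=.
sensor_headroom() {
    awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    BEGIN {
        split("lnr lcr lnc unc ucr unr", label, " ")
        split("nr cr nc nc cr nr", sev, " ")
        rank["ok"] = 0; rank["nc"] = 1; rank["cr"] = 2; rank["nr"] = 3
    }
    NF >= 10 {
        name = trim($1); val = trim($2)
        if (val !~ /^-?[0-9]+(\.[0-9]+)?$/) next
        band = "ok"; nearest = "-"; best = ""
        for (i = 1; i <= 6; i++) {
            thr = trim($(i + 4))
            if (thr == "na") continue          # threshold not defined
            # columns 5-7 are lower thresholds, 8-10 are upper thresholds
            margin = (i <= 3) ? val - thr : thr - val
            if (margin <= 0) {
                # crossed: remember the most severe crossed level
                if (rank[sev[i]] > rank[band]) band = sev[i]
            } else if (best == "" || margin < best) {
                best = margin; nearest = label[i]
            }
        }
        printf "%s\t%s\t%s\t%s\n", name, band, nearest,
               (best == "" ? "-" : sprintf("%.3f", best))
    }'
}

# Demo run on the constructed sample.
sample_sensor | sensor_headroom
```

The margin is in the sensor's own units, so 0.988 for the 12 V rail means it sits 0.988 V above its lower non-critical threshold.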
Query the System Event Log
The System Event Log (SEL) provides storage of all system events. You can view the contents of
the event log with IPMItool. The SEL keeps the last 12 events.
Query the SEL
ipmitool -U root -H 10.1.1.13 sel list
   2 | 06/13/2014 | 19:19:43 |
   3 | 06/13/2014 | 19:19:43 |
   4 | 06/13/2014 | 19:19:43 |
   5 | 06/16/2014 | 15:33:03 |
   6 | 06/16/2014 | 15:33:03 |
   7 | 06/16/2014 | 15:33:06 |
   8 | 06/16/2014 | 15:33:06 |
   9 | 06/16/2014 | 15:33:08 |
   a | 06/16/2014 | 15:33:08 |
   b | 06/16/2014 | 15:33:16 |
   c | 06/16/2014 | 15:33:25 |
   d | 06/16/2014 | 15:34:36 |
   e | 06/16/2014 | 15:34:36 |
Query the SEL to get more data for a specific event
ipmitool -U root -H 10.1.1.13 sel get 0x02
SEL Record ID          : 0002
Record Type            : 02
Timestamp              : 06/16/2014 15:33:06
Generator ID           : 0020
EvM Revision           : 04
Sensor Type            : Power Unit
Sensor Number          : 02
Event Type             : Generic Discrete
Event Direction        : Deassertion Event
Event Data (RAW)       : 01ffff
Description            : Redundancy Lost
Sensor ID              : Pwr Unit Redund (0x2)
Entity ID              : 21.1
Sensor Type (Discrete): Power Unit
States Asserted        : Redundancy State
[Redundancy Lost]
[Non-Redundant: Sufficient from Redundant]
The value 0x02 in the example is the record ID and you can see this in the first sel example
on the previous page.
The Embedded Web Console is available without the requirements for any agents or remote IPMItools and is
always accessible regardless of the state of the operating system. The web console is able to:
View the sensors, event log, and asset inventory of the system.
Retrieve and download the diagnostics log, containing important information about system crashes.
Launch KVM and media redirection (Intel Remote Management Module (Intel RMM) required).
Configure e-mail or SNMP alerting as well as other settings.
This section will give you a description of a number of areas within the Integrated BMC Web Console that
have value relative to the McAfee SIEM appliances. However, there are some areas that could cause loss of
contact or service interruptions should you make modifications. We strongly encourage you to limit your
activity to the sections we have outlined.
The console is divided into four tabs in a horizontal menu. Within each tab, a menu is provided on the left
side. Each tab and each menu option within each tab has a short description on its function. Figure 22 is a
legend of each Tab and its associated Menu options.
Figure 22
Figure 23
If for some reason you do not see the dialog above, check with your networking team to ensure
that your desktop has access to the IPMI IP address. For security reasons, the IPMI IP address may
be on a different subnet. In addition, you should ensure that the IPMI NIC has been cabled to your
switched environment. See page 15 for the location of the IPMI NIC.
Once the dialog above appears, enter the user root and the password you used to set the IPMI root password
on page 17. When successful, you will see Figure 15 (following page), the System Information page of the
BMC Web Console.
Figure 24
As you navigate through the menu options, the browser will fetch information to populate the section you
navigated to. Sometimes, it may take several seconds or more for the display to fully populate. During this
time you will see a progress bar on the right side of the page, just beneath the blue horizontal line that
separates the header of the section and its content. The progress bar will look similar to the image below.
At this point, feel free to navigate through the options using the legend on page 36 to get acquainted with the
interface and the return time performance of certain pages.
Figure 25
The Sensor Readings page displays system sensor information including status, health, and reading
value every 60 seconds by default. A list of options for the Sensor Readings page is below.
Option
Task
Refresh button
Figure 26
The following table lists the options available for Server Health.
Option
Task
Figure 27
NOTE: The time value, at the top of the dialog, will be reset when the appliance is powered off.
Do not make any changes within this dialog. Any change to the IPMI IP address should always
be done via the ESM browser-based interface. The two additional LAN channels, Baseboard
MGMT and MGMT 2 are the same as the SIEM MGMT1 and MGMT2 ports but should be left at
their default values. Any modification here will cause the appliance to become unreachable by the
SIEM environment.
Figure 28
MAC Address
Task
Used to enable LAN Failover (only available on EPSD
Platforms Based on Intel Xeon Processor E5 4600/2600/2400/1600/1400
Product Families)
By default, root is the only user enabled and is the user account whose password is set when
changing the NGCP account password in the ESM browser-based interface. Do not change the
password here. Also, while other users can be enabled, McAfee strongly recommends leaving the
configuration as shown in figure 29.
Figure 29
This page allows the operator to configure the IPMI users and privileges for this server:
To delete a user, select the user in the list and click Delete User.
To add a user, select an empty slot in the list and click Add User.
Figure 30
Alert Destination #1 / #2
Save button
Task
Select one or more system events that will trigger an alert.
Click to select or clear all events.
Figure 31
To launch the console redirect, click the Launch Console button. Once done, two dialogs will
appear. See examples below. Figure 32 informs you that a Java package will be downloaded.
Figure 33 asks you to open the package.
Figure 32
Figure 33
NOTE: Java will have to be installed in order to take advantage of this capability. Java Run time
Environment (JRE) Version 6 Update 22 or higher is required.
Once Java has been installed, click OK on the opening of the JNLP file, Figure 24 (previous page).
This will then launch the Java Run Time Environment. You may briefly see a Java splash screen.
At this point, one of two scenarios will occur.
Scenario #1
Once Java is loaded, a Security Warning
popup, Figure 34, will ask you to confirm that
this application should be run. Check Accept
and then click Run.
Figure 34
Figure 35
Figure 36
Prior to Update 51, a pop-up similar to the ones in Scenario #1 would have appeared. However,
starting with Java 7 Update 51, a new Security Exception list has been added and you will need to provide
an exception in order to proceed.
To do this, go to Control Panel, then select Java. Next, select the Security tab. The Security dialog will look
similar to the example in Figure 37.
Figure 37
Next, click the Edit Site List button and enter the full path of the appliance's IPMI NIC. The example in
Figure 37 displays the completed exception list. Once this entry is saved, the Java app will allow access
to the Remote Control app and Scenario #1 should occur.
NOTE: You may also need to make additional security adjustments on your desktop. Applications such as
Windows Firewall or McAfee End-Point products may also prevent access to this application.
Figure 39
While the McAfee SIEM appliances are ACPI aware, it is possible for the Graceful OS Shutdown to
not function properly or to time out if the appliance is performing other tasks. After a Graceful
Shutdown has been requested, if the system does not shut down as requested, the command
cannot be executed again for five minutes. However, McAfee recommends that powering down the
appliance(s) should always be done via the ESM browser-based interface.
Figure 40
Task
Reset Server
Check this option to enter into the BIOS setup after resetting the
server.
Graceful Shutdown
Power ON Server
Select option to immediately power off the host, and then power it
back on after one second.
Note: All power control actions are done through the BMC and are immediate actions. It is strongly
suggested to gracefully shut down through the ESM browser-based interface.
While this dialog will allow administrators to perform graceful shutdowns of the SIEM appliances,
McAfee recommends that resetting or powering down the appliance should always be done via the
ESM browser-based interface.
Figure 41
Task
Power Button
Chassis ID Button
When the Chassis ID button is pressed, the chassis ID LED changes to solid
on. If the button is pressed again, the chassis ID LED turns off.
Reset Button
The Reset button is used to reset the server while system is ON.
Graceful Shutdown
Select option to soft power off the host.
Power LED
The Power LED shows the system power status. If the Power LED is green,
the system is ON. If the Power LED is grey, the system is OFF.
Status LED
The Status LED reflects the system status LED status and it is automatically
in sync with the BMC every 60 seconds. This reflects the System Status LED.
Chassis ID LED
The Chassis ID LED shows the current system chassis ID status. If the
Chassis ID LED is blue, the Chassis ID is indefinite ON. If
the Chassis ID LED is grey, the Chassis ID is OFF.
-a
-A <authtype>
-c
-e <sol_escape_char>
Use supplied character for SOL session escape character. The default is
to use ~ but this can conflict with ssh sessions.
-k <key>
Use supplied Kg key for IPMIv2 authentication. The default is not to
use any Kg key.
-y <hex key>
-C <ciphersuite>
-E
-f <password_file>
-h
-H <address>
-I <interface>
-L <privlvl>
-m <local_address>
-o <oemtype>
Select OEM type to support. This usually involves minor hacks in place
in the code to work around quirks in various BMCs from various
manufacturers. Use -o list to see a list of current supported OEM types.
-O <sel oem>
Open selected file and read OEM SEL event descriptions to be used
during SEL listings. See examples in contrib dir for file format.
-p <port>
Remote IPMI server UDP port to connect to. Default is 623.
-P <password>
-S <sdr_cache_file>
Use local file for remote SDR cache. Using a local SDR cache can
drastically increase performance for commands that require
knowledge of the entire SDR to perform their function. Local SDR cache
from a remote system can be created with the sdr dump command.
-t <target_address>
Bridge IPMI requests to the remote target address.
-U <username>
Remote IPMI server username. For McAfee SIEM appliances this will
always be root.
-v
Increase verbose output level. This option may be specified multiple
times to increase the level of debug output. If given three times you
will get hex dumps of all incoming and outgoing packets.
-V
Display version information.
VAL   HEX    STRING
==============================================
0     0x00   Chassis
2     0x02   Bridge
4     0x04   SensorEvent
6     0x06   Application
8     0x08   Firmware
10    0x0a   Storage
12    0x0c   Transport
i2c
spd
lan
Usage:
chassis <status|power|identify|policy|restart_cause|
poh|bootdev|bootparam|selftest>
Example:
status
Displays information regarding the high-level status of the system chassis and
main power subsystem.
power (see power section below)
identify <interval>
Control the front panel identify light. Default is 15. Use 0 to turn off.
policy <state>
always-on
Turn on when power is restored.
previous
Returned to previous state when power is restored.
always-off
Stay off after power is restored.
restart_cause
Query the chassis for the cause of the last system restart.
poh
This command will return the Power-On Hours counter.
disk
Force boot from BIOS default boot device
safe
Force boot from BIOS default boot device, request Safe Mode
diag
Force boot from diagnostic partition
cdrom
Force boot from CD/DVD
bios
Force boot into BIOS setup
force_safe
Force boot from BIOS default boot device, request Safe Mode
force_diag
Force boot from diagnostic partition
force_cdrom
Force boot from CD/DVD
force_bios
Force boot into BIOS setup
selftest
Will display a pass or fail of the chassis components.
power
Shortcut to chassis power commands and performs a chassis control command to
view and change the power state.
Usage:
power <status|on|off|cycle|reset|diag|soft>
Example:
status
Show current chassis power status.
on
Power up chassis.
off
Power down chassis into soft off (S4/S5 state). WARNING: This command does
not initiate a clean shutdown of the operating system prior to powering down the
system.
cycle
Provides a power off interval of at least 1 second. No action should occur if
chassis power is in S4/S5 state, but it is recommended to check power state
first and only issue a power cycle command if the system power is on or in
lower sleep state than S4/S5.
reset
This command will perform a hard reset.
diag
Pulse a diagnostic interrupt (NMI) directly to the processor(s).
soft
Initiate a soft-shutdown of OS via ACPI. This can be done in a number of ways,
commonly by simulating an over temperature or by simulating a power button
press. It is necessary for there to be Operating System support for ACPI and some
sort of daemon watching for events for this soft power to work.
event
Send pre-defined events to MC
mc
Print Sensor Data Repository entries and readings. Each command will display a
slightly different output but the main elements will be Sensor Name, Sensor
Number, Status and Entity ID. See Appendix C for an explanation of Entity values.
Note: Depending on which IPMI command you use the sensor number that is
displayed for an event might appear in slightly different formats. A sensor number
can be displayed as either 1Fh or 0x1F.
Usage:
sdr <list|elist|type|info|entity|dump|fill>
Example:
ipmitool sdr elist
Parameter:
-v
Verbose output.
Arguments:
sdr
The default output will only display full and compact sensor types, to see all
sensors use the all type with this command.
Valid types are:
all
All SDR records (Sensor and Locator)
full
Full Sensor Record
compact
Compact Sensor Record
event
Event-Only Sensor Record
mcloc
Management Controller Locator Record
fru
FRU Locator Record
generic
Generic SDR records
| 30h | ok | 7.1 | 28 degrees C
| 32h | ok | 12.1 | 24 degrees C
| 98h | ok | 3.1 | 57 degrees C
| 99h | ok | 3.2 | 53 degrees C
info
This command will query the BMC for SDR information.
entity <id>[.<instance>]
Displays all sensors associated with an entity. Get a list of valid entity ids on the
target system by issuing the sdr elist command. A list of all entity ids can be
found in the IPMI specifications.
dump <file>
Dumps raw SDR data to a file. This data file can then be used as a local SDR cache
of the remote managed system with the -S <file> option on the ipmitool
command line.
This can greatly improve performance over system interface or remote LAN.
fill sensors
fill <filename>
Creates the SDR repository for the current configuration or dumps raw SDR data
to a file.
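The sdr elist columns described above (sensor name, sensor number, status, entity ID with instance, reading) can be parsed for health monitoring, including the two sensor-number spellings 1Fh and 0x1F. This is an added example, not part of the original guide or of ipmitool; the function names, every sample row except the FM5/F0/TACH fan line, and the non-ok status values nc and ns are assumptions.

```python
import re

# Entity IDs (decimal) taken from the IPMI entity table; extend as needed.
ENTITY_NAMES = {3: "Processor", 7: "System Board", 29: "Fan Device"}

# Constructed sample in the `sdr elist` layout:
#   sensor name | sensor number | status | entity.instance | reading
# Only the fan row comes from this guide; the rest is invented (assumption).
SAMPLE_ELIST = """\
FM5/F0/TACH     | 76h  | ok | 29.5 | 5300 RPM
P1 Therm Margin | 98h  | ok |  3.1 | 57 degrees C
BB Inlet Temp   | 0x30 | nc |  7.1 | 48 degrees C
PS2 Status      | 51h  | ns | 10.2 | No Reading
this line is not sensor output
"""

_SENSOR_NUM = re.compile(r"0x([0-9a-fA-F]{1,2})|([0-9a-fA-F]{1,2})h")

def sensor_number(text):
    """Return the sensor number as an int for either '1Fh' or '0x1F'."""
    m = _SENSOR_NUM.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised sensor number: {text!r}")
    return int(m.group(1) or m.group(2), 16)

def parse_elist(output):
    """Parse elist text into one dict per sensor, skipping malformed lines."""
    rows = []
    for line in output.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            continue
        name, number, status, entity, reading = fields
        try:
            entity_id, instance = (int(part) for part in entity.split("."))
            number = sensor_number(number)
        except ValueError:
            continue
        rows.append({
            "name": name, "number": number, "status": status,
            "entity_id": entity_id, "instance": instance,
            "entity": ENTITY_NAMES.get(entity_id, f"entity {entity_id}"),
            "reading": reading,
        })
    return rows

def needs_attention(rows):
    """Names of sensors whose status column is anything other than 'ok'."""
    return [r["name"] for r in rows if r["status"] != "ok"]

if __name__ == "__main__":
    for row in parse_elist(SAMPLE_ELIST):
        print(row["number"], row["entity"], row["instance"], row["status"], row["name"])
```

Feeding it the saved output of ipmitool sdr elist gives a list that can be diffed between runs or forwarded to alerting.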
Print detailed sensor information
Usage:
sensor <list|get|thresh|reading> -v
Example:
ipmitool sensor list
Parameter:
-v
Verbose output.
Arguments:
sensor
list
Lists sensors and thresholds in a wide table format. Leaving this argument off will
produce the same wide format table.
get <id> ... [<id>]
Prints information for sensors specified by name.
Upper Non-Recoverable
Upper Critical
Upper Non-Critical
Lower Non-Critical
Lower Critical
Lower Non-Recoverable
fru
This command will read all Field Replaceable Unit (FRU) inventory data and
extract such information as serial number, part number, asset tags, and short
strings describing the chassis, board, or product.
Usage:
fru print
Example:
ipmitool fru print
gendev
Usage:
sel
<info|clear|list|elist|delete|save|writeraw|readraw|time>
Example:
ipmitool sel elist
Arguments:
info
This command will query the BMC for information about the System Event Log
(SEL) and its contents.
sel
clear
This command will clear the contents of the SEL. It cannot be undone so be
careful.
list | elist
When this command is invoked without arguments, the entire contents of the
System Event Log are displayed. If invoked as elist it will also use the Sensor
Data Record entries to display the sensor ID for the sensor that caused each event.
Note this can take a long time over the system interface.
<count>|first <count>
Displays the first count (least-recent) entries in the SEL. If count is zero, all
entries are displayed.
last <count>
Displays the last count (most-recent) entries in the SEL. If count is zero, all
entries are displayed.
delete <number>
Delete a single event.
save <file>
Save SEL records to text file that can be fed back into the event file ipmitool
command. This can be useful for testing Event generation by building an
appropriate Platform Event Message file based on existing events. Please see the
writeraw <file>
Save SEL records to a file in raw, binary format. This file can be fed back to the
sel readraw ipmitool command for viewing.
readraw <file>
Read and display SEL records from a binary file. Such a file can be created using
the sel writeraw ipmitool command.
time
get
Displays the SEL clock's current time.
pef
sol
tsol
isol
user
channel
session
Print session information. Get information about the specified session(s). You may
identify sessions by their id, by their handle number, by their active status, or by
using the keyword `all' to specify all sessions.
Usage:
info <active | all | id 0xnnnnnnnn | handle 0xnn>
Example:
ipmitool session all
sunoem
OEM Commands for Sun servers. Will not return values on McAfee SIEM
Appliances.
kontronoem
OEM Commands for Kontron devices. Will not return values on McAfee SIEM
Appliances.
picmg
Run a PICMG/ATCA extended cmd
fwum
Update IPMC using Kontron OEM Firmware Update Manager
firewall
Configure Firmware Firewall
shell
This command will launch an interactive shell which you can use to send multiple
ipmitool commands to a BMC and see the responses. This can be useful instead of
running the full ipmitool command each time. Some commands will make use of a
Sensor Data Record cache and you will see marked improvement in speed if these
commands are able to reuse the same cache in a shell session. LAN sessions will
send a periodic keep alive command to keep the IPMI session from timing out.
exec
Run list of commands from file
set
hpm
ekanalyzer
Unspecified
3
9
12
15
18
21
24
27
30
33
36
39
42
45
48
51
192
241
Processor
Other
System Board
Processor Module
10
Drive Backplane
16
Power Management
Sub-Chassis
Peripheral Bay
Cooling Unit
System Management
Software
System Bus
External Environment
Connectivity Switch
Processor/IO Module
PCI Bus
SATA/SAS Bus
13
19
22
25
28
31
34
37
40
43
46
49
52
193
242
Unknown
Memory Module
11
14
Power Unit
20
26
Cable/Interconnect
32
Group
38
Processor/Memory Module
44
Battery
Management Controller
Firmware
PCI Express Bus
Processor/Front-Side Bus
17
23
29
35
41
47
50
160
240
243
Peripheral Bay
Add-in Card
System Chassis
Disk Drive Bay
Fan Device
Memory Device
Operating System
IPMI Channel
If there are a number of the same entities, you will get a decimal version of entity ID. For instance,
Fan Device may display as:
2a |FM5/F0/TACH | 76h | ok | 29.5 | 5300 RPM
Temperature
Voltage
Processor
Power Supply
Current
Physical Security
Power Unit
Other
System Firmware
Watchdog
Critical Interrupt
Module / Board
Add-in Card
Chip Set
Cable / Interconnect
Slot / Connector
Watchdog
Entity Presence
LAN
Battery
Version Change
Fan
Platform Security
Cooling Device
Memory
Microcontroller
Chassis
Other FRU
Terminator
Boot Error
OS Critical Stop
For a complete list of the BMC Core Sensors and possible return codes (offset triggers) please see
Table 61 in the Intel Server Board S2600GZ / GL Technical Product Specification Guide.
http://www.intel.com/support/motherboards/server/sb/CS-033134.htm