1ipmiseld(8) ipmiseld ipmiseld(8)
2
6 ipmiseld - IPMI SEL logging daemon
7
9 ipmiseld [OPTION...]
10
12 The ipmiseld daemon polls the system event log (SEL) of specified hosts
13 and stores the logs into the local syslog. By default, the daemon can
14 also make best efforts to manage the remote SEL's buffer to ensure
15 events are never lost. Recent logging data will be cached to disk to
16 ensure that SEL events are not missed in the event the client or server
17 is rebooted.
18 Many of the options for this daemon are very similar to the ipmi-sel(8)
20 tool. It can be configured to log the local host, a remote host, or a
21 range of hosts to the local syslog. It can be configured via the com‐
22 mand line arguments listed below or via the /etc//ipmiseld.conf config‐
23 uration file.
24 Listed below are general IPMI options, tool specific options, trouble
26 shooting information, workaround information, examples, and known
27 issues. For a general introduction to FreeIPMI please see freeipmi(7).
28
30 The following options are general options for configuring IPMI communi‐
31 cation and executing general tool commands.
32 -D IPMIDRIVER, --driver-type=IPMIDRIVER
34 Specify the driver type to use instead of doing an auto selec‐
35 tion. The currently available outofband drivers are LAN and
36 LAN_2_0, which perform IPMI 1.5 and IPMI 2.0 respectively. The
37 currently available inband drivers are KCS, SSIF, OPENIPMI, and
38 SUNBMC.
39 --disable-auto-probe
41 Do not probe in-band IPMI devices for default settings.
42 --driver-address=DRIVER-ADDRESS
44 Specify the in-band driver address to be used instead of the
45 probed value. DRIVER-ADDRESS should be prefixed with "0x" for a
46 hex value and '0' for an octal value.
47 --driver-device=DEVICE
49 Specify the in-band driver device path to be used instead of the
50 probed path.
51 --register-spacing=REGISTER-SPACING
53 Specify the in-band driver register spacing instead of the
54 probed value. Argument is in bytes (i.e. 32bit register spacing
55 = 4)
56 --target-channel-number=CHANNEL-NUMBER
58 Specify the in-band driver target channel number to send IPMI
59 requests to.
60 --target-slave-address=SLAVE-ADDRESS
62 Specify the in-band driver target slave number to send IPMI
63 requests to.
64 -h IPMIHOST1,IPMIHOST2,..., --hostname=IPMIHOST1[:PORT],IPMI‐
66 HOST2[:PORT],...
67 Specify the remote host(s) to communicate with. Multiple host‐
68 names may be separated by comma or may be specified in a range
69 format; see HOSTRANGED SUPPORT below. An optional port can be
70 specified with each host, which may be useful in port forwarding
71 or similar situations.
72 -u USERNAME, --username=USERNAME
74 Specify the username to use when authenticating with the remote
75 host. If not specified, a null (i.e. anonymous) username is
76 assumed. The user must have atleast USER privileges in order for
77 this tool to operate fully.
78 -p PASSWORD, --password=PASSWORD
80 Specify the password to use when authenticationg with the remote
81 host. If not specified, a null password is assumed. Maximum
82 password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
83 -P, --password-prompt
85 Prompt for password to avoid possibility of listing it in
86 process lists.
87 -k K_G, --k-g=K_G
89 Specify the K_g BMC key to use when authenticating with the
90 remote host for IPMI 2.0. If not specified, a null key is
91 assumed. To input the key in hexadecimal form, prefix the string
92 with '0x'. E.g., the key 'abc' can be entered with the either
93 the string 'abc' or the string '0x616263'
94 -K, --k-g-prompt
96 Prompt for k-g to avoid possibility of listing it in process
97 lists.
98 --session-timeout=MILLISECONDS
100 Specify the session timeout in milliseconds. Defaults to 20000
101 milliseconds (20 seconds) if not specified.
102 --retransmission-timeout=MILLISECONDS
104 Specify the packet retransmission timeout in milliseconds.
105 Defaults to 1000 milliseconds (1 second) if not specified. The
106 retransmission timeout cannot be larger than the session time‐
107 out.
108 -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
110 Specify the IPMI 1.5 authentication type to use. The currently
111 available authentication types are NONE, STRAIGHT_PASSWORD_KEY,
112 MD2, and MD5. Defaults to MD5 if not specified.
113 -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
115 Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
116 identifies a set of authentication, integrity, and confidential‐
117 ity algorithms to use for IPMI 2.0 communication. The authenti‐
118 cation algorithm identifies the algorithm to use for session
119 setup, the integrity algorithm identifies the algorithm to use
120 for session packet signatures, and the confidentiality algorithm
121 identifies the algorithm to use for payload encryption. Defaults
122 to cipher suite ID 3 if not specified. The following cipher
123 suite ids are currently supported:
124 0 - Authentication Algorithm = None; Integrity Algorithm = None;
126 Confidentiality Algorithm = None
127 1 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
129 None; Confidentiality Algorithm = None
130 2 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
132 HMAC-SHA1-96; Confidentiality Algorithm = None
133 3 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
135 HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
136 6 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
138 None; Confidentiality Algorithm = None
139 7 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
141 HMAC-MD5-128; Confidentiality Algorithm = None
142 8 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
144 HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
145 11 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
147 MD5-128; Confidentiality Algorithm = None
148 12 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
150 MD5-128; Confidentiality Algorithm = AES-CBC-128
151 15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
153 = None; Confidentiality Algorithm = None
154 16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
156 = HMAC_SHA256_128; Confidentiality Algorithm = None
157 17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
159 = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
160 -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
162 Specify the privilege level to be used. The currently available
163 privilege levels are USER, OPERATOR, and ADMIN. Defaults to
164 OPERATOR if not specified.
165 --config-file=FILE
167 Specify an alternate configuration file.
168 -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
170 Specify workarounds to vendor compliance issues. Multiple work‐
171 arounds can be specified separated by commas. A special command
172 line flag of "none", will indicate no workarounds (may be useful
173 for overriding configured defaults). See WORKAROUNDS below for a
174 list of available workarounds.
175 --debug
177 Turn on debugging.
178 -?, --help
180 Output a help list and exit.
181 --usage
183 Output a usage message and exit.
184 -V, --version
186 Output the program version and exit.
187
189 The following options are specific to Ipmiseld.
190 -v Log verbose information. This option will log additional infor‐
192 mation. Most notably it will output additional hex codes to
193 given information on ambiguous SEL entries or SEL records. For
194 example, it will output Generator ID hex codes for sensors with‐
195 out names. Additional non-critical SEL errors or issues will
196 also be logged. Somewhat common errors, such as timeouts or
197 invalid hostnames, will output with increased verbosity.
198 -t SENSOR-TYPE-LIST, --sensor-types=SENSOR-TYPE-LIST
200 Specify sensor types of SEL events to log. By default, all sen‐
201 sor types are logged. A special command line type of "all", will
202 indicate all types should be shown (may be useful for overriding
203 configured defaults). Multiple types can be separated by commas
204 or spaces. Users may specify sensor types by string (see
205 --list-sensor-types in ipmi-sel(8)) or by number (decimal or
206 hex).
207 -T SENSOR-TYPE-LIST, --exclude-sensor-types=SENSOR-TYPE-LIST
209 Specify sensor types of SEL events to not log. By default, no
210 sensor types are filtered. A special command line type of
211 "none", will indicate no types should be excluded (may be useful
212 for overriding configured defaults). Multiple types can be sepa‐
213 rated by commas or spaces. Users may specify sensor types by
214 string (see --list-sensor-types in ipmi-sel(8)) or by number
215 (decimal or hex).
216 --system-event-only
218 Log only system event records (i.e. don't log OEM records).
219 --oem-event-only
221 Log only OEM event records (i.e. don't log system event
222 records).
223 --event-state-config-file=FILE
225 Specify an alternate event state configuration file.
226 --interpret-oem-data
228 Attempt to interpret OEM data, such as event data, sensor read‐
229 ings, or general extra info, etc. If an OEM interpretation is
230 not available, the default output will be generated. Correctness
231 of OEM interpretations cannot be guaranteed due to potential
232 changes OEM vendors may make in products, firmware, etc. See OEM
233 INTERPRETATION below for confirmed supported motherboard inter‐
234 pretations.
235 --entity-sensor-names
237 Output sensor names prefixed with their entity id and instance
238 number when appropriate. This may be necessary on some mother‐
239 boards to help identify what sensors are referencing. For exam‐
240 ple, a motherboard may have multiple sensors named 'TEMP'. The
241 entity id and instance number may help clarify which sensor
242 refers to "Processor 1" vs. "Processor 2".
243 --non-abbreviated-units
245 Output non-abbreviated units (e.g. 'Amps' instead of 'A'). May
246 aid in disambiguation of units (e.g. 'C' for Celsius or
247 Coulombs).
248 --event-state-filter=FILTERSTRING
250 Specify event states to be filtered out and not logged. Possible
251 inputs are NOMINAL, WARNING, CRITICAL, and NA. Multiple states
252 can be listed separted by comma. The special case string of
253 "none" will indicate no event states should be excluded (may be
254 useful for overriding configured defaults).
255 --warning-threshold=PERCENTINT
257 Specify SEL fullness warning threshold as an integer percentage.
258 When the SEL is past this percentage full, a warning will be
259 output indicating that SEL is nearly full. Specify 0 to disable
260 warning logs. Defaults to 80.
261 --clear-threshold=PERCENTINT
263 Specify SEL fullness clear threshold as an integer percentage.
264 When the SEL is past this percentage full, ipmiseld will attempt
265 to clear the SEL. Specify 0 to disable clearing. When the SEL is
266 full, it will be the responsibility of the user to clear the SEL
267 manually if clearing is disabled. Defaults to 0. If specified to
268 a non-zero value, be careful that the clearing of the SEL could
269 affect other applications that monitor the SEL, such as monitor‐
270 ing applications that use ipmi-sel(8) or libipmimonitoring(3).
271 --system-event-format=FORMATSTRING
273 Specify the format of the log output when a SEL system event is
274 encountered. Defaults to "SEL System Event: %d, %t, %s, %I, %E"
275 if logging locally, "SEL System Event(%h): %d, %t, %s, %I, %E"
276 if logging outofband or with hostranges. See SEL LOG FORMAT
277 STRING below for formatting details.
278 --oem-timestamped-event-format=FORMATSTRING
280 Specify the format of the log output when a SEL OEM timestamped
281 event is encountered. Defaults to "SEL OEM Event: %d, %t, %I,
282 %o" if logging locally, "SEL OEM Event(%h): %d, %t, %I, %o" if
283 logging outofband or with hostranges.. See SEL LOG FORMAT STRING
284 below for formatting details.
285 --oem-non-timestamped-event-format=FORMATSTRING
287 Specify the format of the log output when a SEL OEM non-times‐
288 tamped event is encountered. Defaults to "SEL OEM Event: %I, %o"
289 if logging locally, "SEL OEM Event(%h): %I, %o" if logging out‐
290 ofband or with hostranges.. See SEL LOG FORMAT STRING below for
291 formatting details.
292 --poll-interval=SECONDS
294 Specify the poll interval to check the SEL for new events.
295 Defaults to 300 seconds (i.e. 5 minutes).
296 --log-facility=STRING
298 Specify the log facility to use. Defaults to LOG_DAEMON. Legal
299 inputs are LOG_DAEMON, LOG_USER, LOG_LOCAL0, LOG_LOCAL1,
300 LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6,
301 LOG_LOCAL7.
302 --log-priority=STRING
304 Specify the log priority to use. Defaults to LOG_ERR. Legal
305 inputs are LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING,
306 LOG_NOTICE, LOG_INFO, LOG_DEBUG.
307 --cache-directory=DIRECTORY
309 Specify an alternate cache directory location for ipmiseld to
310 use. The cache directory will be used to cache a wide variety of
311 data, including the SDR and recent logging information to ensure
312 log entries are not missed on reboots and other system failures.
313 --ignore-sdr
315 Ignore SDR related processing. May lead to incomplete or less
316 useful information being output, however it will allow function‐
317 ality for systems without SDRs or when the correct SDR cannot be
318 loaded.
319 --re-download-sdr
321 Re-download the SDR on start even if it is not out of date. This
322 may help work around systems that do not properly timestamp SDR
323 modification times.
324 --clear-sel
326 On startup, clear any SEL being monitored. May be useful the
327 first time running ipmiseld to avoid warning messages or SEL
328 clears until a long time in the future.
329 --threadpool-count=NUM
331 Specify the number of threads for parallel SEL polling. This
332 option is very similar to the --fanout option in ipmi-sel(8) but
333 the threads are created only once on initialization for faster
334 processing. Defaults to 8, however the threadpool count will
335 always be decreased if the number of nodes specified is less
336 than the number of threads.
337 --test-run
339 Do not daemonize, output the current SEL of configured hosts as
340 a test of current settings and configuration.
341 --foreground
343 Run daemon in the foreground.
344
346 The output format of log messages can be adjusted via the --sys‐
347 tem-event-format, --oem-timestamped-event-format and --oem-non-times‐
348 tamped-event-format options. Options such as --interpret-oem-data,
349 --entity-sensor-names, and --non-abbreviated-units can further adjust
350 the output format. The following conversion directives will allow the
351 user to output specifics of each SEL event that occurs.
352 For System, OEM timestamped, and OEM non-timestamped events
354 %h - target host, useful if logging from multiple hosts
356 %i - record ID in decimal
358 %I - event state interpretation (NOMINAL, WARNING, or CRITICAL)
360 For System and OEM timestamped events
362 %t - time in format H:M:S using 24 hour clock
364 %d - date in format D-M-YEAR
366 For System events
368 %T - sensor type
370 %s - sensor name
372 %e - event data 1 string
374 %f - event data 2 string [2]
376 %h - event data 3 string
378 %c - combined event data 2 and event data 3 string
380 %p - event data 2 previous state string
382 %S - event data 2 severity string
384 %E - combined event data 1, 2, and 3 string
386 %k - event direction
388 For OEM timestamped events
390 %m - manufacturer id
392 For OEM timestamped and OEM non-timestamped events
394 %o - oem data in hex
396 %O - OEM supplied string describing the event (depends on manufacturer)
398
400 Multiple hosts can be input either as an explicit comma separated lists
401 of hosts or a range of hostnames in the general form: prefix[n-m,l-
402 k,...], where n < m and l < k, etc. The later form should not be con‐
403 fused with regular expression character classes (also denoted by []).
404 For example, foo[19] does not represent foo1 or foo9, but rather repre‐
405 sents a degenerate range: foo19.
406 This range syntax is meant only as a convenience on clusters with a
408 prefixNN naming convention and specification of ranges should not be
409 considered necessary -- the list foo1,foo9 could be specified as such,
410 or by the range foo[1,9].
411 Some examples of range usage follow:
413 foo[01-05] instead of foo01,foo02,foo03,foo04,foo05
414 foo[7,9-10] instead of foo7,foo9,foo10
415 foo[0-3] instead of foo0,foo1,foo2,foo3
416 As a reminder to the reader, some shells will interpret brackets ([ and
418 ]) for pattern matching. Depending on your shell, it may be necessary
419 to enclose ranged lists within quotes.
420 In-band IPMI Communication will be used when the host "localhost" is
422 specified. This allows the user to add the localhost into the hos‐
423 tranged output.
424
426 Most often, IPMI problems are due to configuration problems.
427 IPMI over LAN problems involve a misconfiguration of the remote
429 machine's BMC. Double check to make sure the following are configured
430 properly in the remote machine's BMC: IP address, MAC address, subnet
431 mask, username, user enablement, user privilege, password, LAN privi‐
432 lege, LAN enablement, and allowed authentication type(s). For IPMI 2.0
433 connections, double check to make sure the cipher suite privilege(s)
434 and K_g key are configured properly. The bmc-config(8) tool can be used
435 to check and/or change these configuration settings.
436 Inband IPMI problems are typically caused by improperly configured
438 drivers or non-standard BMCs.
439 In addition to the troubleshooting tips below, please see WORKAROUNDS
441 below to also if there are any vendor specific bugs that have been dis‐
442 covered and worked around.
443 Listed below are many of the common issues for error messages. For
445 additional support, please e-mail the <freeipmi-users@gnu.org> mailing
446 list.
447 "username invalid" - The username entered (or a NULL username if none
449 was entered) is not available on the remote machine. It may also be
450 possible the remote BMC's username configuration is incorrect.
451 "password invalid" - The password entered (or a NULL password if none
453 was entered) is not correct. It may also be possible the password for
454 the user is not correctly configured on the remote BMC.
455 "password verification timeout" - Password verification has timed out.
457 A "password invalid" error (described above) or a generic "session
458 timeout" (described below) occurred. During this point in the protocol
459 it cannot be differentiated which occurred.
460 "k_g invalid" - The K_g key entered (or a NULL K_g key if none was
462 entered) is not correct. It may also be possible the K_g key is not
463 correctly configured on the remote BMC.
464 "privilege level insufficient" - An IPMI command requires a higher user
466 privilege than the one authenticated with. Please try to authenticate
467 with a higher privilege. This may require authenticating to a different
468 user which has a higher maximum privilege.
469 "privilege level cannot be obtained for this user" - The privilege
471 level you are attempting to authenticate with is higher than the maxi‐
472 mum allowed for this user. Please try again with a lower privilege. It
473 may also be possible the maximum privilege level allowed for a user is
474 not configured properly on the remote BMC.
475 "authentication type unavailable for attempted privilege level" - The
477 authentication type you wish to authenticate with is not available for
478 this privilege level. Please try again with an alternate authentication
479 type or alternate privilege level. It may also be possible the avail‐
480 able authentication types you can authenticate with are not correctly
481 configured on the remote BMC.
482 "cipher suite id unavailable" - The cipher suite id you wish to authen‐
484 ticate with is not available on the remote BMC. Please try again with
485 an alternate cipher suite id. It may also be possible the available
486 cipher suite ids are not correctly configured on the remote BMC.
487 "ipmi 2.0 unavailable" - IPMI 2.0 was not discovered on the remote
489 machine. Please try to use IPMI 1.5 instead.
490 "connection timeout" - Initial IPMI communication failed. A number of
492 potential errors are possible, including an invalid hostname specified,
493 an IPMI IP address cannot be resolved, IPMI is not enabled on the
494 remote server, the network connection is bad, etc. Please verify con‐
495 figuration and connectivity.
496 "session timeout" - The IPMI session has timed out. Please reconnect.
498 If this error occurs often, you may wish to increase the retransmission
499 timeout. Some remote BMCs are considerably slower than others.
500 "device not found" - The specified device could not be found. Please
502 check configuration or inputs and try again.
503 "driver timeout" - Communication with the driver or device has timed
505 out. Please try again.
506 "message timeout" - Communication with the driver or device has timed
508 out. Please try again.
509 "BMC busy" - The BMC is currently busy. It may be processing informa‐
511 tion or have too many simultaneous sessions to manage. Please wait and
512 try again.
513 "could not find inband device" - An inband device could not be found.
515 Please check configuration or specify specific device or driver on the
516 command line.
517 "driver timeout" - The inband driver has timed out communicating to the
519 local BMC or service processor. The BMC or service processor may be
520 busy or (worst case) possibly non-functioning.
521
523 Some timestamps in the SEL may report a date of 1-Jan-1970, the epoch
524 for SEL timestamps. This timestamp is not necessarily incorrect. It
525 usually indicates a hardware event that occurred before a timestamp in
526 firmware has been initialized. For example, certain hardware components
527 will have their internal clocks reset during a power cycle.
528 However, if the internal clock of the SEL appears to be regularly
530 incorrect, you may need to set the SEL time. This can be done using
531 bmc-device(8).
532 The following are common SEL related messages.
534 "sel config file parse error" - A parse error was found in the sel
536 event interpretation configuration file. Please see freeipmi_inter‐
537 pret_sel.conf(5).
538
540 With so many different vendors implementing their own IPMI solutions,
541 different vendors may implement their IPMI protocols incorrectly. The
542 following describes a number of workarounds currently available to han‐
543 dle discovered compliance issues. When possible, workarounds have been
544 implemented so they will be transparent to the user. However, some will
545 require the user to specify a workaround be used via the -W option.
546 The hardware listed below may only indicate the hardware that a problem
548 was discovered on. Newer versions of hardware may fix the problems
549 indicated below. Similar machines from vendors may or may not exhibit
550 the same problems. Different vendors may license their firmware from
551 the same IPMI firmware developer, so it may be worthwhile to try work‐
552 arounds listed below even if your motherboard is not listed.
553 If you believe your hardware has an additional compliance issue that
555 needs a workaround to be implemented, please contact the FreeIPMI main‐
556 tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
557 assumeio - This workaround flag will assume inband interfaces communi‐
559 cate with system I/O rather than being memory-mapped. This will work
560 around systems that report invalid base addresses. Those hitting this
561 issue may see "device not supported" or "could not find inband device"
562 errors. Issue observed on HP ProLiant DL145 G1.
563 spinpoll - This workaround flag will inform some inband drivers (most
565 notably the KCS driver) to spin while polling rather than putting the
566 process to sleep. This may significantly improve the wall clock running
567 time of tools because an operating system scheduler's granularity may
568 be much larger than the time it takes to perform a single IPMI message
569 transaction. However, by spinning, your system may be performing less
570 useful work by not contexting out the tool for a more useful task.
571 authcap - This workaround flag will skip early checks for username
573 capabilities, authentication capabilities, and K_g support and allow
574 IPMI authentication to succeed. It works around multiple issues in
575 which the remote system does not properly report username capabilities,
576 authentication capabilities, or K_g status. Those hitting this issue
577 may see "username invalid", "authentication type unavailable for
578 attempted privilege level", or "k_g invalid" errors. Issue observed on
579 Asus P5M2/P5MT-R/RS162-E4/RX4, Intel SR1520ML/X38ML, and Sun Fire
580 2200/4150/4450 with ELOM.
581 idzero - This workaround flag will allow empty session IDs to be
583 accepted by the client. It works around IPMI sessions that report empty
584 session IDs to the client. Those hitting this issue may see "session
585 timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.
586 unexpectedauth - This workaround flag will allow unexpected non-null
588 authcodes to be checked as though they were expected. It works around
589 an issue when packets contain non-null authentication data when they
590 should be null due to disabled per-message authentication. Those hit‐
591 ting this issue may see "session timeout" errors. Issue observed on
592 Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.
593 forcepermsg - This workaround flag will force per-message authentica‐
595 tion to be used no matter what is advertised by the remote system. It
596 works around an issue when per-message authentication is advertised as
597 disabled on the remote system, but it is actually required for the pro‐
598 tocol. Those hitting this issue may see "session timeout" errors.
599 Issue observed on IBM eServer 325.
600 endianseq - This workaround flag will flip the endian of the session
602 sequence numbers to allow the session to continue properly. It works
603 around IPMI 1.5 session sequence numbers that are the wrong endian.
604 Those hitting this issue may see "session timeout" errors. Issue
605 observed on some Sun ILOM 1.0/2.0 (depends on service processor
606 endian).
607 noauthcodecheck - This workaround flag will tell FreeIPMI to not check
609 the authentication codes returned from IPMI 1.5 command responses. It
610 works around systems to return invalid authentication codes due to
611 hashing or implementation errors. Users are cautioned on the use of
612 this option, as it removes an authentication check verifying the valid‐
613 ity of a packet. However, in most organizations, this is unlikely to be
614 a security issue. Those hitting this issue may see "connection time‐
615 out", "session timeout", or "password verification timeout" errors.
616 Issue observed on Xyratex FB-H8-SRAY.
617 intel20 - This workaround flag will work around several Intel IPMI 2.0
619 authentication issues. The issues covered include padding of usernames,
620 and password truncation if the authentication algorithm is HMAC-
621 MD5-128. Those hitting this issue may see "username invalid", "password
622 invalid", or "k_g invalid" errors. Issue observed on Intel SE7520AF2
623 with Intel Server Management Module (Professional Edition).
624 supermicro20 - This workaround flag will work around several Supermicro
626 IPMI 2.0 authentication issues on motherboards w/ Peppercon IPMI
627 firmware. The issues covered include handling invalid length authenti‐
628 cation codes. Those hitting this issue may see "password invalid"
629 errors. Issue observed on Supermicro H8QME with SIMSO daughter card.
630 Confirmed fixed on newerver firmware.
631 sun20 - This workaround flag will work work around several Sun IPMI 2.0
633 authentication issues. The issues covered include invalid lengthed hash
634 keys, improperly hashed keys, and invalid cipher suite records. Those
635 hitting this issue may see "password invalid" or "bmc error" errors.
636 Issue observed on Sun Fire 4100/4200/4500 with ILOM. This workaround
637 automatically includes the "opensesspriv" workaround.
638 opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
640 2.0 connection protocol to workaround an invalid hashing algorithm used
641 by the remote system. The privilege level sent during the Open Session
642 stage of an IPMI 2.0 connection is used for hashing keys instead of the
643 privilege level sent during the RAKP1 connection stage. Those hitting
644 this issue may see "password invalid", "k_g invalid", or "bad rmcpplus
645 status code" errors. Issue observed on Sun Fire 4100/4200/4500 with
646 ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
647 Intel S5500WBV/Penguin Relion 700, Intel S2600JF/Appro 512X, and Quanta
648 QSSC-S4R//Appro GB812X-CN. This workaround is automatically triggered
649 with the "sun20" workaround.
650 integritycheckvalue - This workaround flag will work around an invalid
652 integrity check value during an IPMI 2.0 session establishment when
653 using Cipher Suite ID 0. The integrity check value should be 0 length,
654 however the remote motherboard responds with a non-empty field. Those
655 hitting this issue may see "k_g invalid" errors. Issue observed on
656 Supermicro X8DTG, Supermicro X8DTU, and Intel S5500WBV/Penguin Relion
657 700, and Intel S2600JF/Appro 512X.
658 assumesystemevent - This workaround option will assume invalid SEL
660 record types are system event records. Records may be formatted cor‐
661 rectly but report invalid record types. Those hitting this issue may
662 see "Unknown SEL Record Type" errors. Output may be unknown, pray for
663 the best. This option is confirmed to work around compliances issues on
664 HP DL 380 G5 motherboards.
665 No IPMI 1.5 Support - Some motherboards that support IPMI 2.0 have been
667 found to not support IPMI 1.5. Those hitting this issue may see "ipmi
668 2.0 unavailable" or "connection timeout" errors. This issue can be
669 worked around by using IPMI 2.0 instead of IPMI 1.5 by specifying
670 --driver-address=LAN_2_0. Issue observed on HP Proliant DL 145.
671
673 The following motherboards are confirmed to have atleast some support
674 by the --interpret-oem-data option. While highly probable the OEM data
675 interpretations would work across other motherboards by the same manu‐
676 facturer, there are no guarantees. Some of the motherboards below may
677 be rebranded by vendors/distributors.
678 Dell Poweredge 2900, Dell Poweredge 2950, Dell Poweredge R610, Dell
680 Poweredge R710, Fujitsu iRMC S1 and iRMC S2 systems, Intel S5500WB/Pen‐
681 guin Computing Relion 700, Intel S2600JF/Appro 512X, Intel S5000PAL,
682 Inventec 5441/Dell Xanadu II, Inventec 5442/Dell Xanadu III, Quanta
683 S99Q/Dell FS12-TY, Quanta QSSC-S4R/Approp GB812X-CN, Sun X4140 Supermi‐
684 cro X7DBR-3, Supermicro X7DB8, Supermicro X8DTN, Supermicro X7SBI-LN4,
685 Supermicro X8DTH, Supermicro X8DTG, Supermicro X8DTU, Supermicro
686 X8DT3-LN4F, Supermicro X8DTU-6+, Supermicro X8DTL, Supermicro X8DTL-3F,
687 Supermicro X8SIL-F, Supermicro X9SCL, Supermicro X9SCM, Supermicro
688 X8DTN+-F, Supermicro X8SIE, Supermicro X9SCA-F-O, Supermicro H8DGU-F,
689 Supermicro X9DRi-F.
690
692 On older operating systems, if you input your username, password, and
693 other potentially security relevant information on the command line,
694 this information may be discovered by other users when using tools like
695 the ps(1) command or looking in the /proc file system. It is generally
696 more secure to input password information with options like the -P or
697 -K options. Configuring security relevant information in the FreeIPMI
698 configuration file would also be an appropriate way to hide this infor‐
699 mation.
700 In order to prevent brute force attacks, some BMCs will temporarily
702 "lock up" after a number of remote authentication errors. You may need
703 to wait awhile in order to this temporary "lock up" to pass before you
704 may authenticate again.
705
707 /etc//ipmiseld.conf /var/cache/ipmiseld/
708
710 Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
711
713 Copyright (C) 2012 Lawrence Livermore National Security, LLC.
714 This program is free software; you can redistribute it and/or modify it
716 under the terms of the GNU General Public License as published by the
717 Free Software Foundation; either version 3 of the License, or (at your
718 option) any later version.
719
721 freeipmi(7), ipmi-sel(8), ipmiseld.conf(5), bmc-config(8), bmc-
722 device(8), freeipmi_interpret_sel.conf(5)
723 http://www.gnu.org/software/freeipmi/
725ipmiseld 1.2.1 2017-03-22 ipmiseld(8)