1ipmiseld(8) ipmiseld ipmiseld(8)
2
6 ipmiseld - IPMI SEL logging daemon
7
9 ipmiseld [OPTION...]
10
12 The ipmiseld daemon polls the system event log (SEL) of specified hosts
13 and stores the logs into the local syslog. By default, the daemon can
14 also make best efforts to manage the remote SEL's buffer to ensure
15 events are never lost. Recent logging data will be cached to disk to
16 ensure that SEL events are not missed in the event the client or server
17 is rebooted.
18 Many of the options for this daemon are very similar to the ipmi-sel(8)
20 tool. It can be configured to log the local host, a remote host, or a
21 range of hosts to the local syslog. It can be configured via the com‐
22 mand line arguments listed below or via the
23 /etc/freeipmi//ipmiseld.conf configuration file.
24 Listed below are general IPMI options, tool specific options, trouble
26 shooting information, workaround information, examples, and known
27 issues. For a general introduction to FreeIPMI please see freeipmi(7).
28
30 The following options are general options for configuring IPMI communi‐
31 cation and executing general tool commands.
32 -D IPMIDRIVER, --driver-type=IPMIDRIVER
34 Specify the driver type to use instead of doing an auto selec‐
35 tion. The currently available outofband drivers are LAN and
36 LAN_2_0, which perform IPMI 1.5 and IPMI 2.0 respectively. The
37 currently available inband drivers are KCS, SSIF, OPENIPMI,
38 SUNBMC, and INTELDCMI.
39 --disable-auto-probe
41 Do not probe in-band IPMI devices for default settings.
42 --driver-address=DRIVER-ADDRESS
44 Specify the in-band driver address to be used instead of the
45 probed value. DRIVER-ADDRESS should be prefixed with "0x" for a
46 hex value and '0' for an octal value.
47 --driver-device=DEVICE
49 Specify the in-band driver device path to be used instead of the
50 probed path.
51 --register-spacing=REGISTER-SPACING
53 Specify the in-band driver register spacing instead of the
54 probed value. Argument is in bytes (i.e. 32bit register spacing
55 = 4)
56 --target-channel-number=CHANNEL-NUMBER
58 Specify the in-band driver target channel number to send IPMI
59 requests to.
60 --target-slave-address=SLAVE-ADDRESS
62 Specify the in-band driver target slave number to send IPMI
63 requests to.
64 -h IPMIHOST1,IPMIHOST2,..., --hostname=IPMIHOST1[:PORT],IPMI‐
66 HOST2[:PORT],...
67 Specify the remote host(s) to communicate with. Multiple host‐
68 names may be separated by comma or may be specified in a range
69 format; see HOSTRANGED SUPPORT below. An optional port can be
70 specified with each host, which may be useful in port forwarding
71 or similar situations. If specifying an IPv6 address and port,
72 use the format [ADDRESS]:PORT.
73 -u USERNAME, --username=USERNAME
75 Specify the username to use when authenticating with the remote
76 host. If not specified, a null (i.e. anonymous) username is
77 assumed. The user must have atleast USER privileges in order for
78 this tool to operate fully.
79 -p PASSWORD, --password=PASSWORD
81 Specify the password to use when authenticationg with the remote
82 host. If not specified, a null password is assumed. Maximum
83 password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
84 -P, --password-prompt
86 Prompt for password to avoid possibility of listing it in
87 process lists.
88 -k K_G, --k-g=K_G
90 Specify the K_g BMC key to use when authenticating with the
91 remote host for IPMI 2.0. If not specified, a null key is
92 assumed. To input the key in hexadecimal form, prefix the string
93 with '0x'. E.g., the key 'abc' can be entered with the either
94 the string 'abc' or the string '0x616263'
95 -K, --k-g-prompt
97 Prompt for k-g to avoid possibility of listing it in process
98 lists.
99 --session-timeout=MILLISECONDS
101 Specify the session timeout in milliseconds. Defaults to 20000
102 milliseconds (20 seconds) if not specified.
103 --retransmission-timeout=MILLISECONDS
105 Specify the packet retransmission timeout in milliseconds.
106 Defaults to 1000 milliseconds (1 second) if not specified. The
107 retransmission timeout cannot be larger than the session time‐
108 out.
109 -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
111 Specify the IPMI 1.5 authentication type to use. The currently
112 available authentication types are NONE, STRAIGHT_PASSWORD_KEY,
113 MD2, and MD5. Defaults to MD5 if not specified.
114 -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
116 Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
117 identifies a set of authentication, integrity, and confidential‐
118 ity algorithms to use for IPMI 2.0 communication. The authenti‐
119 cation algorithm identifies the algorithm to use for session
120 setup, the integrity algorithm identifies the algorithm to use
121 for session packet signatures, and the confidentiality algorithm
122 identifies the algorithm to use for payload encryption. Defaults
123 to cipher suite ID 3 if not specified. The following cipher
124 suite ids are currently supported:
125 0 - Authentication Algorithm = None; Integrity Algorithm = None;
127 Confidentiality Algorithm = None
128 1 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
130 None; Confidentiality Algorithm = None
131 2 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
133 HMAC-SHA1-96; Confidentiality Algorithm = None
134 3 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
136 HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
137 6 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
139 None; Confidentiality Algorithm = None
140 7 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
142 HMAC-MD5-128; Confidentiality Algorithm = None
143 8 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
145 HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
146 11 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
148 MD5-128; Confidentiality Algorithm = None
149 12 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
151 MD5-128; Confidentiality Algorithm = AES-CBC-128
152 15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
154 = None; Confidentiality Algorithm = None
155 16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
157 = HMAC_SHA256_128; Confidentiality Algorithm = None
158 17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
160 = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
161 -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
163 Specify the privilege level to be used. The currently available
164 privilege levels are USER, OPERATOR, and ADMIN. Defaults to
165 OPERATOR if not specified.
166 --config-file=FILE
168 Specify an alternate configuration file.
169 -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
171 Specify workarounds to vendor compliance issues. Multiple work‐
172 arounds can be specified separated by commas. A special command
173 line flag of "none", will indicate no workarounds (may be useful
174 for overriding configured defaults). See WORKAROUNDS below for a
175 list of available workarounds.
176 --debug
178 Turn on debugging.
179 -?, --help
181 Output a help list and exit.
182 --usage
184 Output a usage message and exit.
185 -V, --version
187 Output the program version and exit.
188
190 The following options are specific to ipmiseld.
191 -v Log verbose information. This option will log additional infor‐
193 mation. Most notably it will output additional hex codes to
194 given information on ambiguous SEL entries or SEL records. For
195 example, it will output Generator ID hex codes for sensors with‐
196 out names. Additional non-critical SEL errors or issues will
197 also be logged. Somewhat common errors, such as timeouts or
198 invalid hostnames, will output with increased verbosity.
199 -t SENSOR-TYPE-LIST, --sensor-types=SENSOR-TYPE-LIST
201 Specify sensor types of SEL events to log. By default, all sen‐
202 sor types are logged. A special command line type of "all", will
203 indicate all types should be shown (may be useful for overriding
204 configured defaults). Multiple types can be separated by commas
205 or spaces. Users may specify sensor types by string (see
206 --list-sensor-types in ipmi-sel(8)) or by number (decimal or
207 hex).
208 -T SENSOR-TYPE-LIST, --exclude-sensor-types=SENSOR-TYPE-LIST
210 Specify sensor types of SEL events to not log. By default, no
211 sensor types are filtered. A special command line type of
212 "none", will indicate no types should be excluded (may be useful
213 for overriding configured defaults). Multiple types can be sepa‐
214 rated by commas or spaces. Users may specify sensor types by
215 string (see --list-sensor-types in ipmi-sel(8)) or by number
216 (decimal or hex).
217 --system-event-only
219 Log only system event records (i.e. don't log OEM records).
220 --oem-event-only
222 Log only OEM event records (i.e. don't log system event
223 records).
224 --event-state-config-file=FILE
226 Specify an alternate event state configuration file.
227 --interpret-oem-data
229 Attempt to interpret OEM data, such as event data, sensor read‐
230 ings, or general extra info, etc. If an OEM interpretation is
231 not available, the default output will be generated. Correctness
232 of OEM interpretations cannot be guaranteed due to potential
233 changes OEM vendors may make in products, firmware, etc. See OEM
234 INTERPRETATION below for confirmed supported motherboard inter‐
235 pretations.
236 --entity-sensor-names
238 Output sensor names prefixed with their entity id and instance
239 number when appropriate. This may be necessary on some mother‐
240 boards to help identify what sensors are referencing. For exam‐
241 ple, a motherboard may have multiple sensors named 'TEMP'. The
242 entity id and instance number may help clarify which sensor
243 refers to "Processor 1" vs. "Processor 2".
244 --non-abbreviated-units
246 Output non-abbreviated units (e.g. 'Amps' instead of 'A'). May
247 aid in disambiguation of units (e.g. 'C' for Celsius or
248 Coulombs).
249 --event-state-filter=FILTERSTRING
251 Specify event states to be filtered out and not logged. Possible
252 inputs are NOMINAL, WARNING, CRITICAL, and NA. Multiple states
253 can be listed separated by comma. The special case string of
254 "none" will indicate no event states should be excluded (may be
255 useful for overriding configured defaults).
256 --warning-threshold=PERCENTINT
258 Specify SEL fullness warning threshold as an integer percentage.
259 When the SEL is past this percentage full, a warning will be
260 output indicating that SEL is nearly full. Specify 0 to disable
261 warning logs. Defaults to 80.
262 --clear-threshold=PERCENTINT
264 Specify SEL fullness clear threshold as an integer percentage.
265 When the SEL is past this percentage full, ipmiseld will attempt
266 to clear the SEL. Specify 0 to disable clearing. When the SEL is
267 full, it will be the responsibility of the user to clear the SEL
268 manually if clearing is disabled. Defaults to 0. If specified to
269 a non-zero value, be careful that the clearing of the SEL could
270 affect other applications that monitor the SEL, such as monitor‐
271 ing applications that use ipmi-sel(8) or libipmimonitoring(3).
272 --system-event-format=FORMATSTRING
274 Specify the format of the log output when a SEL system event is
275 encountered. Defaults to "SEL System Event: %d, %t, %s, %I, %E"
276 if logging locally, "SEL System Event(%h): %d, %t, %s, %I, %E"
277 if logging outofband or with hostranges. See SEL LOG FORMAT
278 STRING below for formatting details.
279 --oem-timestamped-event-format=FORMATSTRING
281 Specify the format of the log output when a SEL OEM timestamped
282 event is encountered. Defaults to "SEL OEM Event: %d, %t, %I,
283 %o" if logging locally, "SEL OEM Event(%h): %d, %t, %I, %o" if
284 logging outofband or with hostranges.. See SEL LOG FORMAT STRING
285 below for formatting details.
286 --oem-non-timestamped-event-format=FORMATSTRING
288 Specify the format of the log output when a SEL OEM non-times‐
289 tamped event is encountered. Defaults to "SEL OEM Event: %I, %o"
290 if logging locally, "SEL OEM Event(%h): %I, %o" if logging out‐
291 ofband or with hostranges.. See SEL LOG FORMAT STRING below for
292 formatting details.
293 --poll-interval=SECONDS
295 Specify the poll interval to check the SEL for new events.
296 Defaults to 300 seconds (i.e. 5 minutes).
297 --log-facility=STRING
299 Specify the log facility to use. Defaults to LOG_DAEMON. Legal
300 inputs are LOG_DAEMON, LOG_USER, LOG_LOCAL0, LOG_LOCAL1,
301 LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6,
302 LOG_LOCAL7.
303 --log-priority=STRING
305 Specify the log priority to use. Defaults to LOG_ERR. Legal
306 inputs are LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING,
307 LOG_NOTICE, LOG_INFO, LOG_DEBUG.
308 --cache-directory=DIRECTORY
310 Specify an alternate cache directory location for ipmiseld to
311 use. The cache directory will be used to cache a wide variety of
312 data, including the SDR and recent logging information to ensure
313 log entries are not missed on reboots and other system failures.
314 --ignore-sdr
316 Ignore SDR related processing. May lead to incomplete or less
317 useful information being output, however it will allow function‐
318 ality for systems without SDRs or when the correct SDR cannot be
319 loaded.
320 --re-download-sdr
322 Re-download the SDR on start even if it is not out of date. This
323 may help work around systems that do not properly timestamp SDR
324 modification times.
325 --clear-sel
327 On startup, clear any SEL being monitored. May be useful the
328 first time running ipmiseld to avoid warning messages or SEL
329 clears until a long time in the future.
330 --threadpool-count=NUM
332 Specify the number of threads for parallel SEL polling. This
333 option is very similar to the --fanout option in ipmi-sel(8) but
334 the threads are created only once on initialization for faster
335 processing. Defaults to 8, however the threadpool count will
336 always be decreased if the number of nodes specified is less
337 than the number of threads.
338 --test-run
340 Do not daemonize, output the current SEL of configured hosts as
341 a test of current settings and configuration. SEL entries will
342 be output to stdout instead of syslog.
343 --foreground
345 Run daemon in the foreground. SEL entries will be output to std‐
346 out instead of syslog.
347
349 The output format of log messages can be adjusted via the --sys‐
350 tem-event-format, --oem-timestamped-event-format and --oem-non-times‐
351 tamped-event-format options. Options such as --interpret-oem-data,
352 --entity-sensor-names, and --non-abbreviated-units can further adjust
353 the output format. The following conversion directives will allow the
354 user to output specifics of each SEL event that occurs.
355 For System, OEM timestamped, and OEM non-timestamped events
357 %h - target host, useful if logging from multiple hosts
359 %i - record ID in decimal
361 %I - event state interpretation (NOMINAL, WARNING, or CRITICAL)
363 For System and OEM timestamped events
365 %t - time in format H:M:S using 24 hour clock
367 %d - date in format D-M-YEAR
369 For System events
371 %T - sensor type
373 %s - sensor name
375 %e - event data 1 string
377 %f - event data 2 string [2]
379 %h - event data 3 string
381 %c - combined event data 2 and event data 3 string
383 %p - event data 2 previous state string
385 %S - event data 2 severity string
387 %E - combined event data 1, 2, and 3 string
389 %k - event direction
391 For OEM timestamped events
393 %m - manufacturer id
395 For OEM timestamped and OEM non-timestamped events
397 %o - oem data in hex
399 %O - OEM supplied string describing the event (depends on manufacturer)
401
403 Multiple hosts can be input either as an explicit comma separated lists
404 of hosts or a range of hostnames in the general form: prefix[n-m,l-
405 k,...], where n < m and l < k, etc. The later form should not be con‐
406 fused with regular expression character classes (also denoted by []).
407 For example, foo[19] does not represent foo1 or foo9, but rather repre‐
408 sents a degenerate range: foo19.
409 This range syntax is meant only as a convenience on clusters with a
411 prefixNN naming convention and specification of ranges should not be
412 considered necessary -- the list foo1,foo9 could be specified as such,
413 or by the range foo[1,9].
414 Some examples of range usage follow:
416 foo[01-05] instead of foo01,foo02,foo03,foo04,foo05
417 foo[7,9-10] instead of foo7,foo9,foo10
418 foo[0-3] instead of foo0,foo1,foo2,foo3
419 As a reminder to the reader, some shells will interpret brackets ([ and
421 ]) for pattern matching. Depending on your shell, it may be necessary
422 to enclose ranged lists within quotes.
423 In-band IPMI Communication will be used when the host "localhost" is
425 specified. This allows the user to add the localhost into the hos‐
426 tranged output.
427
429 Most often, IPMI problems are due to configuration problems.
430 IPMI over LAN problems involve a misconfiguration of the remote
432 machine's BMC. Double check to make sure the following are configured
433 properly in the remote machine's BMC: IP address, MAC address, subnet
434 mask, username, user enablement, user privilege, password, LAN privi‐
435 lege, LAN enablement, and allowed authentication type(s). For IPMI 2.0
436 connections, double check to make sure the cipher suite privilege(s)
437 and K_g key are configured properly. The ipmi-config(8) tool can be
438 used to check and/or change these configuration settings.
439 Inband IPMI problems are typically caused by improperly configured
441 drivers or non-standard BMCs.
442 In addition to the troubleshooting tips below, please see WORKAROUNDS
444 below to also if there are any vendor specific bugs that have been dis‐
445 covered and worked around.
446 Listed below are many of the common issues for error messages. For
448 additional support, please e-mail the <freeipmi-users@gnu.org> mailing
449 list.
450 "username invalid" - The username entered (or a NULL username if none
452 was entered) is not available on the remote machine. It may also be
453 possible the remote BMC's username configuration is incorrect.
454 "password invalid" - The password entered (or a NULL password if none
456 was entered) is not correct. It may also be possible the password for
457 the user is not correctly configured on the remote BMC.
458 "password verification timeout" - Password verification has timed out.
460 A "password invalid" error (described above) or a generic "session
461 timeout" (described below) occurred. During this point in the protocol
462 it cannot be differentiated which occurred.
463 "k_g invalid" - The K_g key entered (or a NULL K_g key if none was
465 entered) is not correct. It may also be possible the K_g key is not
466 correctly configured on the remote BMC.
467 "privilege level insufficient" - An IPMI command requires a higher user
469 privilege than the one authenticated with. Please try to authenticate
470 with a higher privilege. This may require authenticating to a different
471 user which has a higher maximum privilege.
472 "privilege level cannot be obtained for this user" - The privilege
474 level you are attempting to authenticate with is higher than the maxi‐
475 mum allowed for this user. Please try again with a lower privilege. It
476 may also be possible the maximum privilege level allowed for a user is
477 not configured properly on the remote BMC.
478 "authentication type unavailable for attempted privilege level" - The
480 authentication type you wish to authenticate with is not available for
481 this privilege level. Please try again with an alternate authentication
482 type or alternate privilege level. It may also be possible the avail‐
483 able authentication types you can authenticate with are not correctly
484 configured on the remote BMC.
485 "cipher suite id unavailable" - The cipher suite id you wish to authen‐
487 ticate with is not available on the remote BMC. Please try again with
488 an alternate cipher suite id. It may also be possible the available
489 cipher suite ids are not correctly configured on the remote BMC.
490 "ipmi 2.0 unavailable" - IPMI 2.0 was not discovered on the remote
492 machine. Please try to use IPMI 1.5 instead.
493 "connection timeout" - Initial IPMI communication failed. A number of
495 potential errors are possible, including an invalid hostname specified,
496 an IPMI IP address cannot be resolved, IPMI is not enabled on the
497 remote server, the network connection is bad, etc. Please verify con‐
498 figuration and connectivity.
499 "session timeout" - The IPMI session has timed out. Please reconnect.
501 If this error occurs often, you may wish to increase the retransmission
502 timeout. Some remote BMCs are considerably slower than others.
503 "device not found" - The specified device could not be found. Please
505 check configuration or inputs and try again.
506 "driver timeout" - Communication with the driver or device has timed
508 out. Please try again.
509 "message timeout" - Communication with the driver or device has timed
511 out. Please try again.
512 "BMC busy" - The BMC is currently busy. It may be processing informa‐
514 tion or have too many simultaneous sessions to manage. Please wait and
515 try again.
516 "could not find inband device" - An inband device could not be found.
518 Please check configuration or specify specific device or driver on the
519 command line.
520 "driver timeout" - The inband driver has timed out communicating to the
522 local BMC or service processor. The BMC or service processor may be
523 busy or (worst case) possibly non-functioning.
524 "internal IPMI error" - An IPMI error has occurred that FreeIPMI does
526 not know how to handle. Please e-mail <freeipmi-users@gnu.org> to
527 report the issue.
528
530 Some timestamps in the SEL may report a date of 1-Jan-1970, the epoch
531 for SEL timestamps. This timestamp is not necessarily incorrect. It
532 usually indicates a hardware event that occurred before a timestamp in
533 firmware has been initialized. For example, certain hardware components
534 will have their internal clocks reset during a power cycle.
535 However, if the internal clock of the SEL appears to be regularly
537 incorrect, you may need to set the SEL time. This can be done using
538 bmc-device(8).
539 The following are common SEL related messages.
541 "sel config file parse error" - A parse error was found in the sel
543 event interpretation configuration file. Please see freeipmi_inter‐
544 pret_sel.conf(5).
545
547 With so many different vendors implementing their own IPMI solutions,
548 different vendors may implement their IPMI protocols incorrectly. The
549 following describes a number of workarounds currently available to han‐
550 dle discovered compliance issues. When possible, workarounds have been
551 implemented so they will be transparent to the user. However, some will
552 require the user to specify a workaround be used via the -W option.
553 The hardware listed below may only indicate the hardware that a problem
555 was discovered on. Newer versions of hardware may fix the problems
556 indicated below. Similar machines from vendors may or may not exhibit
557 the same problems. Different vendors may license their firmware from
558 the same IPMI firmware developer, so it may be worthwhile to try work‐
559 arounds listed below even if your motherboard is not listed.
560 If you believe your hardware has an additional compliance issue that
562 needs a workaround to be implemented, please contact the FreeIPMI main‐
563 tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
564 assumeio - This workaround flag will assume inband interfaces communi‐
566 cate with system I/O rather than being memory-mapped. This will work
567 around systems that report invalid base addresses. Those hitting this
568 issue may see "device not supported" or "could not find inband device"
569 errors. Issue observed on HP ProLiant DL145 G1.
570 spinpoll - This workaround flag will inform some inband drivers (most
572 notably the KCS driver) to spin while polling rather than putting the
573 process to sleep. This may significantly improve the wall clock running
574 time of tools because an operating system scheduler's granularity may
575 be much larger than the time it takes to perform a single IPMI message
576 transaction. However, by spinning, your system may be performing less
577 useful work by not contexting out the tool for a more useful task.
578 authcap - This workaround flag will skip early checks for username
580 capabilities, authentication capabilities, and K_g support and allow
581 IPMI authentication to succeed. It works around multiple issues in
582 which the remote system does not properly report username capabilities,
583 authentication capabilities, or K_g status. Those hitting this issue
584 may see "username invalid", "authentication type unavailable for
585 attempted privilege level", or "k_g invalid" errors. Issue observed on
586 Asus P5M2/P5MT-R/RS162-E4/RX4, Intel SR1520ML/X38ML, and Sun Fire
587 2200/4150/4450 with ELOM.
588 nochecksumcheck - This workaround flag will tell FreeIPMI to not check
590 the checksums returned from IPMI command responses. It works around
591 systems that return invalid checksums due to implementation errors, but
592 the packet is otherwise valid. Users are cautioned on the use of this
593 option, as it removes validation of packet integrity in a number of
594 circumstances. However, it is unlikely to be an issue in most situa‐
595 tions. Those hitting this issue may see "connection timeout", "session
596 timeout", or "password verification timeout" errors. On IPMI 1.5 con‐
597 nections, the "noauthcodecheck" workaround may also needed too. Issue
598 observed on Supermicro X9SCM-iiF, Supermicro X9DRi-F, and Supermicro
599 X9DRFR.
600 idzero - This workaround flag will allow empty session IDs to be
602 accepted by the client. It works around IPMI sessions that report empty
603 session IDs to the client. Those hitting this issue may see "session
604 timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.
605 unexpectedauth - This workaround flag will allow unexpected non-null
607 authcodes to be checked as though they were expected. It works around
608 an issue when packets contain non-null authentication data when they
609 should be null due to disabled per-message authentication. Those hit‐
610 ting this issue may see "session timeout" errors. Issue observed on
611 Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.
612 forcepermsg - This workaround flag will force per-message authentica‐
614 tion to be used no matter what is advertised by the remote system. It
615 works around an issue when per-message authentication is advertised as
616 disabled on the remote system, but it is actually required for the pro‐
617 tocol. Those hitting this issue may see "session timeout" errors.
618 Issue observed on IBM eServer 325.
619 endianseq - This workaround flag will flip the endian of the session
621 sequence numbers to allow the session to continue properly. It works
622 around IPMI 1.5 session sequence numbers that are the wrong endian.
623 Those hitting this issue may see "session timeout" errors. Issue
624 observed on some Sun ILOM 1.0/2.0 (depends on service processor
625 endian).
626 noauthcodecheck - This workaround flag will tell FreeIPMI to not check
628 the authentication codes returned from IPMI 1.5 command responses. It
629 works around systems that return invalid authentication codes due to
630 hashing or implementation errors. Users are cautioned on the use of
631 this option, as it removes an authentication check verifying the valid‐
632 ity of a packet. However, in most organizations, this is unlikely to be
633 a security issue. Those hitting this issue may see "connection time‐
634 out", "session timeout", or "password verification timeout" errors.
635 Issue observed on Xyratex FB-H8-SRAY, Intel Windmill, Quanta Winter‐
636 fell, and Wiwynn Windmill.
637 intel20 - This workaround flag will work around several Intel IPMI 2.0
639 authentication issues. The issues covered include padding of usernames,
640 and password truncation if the authentication algorithm is HMAC-
641 MD5-128. Those hitting this issue may see "username invalid", "password
642 invalid", or "k_g invalid" errors. Issue observed on Intel SE7520AF2
643 with Intel Server Management Module (Professional Edition).
644 supermicro20 - This workaround flag will work around several Supermicro
646 IPMI 2.0 authentication issues on motherboards w/ Peppercon IPMI
647 firmware. The issues covered include handling invalid length authenti‐
648 cation codes. Those hitting this issue may see "password invalid"
649 errors. Issue observed on Supermicro H8QME with SIMSO daughter card.
650 Confirmed fixed on newerver firmware.
651 sun20 - This workaround flag will work work around several Sun IPMI 2.0
653 authentication issues. The issues covered include invalid lengthed hash
654 keys, improperly hashed keys, and invalid cipher suite records. Those
655 hitting this issue may see "password invalid" or "bmc error" errors.
656 Issue observed on Sun Fire 4100/4200/4500 with ILOM. This workaround
657 automatically includes the "opensesspriv" workaround.
658 opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
660 2.0 connection protocol to workaround an invalid hashing algorithm used
661 by the remote system. The privilege level sent during the Open Session
662 stage of an IPMI 2.0 connection is used for hashing keys instead of the
663 privilege level sent during the RAKP1 connection stage. Those hitting
664 this issue may see "password invalid", "k_g invalid", or "bad rmcpplus
665 status code" errors. Issue observed on Sun Fire 4100/4200/4500 with
666 ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
667 Intel S5500WBV/Penguin Relion 700, Intel S2600JF/Appro 512X, Quanta
668 QSSC-S4R/Appro GB812X-CN, and Dell C5220. This workaround is automati‐
669 cally triggered with the "sun20" workaround.
670 integritycheckvalue - This workaround flag will work around an invalid
672 integrity check value during an IPMI 2.0 session establishment when
673 using Cipher Suite ID 0. The integrity check value should be 0 length,
674 however the remote motherboard responds with a non-empty field. Those
675 hitting this issue may see "k_g invalid" errors. Issue observed on
676 Supermicro X8DTG, Supermicro X8DTU, and Intel S5500WBV/Penguin Relion
677 700, and Intel S2600JF/Appro 512X.
678 assumesystemevent - This workaround option will assume invalid SEL
680 record types are system event records. Records may be formatted cor‐
681 rectly but report invalid record types. Those hitting this issue may
682 see "Unknown SEL Record Type" errors. Output may be unknown, pray for
683 the best. This option is confirmed to work around compliances issues on
684 HP DL 380 G5 motherboards.
685 No IPMI 1.5 Support - Some motherboards that support IPMI 2.0 have been
687 found to not support IPMI 1.5. Those hitting this issue may see "ipmi
688 2.0 unavailable" or "connection timeout" errors. This issue can be
689 worked around by using IPMI 2.0 instead of IPMI 1.5 by specifying
690 --driver-type=LAN_2_0. Issue observed on a number of HP and Supermicro
691 motherboards.
692
694 The following motherboards are confirmed to have atleast some support
695 by the --interpret-oem-data option. While highly probable the OEM data
696 interpretations would work across other motherboards by the same manu‐
697 facturer, there are no guarantees. Some of the motherboards below may
698 be rebranded by vendors/distributors.
699 Dell Poweredge 2900, Dell Poweredge 2950, Dell Poweredge R610, Dell
701 Poweredge R710, Fujitsu iRMC S1 and iRMC S2 systems, Intel S5500WB/Pen‐
702 guin Computing Relion 700, Intel S2600JF/Appro 512X, Intel S5000PAL,
703 Inventec 5441/Dell Xanadu II, Inventec 5442/Dell Xanadu III, Quanta
704 S99Q/Dell FS12-TY, Quanta QSSC-S4R/Appro GB812X-CN, Sun X4140 Supermi‐
705 cro X7DBR-3, Supermicro X7DB8, Supermicro X8DTN, Supermicro X7SBI-LN4,
706 Supermicro X8DTH, Supermicro X8DTG, Supermicro X8DTU, Supermicro
707 X8DT3-LN4F, Supermicro X8DTU-6+, Supermicro X8DTL, Supermicro X8DTL-3F,
708 Supermicro X8SIL-F, Supermicro X9SCL, Supermicro X9SCM, Supermicro
709 X8DTN+-F, Supermicro X8SIE, Supermicro X9SCA-F-O, Supermicro H8DGU-F,
710 Supermicro X9DRi-F, Supermicro X9DRI-LN4F+, Supermicro X9SPU-F-O,
711 Supermicro X9SCM-iiF, Wistron/Dell Poweredge C6220.
712
714 On older operating systems, if you input your username, password, and
715 other potentially security relevant information on the command line,
716 this information may be discovered by other users when using tools like
717 the ps(1) command or looking in the /proc file system. It is generally
718 more secure to input password information with options like the -P or
719 -K options. Configuring security relevant information in the FreeIPMI
720 configuration file would also be an appropriate way to hide this infor‐
721 mation.
722 In order to prevent brute force attacks, some BMCs will temporarily
724 "lock up" after a number of remote authentication errors. You may need
725 to wait awhile in order to this temporary "lock up" to pass before you
726 may authenticate again.
727
729 /etc/freeipmi//ipmiseld.conf /var/cache/ipmiseld/
730
732 Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
733
735 Copyright (C) 2012-2015 Lawrence Livermore National Security, LLC.
736 This program is free software; you can redistribute it and/or modify it
738 under the terms of the GNU General Public License as published by the
739 Free Software Foundation; either version 3 of the License, or (at your
740 option) any later version.
741
743 freeipmi(7), ipmi-sel(8), ipmiseld.conf(5), bmc-device(8), ipmi-con‐
744 fig(8), freeipmi_interpret_sel.conf(5)
745 http://www.gnu.org/software/freeipmi/
747ipmiseld 1.6.7 2021-02-12 ipmiseld(8)