Using the event log to find intrusion alerts – SMC Networks SMC TigerStack II SMC6624M User Manual

Page 145


7-25

Using Passwords, Port Security, and Authorized IP Managers To Protect Against Unauthorized Access

Configuring and Monitoring Port Security


full and new intrusions are subsequently added.) The “prior to” text in the
record for the third intrusion means that a switch reset occurred at the
indicated time and that the intrusion occurred prior to the reset.

To clear the intrusion from port 1 and enable the switch to enter any subsequent intrusion for port 1 in the Intrusion Log, execute the port-security 1 clear-intrusion-flag command. If you then re-display the port status screen, you will see that the Intrusion Alert entry for port 1 has changed to “No”. That is, your evidence that the Intrusion Alert flag has been reset is that the Intrusion Alert column in the port status display no longer shows “Yes” for the port on which the intrusion occurred (port 1 in this example). (Executing show intrusion-log again will result in the same display as above.)

SMC TigerSwitch 10/100(config)# port-security 1 clear-intrusion-flag
SMC TigerSwitch 10/100(config)# show interface

Figure 7-11. Example of Port Status Screen After Alert Flags Reset

Using the Event Log To Find Intrusion Alerts

The Event Log lists port security intrusions as:

W MM/DD/YY HH:MM:SS FFI: port 3 — Security Violation

where “W” is the severity level of the log entry and FFI is the system module
that generated the entry. For further information, view the Intrusion Log.

From the CLI. Type the log command from the Manager or Configuration level.

Syntax: log <search-text>

For <search-text>, you can use ffi, security, or violation. For example:

[Figure 7-11 callout: Intrusion Alert on port 1 is now cleared.]
