Using The Event Log To Find Intrusion Alerts - HP ProCurve series 2500 Management And Configuration Manual


Using Passwords, Port Security, and Authorized IP Managers To Protect Against Unauthorized Access
Configuring and Monitoring Port Security
20 intrusion records, and deletes intrusion records only when the log becomes full and new intrusions are subsequently added.) The "prior to" text in the record for the third intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.
To clear the intrusion from port 1 and enable the switch to enter any subsequent intrusion for port 1 in the Intrusion Log, execute the port-security 1 clear-intrusion-flag command. If you then re-display the port status screen, you will see that the Intrusion Alert entry for port 1 has changed to "No". That is, your evidence that the Intrusion Alert flag has been reset is the Intrusion Alert column in the port status display no longer shows "Yes" for the port on which the intrusion occurred (port 1 in this example). (Executing show intrusion-log again will result in the same display as above.)
HP2512(config)# port-security 1 clear-intrusion-flag
HP2512(config)# show interface
(Figure callout: Intrusion Alert on port 1 is now cleared.)
Figure 7-11. Example of Port Status Screen After Alert Flags Reset

Using the Event Log To Find Intrusion Alerts

The Event Log lists port security intrusions as:
W MM/DD/YY HH:MM:SS FFI: port 3 — Security Violation
where "W" is the severity level of the log entry and FFI is the system module that generated the entry. For further information, view the Intrusion Log.
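The entry layout described above can be filtered mechanically once Event Log text has been copied off the switch. The following Python sketch is an added example, not part of the HP manual; the function names and the sample lines are constructed for illustration, and accepting a plain hyphen in place of the dash is an assumption about exported text.

```python
import re
from collections import Counter
from datetime import datetime

# Layout from the manual: severity letter, MM/DD/YY, HH:MM:SS, module name, message.
ENTRY = re.compile(
    r"^(?P<sev>[A-Z])\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<module>\w+):\s+(?P<msg>.*)$"
)
# Message form "port N <dash> Security Violation"; a hyphen is also accepted (assumption).
VIOLATION = re.compile(
    r"^port\s+(?P<port>\S+)\s+[\u2014\u2013-]+\s+Security Violation\s*$", re.I
)

def parse_violations(lines):
    """Return one record per well-formed FFI port security violation entry."""
    records = []
    for line in lines:
        entry = ENTRY.match(line.strip())
        if not entry or entry["module"].upper() != "FFI":
            continue  # not an Event Log entry from the FFI module
        hit = VIOLATION.match(entry["msg"])
        if not hit:
            continue  # FFI entry, but not a security violation
        try:
            when = datetime.strptime(" ".join(entry["ts"].split()), "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # impossible date or time: treat the line as corrupt
        records.append({"severity": entry["sev"], "time": when, "port": hit["port"]})
    return records

def violations_per_port(lines):
    """Count violations per port, to show which ports alert repeatedly."""
    return Counter(r["port"] for r in parse_violations(lines))

# Constructed sample lines (not captured from a real switch).
SAMPLE_LOG = [
    "I 01/05/01 09:14:02 ports: port 3 is now on-line",
    "W 01/05/01 09:15:37 FFI: port 3 \u2014 Security Violation",
    "W 01/05/01 09:20:11 FFI: port 1 - Security Violation",
    "W 01/05/01 09:41:50 FFI: port 3 \u2014 Security Violation",
    "W 13/45/01 09:41:50 FFI: port 2 \u2014 Security Violation",
    "truncated line with no timestamp",
]

if __name__ == "__main__":
    for port, count in violations_per_port(SAMPLE_LOG).most_common():
        print(f"port {port}: {count} violation(s)")
```
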
From the CLI. Type the log command from the Manager or Configuration level.
Syntax:
log <search-text>
For <search-text>, you can use ffi, security, or violation. For example: