Provided by: freeipmi-ipmiseld_1.6.9-2ubuntu0.22.04.2_amd64 bug

NAME

       ipmiseld - IPMI SEL logging daemon

SYNOPSIS

       ipmiseld [OPTION...]

DESCRIPTION

       The  ipmiseld  daemon  polls  the system event log (SEL) of specified hosts and stores the
       logs into the local syslog. By default, the daemon can also make best  efforts  to  manage
       the  remote  SEL's  buffer  to  ensure  events are never lost. Recent logging data will be
       cached to disk to ensure that SEL events are not missed in the event the client or  server
       is rebooted.

       Many  of  the  options for this daemon are very similar to the ipmi-sel(8) tool. It can be
       configured to log the local host, a remote host, or a range of hosts to the local  syslog.
       It   can   be  configured  via  the  command  line  arguments  listed  below  or  via  the
       /etc/freeipmi//ipmiseld.conf configuration file.

       Listed  below  are  general  IPMI  options,  tool  specific  options,   trouble   shooting
       information,   workaround   information,   examples,  and  known  issues.  For  a  general
       introduction to FreeIPMI please see freeipmi(7).

GENERAL OPTIONS

       The following options are general options for configuring IPMI communication and executing
       general tool commands.

       -D IPMIDRIVER, --driver-type=IPMIDRIVER
              Specify  the  driver type to use instead of doing an auto selection.  The currently
              available outofband drivers are LAN and LAN_2_0, which perform IPMI  1.5  and  IPMI
              2.0  respectively.  The currently available inband drivers are KCS, SSIF, OPENIPMI,
              SUNBMC, and INTELDCMI.

       --disable-auto-probe
              Do not probe in-band IPMI devices for default settings.

       --driver-address=DRIVER-ADDRESS
              Specify the in-band driver address to be used instead of the probed value.  DRIVER-
              ADDRESS should be prefixed with "0x" for a hex value and '0' for an octal value.

       --driver-device=DEVICE
              Specify the in-band driver device path to be used instead of the probed path.

       --register-spacing=REGISTER-SPACING
              Specify  the  in-band driver register spacing instead of the probed value. Argument
              is in bytes (i.e. 32bit register spacing = 4)

       --target-channel-number=CHANNEL-NUMBER
              Specify the in-band driver target channel number to send IPMI requests to.

       --target-slave-address=SLAVE-ADDRESS
              Specify the in-band driver target slave number to send IPMI requests to.

       -h IPMIHOST1,IPMIHOST2,..., --hostname=IPMIHOST1[:PORT],IPMIHOST2[:PORT],...
              Specify the remote host(s) to communicate with. Multiple hostnames may be separated
              by  comma  or  may be specified in a range format; see HOSTRANGED SUPPORT below. An
              optional port can be specified  with  each  host,  which  may  be  useful  in  port
              forwarding  or similar situations.  If specifying an IPv6 address and port, use the
              format [ADDRESS]:PORT.

       -u USERNAME, --username=USERNAME
              Specify the username to use when authenticating  with  the  remote  host.   If  not
              specified,  a null (i.e. anonymous) username is assumed. The user must have atleast
              USER privileges in order for this tool to operate fully.

       -p PASSWORD, --password=PASSWORD
              Specify the password to use when authenticationg with  the  remote  host.   If  not
              specified,  a  null password is assumed. Maximum password length is 16 for IPMI 1.5
              and 20 for IPMI 2.0.

       -P, --password-prompt
              Prompt for password to avoid possibility of listing it in process lists.

       -k K_G, --k-g=K_G
              Specify the K_g BMC key to use when authenticating with the remote  host  for  IPMI
              2.0. If not specified, a null key is assumed. To input the key in hexadecimal form,
              prefix the string with '0x'. E.g., the key 'abc' can be entered with the either the
              string 'abc' or the string '0x616263'

       -K, --k-g-prompt
              Prompt for k-g to avoid possibility of listing it in process lists.

       --session-timeout=MILLISECONDS
              Specify  the  session  timeout  in milliseconds. Defaults to 20000 milliseconds (20
              seconds) if not specified.

       --retransmission-timeout=MILLISECONDS
              Specify the  packet  retransmission  timeout  in  milliseconds.  Defaults  to  1000
              milliseconds  (1  second)  if  not  specified. The retransmission timeout cannot be
              larger than the session timeout.

       -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
              Specify  the  IPMI  1.5  authentication  type  to  use.  The  currently   available
              authentication types are NONE, STRAIGHT_PASSWORD_KEY, MD2, and MD5. Defaults to MD5
              if not specified.

       -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
              Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID identifies  a  set
              of  authentication,  integrity,  and confidentiality algorithms to use for IPMI 2.0
              communication. The authentication algorithm identifies the  algorithm  to  use  for
              session  setup, the integrity algorithm identifies the algorithm to use for session
              packet signatures, and the confidentiality algorithm identifies  the  algorithm  to
              use  for  payload  encryption.  Defaults to cipher suite ID 3 if not specified. The
              following cipher suite ids are currently supported:

              0 - Authentication Algorithm = None; Integrity Algorithm  =  None;  Confidentiality
              Algorithm = None

              1   -   Authentication   Algorithm   =   HMAC-SHA1;  Integrity  Algorithm  =  None;
              Confidentiality Algorithm = None

              2 - Authentication Algorithm  =  HMAC-SHA1;  Integrity  Algorithm  =  HMAC-SHA1-96;
              Confidentiality Algorithm = None

              3  -  Authentication  Algorithm  =  HMAC-SHA1;  Integrity Algorithm = HMAC-SHA1-96;
              Confidentiality Algorithm = AES-CBC-128

              6  -  Authentication  Algorithm   =   HMAC-MD5;   Integrity   Algorithm   =   None;
              Confidentiality Algorithm = None

              7  -  Authentication  Algorithm  =  HMAC-MD5;  Integrity  Algorithm = HMAC-MD5-128;
              Confidentiality Algorithm = None

              8 - Authentication  Algorithm  =  HMAC-MD5;  Integrity  Algorithm  =  HMAC-MD5-128;
              Confidentiality Algorithm = AES-CBC-128

              11   -   Authentication  Algorithm  =  HMAC-MD5;  Integrity  Algorithm  =  MD5-128;
              Confidentiality Algorithm = None

              12  -  Authentication  Algorithm  =  HMAC-MD5;  Integrity  Algorithm   =   MD5-128;
              Confidentiality Algorithm = AES-CBC-128

              15   -   Authentication  Algorithm  =  HMAC-SHA256;  Integrity  Algorithm  =  None;
              Confidentiality Algorithm = None

              16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm = HMAC_SHA256_128;
              Confidentiality Algorithm = None

              17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm = HMAC_SHA256_128;
              Confidentiality Algorithm = AES-CBC-128

       -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
              Specify the privilege level to be used. The currently  available  privilege  levels
              are USER, OPERATOR, and ADMIN. Defaults to OPERATOR if not specified.

       --config-file=FILE
              Specify an alternate configuration file.

       -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
              Specify  workarounds  to  vendor  compliance  issues.  Multiple  workarounds can be
              specified separated by commas. A special command line flag of "none", will indicate
              no  workarounds (may be useful for overriding configured defaults). See WORKAROUNDS
              below for a list of available workarounds.

       --debug
              Turn on debugging.

       -?, --help
              Output a help list and exit.

       --usage
              Output a usage message and exit.

       -V, --version
              Output the program version and exit.

IPMISELD OPTIONS

       The following options are specific to ipmiseld.

       -v     Log verbose information. This option will log additional information.  Most notably
              it  will  output additional hex codes to given information on ambiguous SEL entries
              or SEL records. For example, it will output Generator  ID  hex  codes  for  sensors
              without  names.  Additional  non-critical SEL errors or issues will also be logged.
              Somewhat common errors, such as timeouts or invalid  hostnames,  will  output  with
              increased verbosity.

       -t SENSOR-TYPE-LIST, --sensor-types=SENSOR-TYPE-LIST
              Specify sensor types of SEL events to log. By default, all sensor types are logged.
              A special command line type of "all", will indicate all types should be shown  (may
              be  useful  for overriding configured defaults). Multiple types can be separated by
              commas  or   spaces.    Users   may   specify   sensor   types   by   string   (see
              --list-sensor-types in ipmi-sel(8)) or by number (decimal or hex).

       -T SENSOR-TYPE-LIST, --exclude-sensor-types=SENSOR-TYPE-LIST
              Specify  sensor  types  of  SEL  events to not log. By default, no sensor types are
              filtered. A special command line type of "none", will indicate no types  should  be
              excluded  (may be useful for overriding configured defaults). Multiple types can be
              separated by commas or spaces. Users  may  specify  sensor  types  by  string  (see
              --list-sensor-types in ipmi-sel(8)) or by number (decimal or hex).

       --system-event-only
              Log only system event records (i.e. don't log OEM records).

       --oem-event-only
              Log only OEM event records (i.e. don't log system event records).

       --event-state-config-file=FILE
              Specify an alternate event state configuration file.

       --interpret-oem-data
              Attempt  to  interpret  OEM  data,  such as event data, sensor readings, or general
              extra info, etc. If an OEM interpretation is not available, the default output will
              be  generated.  Correctness  of  OEM  interpretations  cannot  be guaranteed due to
              potential changes OEM  vendors  may  make  in  products,  firmware,  etc.  See  OEM
              INTERPRETATION below for confirmed supported motherboard interpretations.

       --entity-sensor-names
              Output  sensor  names  prefixed  with  their  entity  id  and  instance number when
              appropriate. This may be necessary on  some  motherboards  to  help  identify  what
              sensors are referencing. For example, a motherboard may have multiple sensors named
              'TEMP'. The entity id and instance number may help clarify which sensor  refers  to
              "Processor 1" vs. "Processor 2".

       --non-abbreviated-units
              Output   non-abbreviated   units   (e.g.   'Amps'  instead  of  'A').  May  aid  in
              disambiguation of units (e.g. 'C' for Celsius or Coulombs).

       --event-state-filter=FILTERSTRING
              Specify event states to be  filtered  out  and  not  logged.  Possible  inputs  are
              NOMINAL,  WARNING,  CRITICAL,  and  NA.  Multiple states can be listed separated by
              comma. The special case string of "none" will indicate no event  states  should  be
              excluded (may be useful for overriding configured defaults).

       --warning-threshold=PERCENTINT
              Specify  SEL  fullness  warning threshold as an integer percentage. When the SEL is
              past this percentage full, a warning will be output indicating that SEL  is  nearly
              full. Specify 0 to disable warning logs. Defaults to 80.

       --clear-threshold=PERCENTINT
              Specify SEL fullness clear threshold as an integer percentage. When the SEL is past
              this percentage full, ipmiseld will attempt to clear the SEL. Specify 0 to  disable
              clearing.  When the SEL is full, it will be the responsibility of the user to clear
              the SEL manually if clearing is disabled. Defaults to 0. If specified to a non-zero
              value, be careful that the clearing of the SEL could affect other applications that
              monitor  the  SEL,  such  as  monitoring  applications  that  use  ipmi-sel(8)   or
              libipmimonitoring(3).

       --system-event-format=FORMATSTRING
              Specify  the  format  of  the  log  output  when a SEL system event is encountered.
              Defaults to "SEL System Event: %d, %t, %s, %I, %E" if logging locally, "SEL  System
              Event(%h): %d, %t, %s, %I, %E" if logging outofband or with hostranges. See SEL LOG
              FORMAT STRING below for formatting details.

       --oem-timestamped-event-format=FORMATSTRING
              Specify the format  of  the  log  output  when  a  SEL  OEM  timestamped  event  is
              encountered.  Defaults  to "SEL OEM Event: %d, %t, %I, %o" if logging locally, "SEL
              OEM Event(%h): %d, %t, %I, %o" if logging outofband or with  hostranges..  See  SEL
              LOG FORMAT STRING below for formatting details.

       --oem-non-timestamped-event-format=FORMATSTRING
              Specify  the  format  of  the  log  output  when a SEL OEM non-timestamped event is
              encountered. Defaults to "SEL OEM Event: %I,  %o"  if  logging  locally,  "SEL  OEM
              Event(%h):  %I,  %o"  if  logging outofband or with hostranges.. See SEL LOG FORMAT
              STRING below for formatting details.

       --poll-interval=SECONDS
              Specify the poll interval to check the SEL for new events. Defaults to 300  seconds
              (i.e. 5 minutes).

       --log-facility=STRING
              Specify  the  log  facility  to  use.  Defaults  to  LOG_DAEMON.  Legal  inputs are
              LOG_DAEMON, LOG_USER, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2,  LOG_LOCAL3,  LOG_LOCAL4,
              LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7.

       --log-priority=STRING
              Specify  the  log priority to use. Defaults to LOG_ERR. Legal inputs are LOG_EMERG,
              LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG.

       --cache-directory=DIRECTORY
              Specify an alternate cache directory  location  for  ipmiseld  to  use.  The  cache
              directory  will  be  used  to  cache  a wide variety of data, including the SDR and
              recent logging information to ensure log entries are  not  missed  on  reboots  and
              other system failures.

       --ignore-sdr
              Ignore  SDR  related  processing. May lead to incomplete or less useful information
              being output, however it will allow functionality for systems without SDRs or  when
              the correct SDR cannot be loaded.

       --re-download-sdr
              Re-download  the  SDR  on  start  even if it is not out of date. This may help work
              around systems that do not properly timestamp SDR modification times.

       --clear-sel
              On startup, clear any SEL being monitored. May be useful  the  first  time  running
              ipmiseld to avoid warning messages or SEL clears until a long time in the future.

       --threadpool-count=NUM
              Specify the number of threads for parallel SEL polling. This option is very similar
              to the --fanout option in ipmi-sel(8) but the threads  are  created  only  once  on
              initialization  for  faster processing. Defaults to 8, however the threadpool count
              will always be decreased if the number of nodes specified is less than  the  number
              of threads.

       --test-run
              Do  not  daemonize, output the current SEL of configured hosts as a test of current
              settings and configuration. SEL entries will be output to stdout instead of syslog.

       --foreground
              Run daemon in the foreground. SEL entries will  be  output  to  stdout  instead  of
              syslog.

SEL LOG FORMAT STRING

       The  output  format  of  log  messages  can  be  adjusted  via  the --system-event-format,
       --oem-timestamped-event-format  and  --oem-non-timestamped-event-format  options.  Options
       such  as  --interpret-oem-data,  --entity-sensor-names,  and  --non-abbreviated-units  can
       further adjust the output format. The following conversion directives will allow the  user
       to output specifics of each SEL event that occurs.

       For System, OEM timestamped, and OEM non-timestamped events

       %h - target host, useful if logging from multiple hosts

       %i - record ID in decimal

       %I - event state interpretation (NOMINAL, WARNING, or CRITICAL)

       For System and OEM timestamped events

       %t - time in format H:M:S using 24 hour clock

       %d - date in format D-M-YEAR

       For System events

       %T - sensor type

       %s - sensor name

       %e - event data 1 string

       %f - event data 2 string [2]

       %h - event data 3 string

       %c - combined event data 2 and event data 3 string

       %p - event data 2 previous state string

       %S - event data 2 severity string

       %E - combined event data 1, 2, and 3 string

       %k - event direction

       For OEM timestamped events

       %m - manufacturer id

       For OEM timestamped and OEM non-timestamped events

       %o - oem data in hex

       %O - OEM supplied string describing the event (depends on manufacturer)

HOSTRANGED SUPPORT

       Multiple  hosts  can  be  input  either as an explicit comma separated lists of hosts or a
       range of hostnames in the general form: prefix[n-m,l-k,...], where n < m and l <  k,  etc.
       The  later  form  should  not  be confused with regular expression character classes (also
       denoted by []). For  example,  foo[19]  does  not  represent  foo1  or  foo9,  but  rather
       represents a degenerate range: foo19.

       This  range  syntax  is  meant  only  as  a convenience on clusters with a prefixNN naming
       convention and specification of ranges should not be  considered  necessary  --  the  list
       foo1,foo9 could be specified as such, or by the range foo[1,9].

       Some examples of range usage follow:
           foo[01-05] instead of foo01,foo02,foo03,foo04,foo05
           foo[7,9-10] instead of foo7,foo9,foo10
           foo[0-3] instead of foo0,foo1,foo2,foo3

       As  a  reminder  to  the reader, some shells will interpret brackets ([ and ]) for pattern
       matching. Depending on your shell, it may be necessary  to  enclose  ranged  lists  within
       quotes.

       In-band  IPMI  Communication  will  be  used  when the host "localhost" is specified. This
       allows the user to add the localhost into the hostranged output.

GENERAL TROUBLESHOOTING

       Most often, IPMI problems are due to configuration problems.

       IPMI over LAN problems involve a misconfiguration of the  remote  machine's  BMC.   Double
       check  to  make sure the following are configured properly in the remote machine's BMC: IP
       address, MAC address, subnet mask, username, user enablement,  user  privilege,  password,
       LAN   privilege,  LAN  enablement,  and  allowed  authentication  type(s).  For  IPMI  2.0
       connections, double check to make sure the cipher  suite  privilege(s)  and  K_g  key  are
       configured  properly.  The  ipmi-config(8)  tool  can be used to check and/or change these
       configuration settings.

       Inband IPMI problems are typically caused by improperly configured drivers or non-standard
       BMCs.

       In  addition  to  the  troubleshooting tips below, please see WORKAROUNDS below to also if
       there are any vendor specific bugs that have been discovered and worked around.

       Listed below are many of the common issues for error messages.   For  additional  support,
       please e-mail the <freeipmi-users@gnu.org> mailing list.

       "username  invalid" - The username entered (or a NULL username if none was entered) is not
       available on the remote machine. It  may  also  be  possible  the  remote  BMC's  username
       configuration is incorrect.

       "password  invalid" - The password entered (or a NULL password if none was entered) is not
       correct. It may also be possible the password for the user is not correctly configured  on
       the remote BMC.

       "password  verification  timeout"  -  Password  verification  has  timed out.  A "password
       invalid" error  (described  above)  or  a  generic  "session  timeout"  (described  below)
       occurred.  During this point in the protocol it cannot be differentiated which occurred.

       "k_g  invalid"  -  The  K_g  key  entered  (or  a NULL K_g key if none was entered) is not
       correct. It may also be possible the K_g key is not correctly  configured  on  the  remote
       BMC.

       "privilege level insufficient" - An IPMI command requires a higher user privilege than the
       one authenticated with. Please try to authenticate  with  a  higher  privilege.  This  may
       require authenticating to a different user which has a higher maximum privilege.

       "privilege  level  cannot  be  obtained  for  this  user"  -  The  privilege level you are
       attempting to authenticate with is higher than the maximum allowed for this  user.  Please
       try  again  with  a  lower  privilege. It may also be possible the maximum privilege level
       allowed for a user is not configured properly on the remote BMC.

       "authentication type unavailable for attempted privilege level" - The authentication  type
       you  wish to authenticate with is not available for this privilege level. Please try again
       with an alternate authentication type  or  alternate  privilege  level.  It  may  also  be
       possible  the  available  authentication types you can authenticate with are not correctly
       configured on the remote BMC.

       "cipher suite id unavailable" - The cipher suite id you wish to authenticate with  is  not
       available  on  the  remote BMC. Please try again with an alternate cipher suite id. It may
       also be possible the available cipher suite ids are not correctly configured on the remote
       BMC.

       "ipmi  2.0 unavailable" - IPMI 2.0 was not discovered on the remote machine. Please try to
       use IPMI 1.5 instead.

       "connection timeout" - Initial IPMI communication failed. A number of potential errors are
       possible,  including an invalid hostname specified, an IPMI IP address cannot be resolved,
       IPMI is not enabled on the remote server, the  network  connection  is  bad,  etc.  Please
       verify configuration and connectivity.

       "session  timeout"  -  The  IPMI  session  has timed out. Please reconnect.  If this error
       occurs often, you may wish to increase the retransmission timeout. Some  remote  BMCs  are
       considerably slower than others.

       "device  not  found" - The specified device could not be found. Please check configuration
       or inputs and try again.

       "driver timeout" - Communication with the driver or  device  has  timed  out.  Please  try
       again.

       "message  timeout"  -  Communication  with  the driver or device has timed out. Please try
       again.

       "BMC busy" - The BMC is currently busy. It may be processing information or have too  many
       simultaneous sessions to manage. Please wait and try again.

       "could  not  find  inband  device"  -  An  inband device could not be found.  Please check
       configuration or specify specific device or driver on the command line.

       "driver timeout" - The inband driver has timed out  communicating  to  the  local  BMC  or
       service  processor. The BMC or service processor may be busy or (worst case) possibly non-
       functioning.

       "internal IPMI error" - An IPMI error has occurred that FreeIPMI  does  not  know  how  to
       handle. Please e-mail <freeipmi-users@gnu.org> to report the issue.

IPMISELD TROUBLESHOOTING

       Some  timestamps in the SEL may report a date of 1-Jan-1970, the epoch for SEL timestamps.
       This timestamp is not necessarily incorrect. It usually indicates a  hardware  event  that
       occurred  before  a  timestamp  in  firmware  has  been  initialized. For example, certain
       hardware components will have their internal clocks reset during a power cycle.

       However, if the internal clock of the SEL appears to be regularly incorrect, you may  need
       to set the SEL time. This can be done using bmc-device(8).

       The following are common SEL related messages.

       "sel  config  file  parse error" - A parse error was found in the sel event interpretation
       configuration file. Please see freeipmi_interpret_sel.conf(5).

WORKAROUNDS

       With so many different vendors implementing their own IPMI  solutions,  different  vendors
       may  implement  their  IPMI  protocols  incorrectly.  The  following describes a number of
       workarounds currently available to handle discovered  compliance  issues.  When  possible,
       workarounds  have  been implemented so they will be transparent to the user. However, some
       will require the user to specify a workaround be used via the -W option.

       The hardware listed below may only indicate the hardware that a problem was discovered on.
       Newer  versions  of  hardware  may fix the problems indicated below. Similar machines from
       vendors may or may not exhibit the same problems.  Different  vendors  may  license  their
       firmware from the same IPMI firmware developer, so it may be worthwhile to try workarounds
       listed below even if your motherboard is not listed.

       If you believe your hardware has an additional compliance issue that needs a workaround to
       be  implemented,  please  contact  the FreeIPMI maintainers on <freeipmi-users@gnu.org> or
       <freeipmi-devel@gnu.org>.

       assumeio - This workaround flag will assume inband interfaces communicate with system  I/O
       rather  than  being  memory-mapped. This will work around systems that report invalid base
       addresses. Those hitting this issue may see "device not  supported"  or  "could  not  find
       inband device" errors.  Issue observed on HP ProLiant DL145 G1.

       spinpoll  -  This  workaround  flag  will inform some inband drivers (most notably the KCS
       driver) to spin while  polling  rather  than  putting  the  process  to  sleep.  This  may
       significantly  improve  the  wall  clock running time of tools because an operating system
       scheduler's granularity may be much larger than the time it takes to perform a single IPMI
       message  transaction. However, by spinning, your system may be performing less useful work
       by not contexting out the tool for a more useful task.

       authcap -  This  workaround  flag  will  skip  early  checks  for  username  capabilities,
       authentication  capabilities, and K_g support and allow IPMI authentication to succeed. It
       works around multiple issues in which the remote system does not properly report  username
       capabilities, authentication capabilities, or K_g status. Those hitting this issue may see
       "username invalid", "authentication type unavailable for attempted  privilege  level",  or
       "k_g   invalid"   errors.    Issue   observed   on  Asus  P5M2/P5MT-R/RS162-E4/RX4,  Intel
       SR1520ML/X38ML, and Sun Fire 2200/4150/4450 with ELOM.

       nochecksumcheck - This workaround flag will tell  FreeIPMI  to  not  check  the  checksums
       returned  from  IPMI  command  responses.  It  works  around  systems  that return invalid
       checksums due to implementation errors, but the  packet  is  otherwise  valid.  Users  are
       cautioned  on  the  use  of this option, as it removes validation of packet integrity in a
       number of circumstances. However, it is unlikely to be an issue in most situations.  Those
       hitting  this  issue  may  see  "connection  timeout",  "session  timeout",  or  "password
       verification timeout" errors. On IPMI 1.5 connections,  the  "noauthcodecheck"  workaround
       may  also  needed  too.  Issue  observed  on Supermicro X9SCM-iiF, Supermicro X9DRi-F, and
       Supermicro X9DRFR.

       idzero - This workaround flag will allow empty session IDs to be accepted by  the  client.
       It  works  around IPMI sessions that report empty session IDs to the client. Those hitting
       this issue may see "session timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.

       unexpectedauth - This workaround flag will  allow  unexpected  non-null  authcodes  to  be
       checked  as  though they were expected. It works around an issue when packets contain non-
       null  authentication  data  when  they  should  be  null  due  to   disabled   per-message
       authentication.  Those hitting this issue may see "session timeout" errors. Issue observed
       on Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.

       forcepermsg - This workaround flag will force per-message authentication  to  be  used  no
       matter  what is advertised by the remote system. It works around an issue when per-message
       authentication is advertised as disabled on the remote system, but it is actually required
       for  the  protocol.  Those  hitting  this  issue  may see "session timeout" errors.  Issue
       observed on IBM eServer 325.

       endianseq - This workaround flag will flip the endian of the session sequence  numbers  to
       allow  the session to continue properly. It works around IPMI 1.5 session sequence numbers
       that are the wrong endian.  Those hitting this issue may  see  "session  timeout"  errors.
       Issue observed on some Sun ILOM 1.0/2.0 (depends on service processor endian).

       noauthcodecheck  - This workaround flag will tell FreeIPMI to not check the authentication
       codes returned from IPMI 1.5 command  responses.  It  works  around  systems  that  return
       invalid  authentication codes due to hashing or implementation errors. Users are cautioned
       on the use of this option, as it removes an authentication check verifying the validity of
       a  packet.  However, in most organizations, this is unlikely to be a security issue. Those
       hitting  this  issue  may  see  "connection  timeout",  "session  timeout",  or  "password
       verification  timeout"  errors.   Issue  observed  on  Xyratex FB-H8-SRAY, Intel Windmill,
       Quanta Winterfell, and Wiwynn Windmill.

       intel20 - This workaround flag will work around  several  Intel  IPMI  2.0  authentication
       issues.  The  issues  covered include padding of usernames, and password truncation if the
       authentication algorithm is HMAC-MD5-128. Those  hitting  this  issue  may  see  "username
       invalid",  "password  invalid", or "k_g invalid" errors. Issue observed on Intel SE7520AF2
       with Intel Server Management Module (Professional Edition).

       supermicro20 -  This  workaround  flag  will  work  around  several  Supermicro  IPMI  2.0
       authentication  issues  on  motherboards  w/  Peppercon  IPMI firmware. The issues covered
       include handling invalid length authentication codes. Those hitting  this  issue  may  see
       "password  invalid"  errors.  Issue observed on Supermicro H8QME with SIMSO daughter card.
       Confirmed fixed on newerver firmware.

       sun20 - This workaround flag will work work around several  Sun  IPMI  2.0  authentication
       issues. The issues covered include invalid lengthed hash keys, improperly hashed keys, and
       invalid cipher suite records. Those hitting this issue may see "password invalid" or  "bmc
       error"  errors.   Issue  observed  on  Sun Fire 4100/4200/4500 with ILOM.  This workaround
       automatically includes the "opensesspriv" workaround.

       opensesspriv - This workaround flag will slightly alter  FreeIPMI's  IPMI  2.0  connection
       protocol  to  workaround  an  invalid  hashing  algorithm  used  by the remote system. The
       privilege level sent during the Open Session stage of an IPMI 2.0 connection is  used  for
       hashing  keys instead of the privilege level sent during the RAKP1 connection stage. Those
       hitting this issue may see "password invalid", "k_g  invalid",  or  "bad  rmcpplus  status
       code"  errors.   Issue  observed  on Sun Fire 4100/4200/4500 with ILOM, Inventec 5441/Dell
       Xanadu II, Supermicro X8DTH, Supermicro X8DTG, Intel S5500WBV/Penguin  Relion  700,  Intel
       S2600JF/Appro  512X,  Quanta  QSSC-S4R/Appro GB812X-CN, and Dell C5220. This workaround is
       automatically triggered with the "sun20" workaround.

       integritycheckvalue - This workaround flag will work around  an  invalid  integrity  check
       value during an IPMI 2.0 session establishment when using Cipher Suite ID 0. The integrity
       check value should be 0 length, however the remote motherboard responds with  a  non-empty
       field. Those hitting this issue may see "k_g invalid" errors. Issue observed on Supermicro
       X8DTG, Supermicro X8DTU, and Intel S5500WBV/Penguin Relion 700,  and  Intel  S2600JF/Appro
       512X.

       assumesystemevent - This workaround option will assume invalid SEL record types are system
       event records. Records may be formatted correctly but report invalid record  types.  Those
       hitting  this  issue may see "Unknown SEL Record Type" errors. Output may be unknown, pray
       for the best. This option is confirmed to work around compliances issues on HP DL  380  G5
       motherboards.

       No  IPMI  1.5  Support  -  Some  motherboards that support IPMI 2.0 have been found to not
       support IPMI 1.5. Those hitting this issue may see "ipmi 2.0 unavailable"  or  "connection
       timeout"  errors. This issue can be worked around by using IPMI 2.0 instead of IPMI 1.5 by
       specifying --driver-type=LAN_2_0.  Issue  observed  on  a  number  of  HP  and  Supermicro
       motherboards.

OEM INTERPRETATION

       The  following motherboards are confirmed to have atleast some support by the --interpret-
       oem-data option. While highly probable the OEM  data  interpretations  would  work  across
       other  motherboards  by  the  same  manufacturer,  there  are  no  guarantees. Some of the
       motherboards below may be rebranded by vendors/distributors.

       Dell Poweredge 2900, Dell Poweredge  2950,  Dell  Poweredge  R610,  Dell  Poweredge  R710,
       Fujitsu  iRMC  S1  and  iRMC S2 systems, Intel S5500WB/Penguin Computing Relion 700, Intel
       S2600JF/Appro 512X, Intel S5000PAL,  Inventec  5441/Dell  Xanadu  II,  Inventec  5442/Dell
       Xanadu   III,  Quanta  S99Q/Dell  FS12-TY,  Quanta  QSSC-S4R/Appro  GB812X-CN,  Sun  X4140
       Supermicro X7DBR-3, Supermicro X7DB8, Supermicro X8DTN, Supermicro  X7SBI-LN4,  Supermicro
       X8DTH,  Supermicro  X8DTG,  Supermicro  X8DTU, Supermicro X8DT3-LN4F, Supermicro X8DTU-6+,
       Supermicro X8DTL, Supermicro X8DTL-3F, Supermicro X8SIL-F,  Supermicro  X9SCL,  Supermicro
       X9SCM,  Supermicro  X8DTN+-F,  Supermicro X8SIE, Supermicro X9SCA-F-O, Supermicro H8DGU-F,
       Supermicro X9DRi-F, Supermicro X9DRI-LN4F+, Supermicro  X9SPU-F-O,  Supermicro  X9SCM-iiF,
       Wistron/Dell Poweredge C6220.

KNOWN ISSUES

       On  older  operating  systems, if you input your username, password, and other potentially
       security relevant information on the command line, this information may be  discovered  by
       other  users  when using tools like the ps(1) command or looking in the /proc file system.
       It is generally more secure to input password information with options like the -P  or  -K
       options.  Configuring  security  relevant  information  in the FreeIPMI configuration file
       would also be an appropriate way to hide this information.

       In order to prevent brute force attacks, some BMCs will  temporarily  "lock  up"  after  a
       number  of  remote  authentication  errors.  You  may need to wait awhile in order to this
       temporary "lock up" to pass before you may authenticate again.

FILES

       /etc/freeipmi//ipmiseld.conf /var/cache/ipmiseld/

REPORTING BUGS

       Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.

COPYRIGHT

       Copyright (C) 2012-2015 Lawrence Livermore National Security, LLC.

       This program is free software; you can redistribute it and/or modify it under the terms of
       the  GNU  General  Public  License  as  published  by the Free Software Foundation; either
       version 3 of the License, or (at your option) any later version.

SEE ALSO

       freeipmi(7),     ipmi-sel(8),     ipmiseld.conf(5),     bmc-device(8),     ipmi-config(8),
       freeipmi_interpret_sel.conf(5)

       http://www.gnu.org/software/freeipmi/