[c-nsp] RANCID and SEC (Simple Event Correlator)

Andrew Fort afort at choqolat.org
Mon Feb 27 20:14:25 EST 2006

On Mon, Feb 27, 2006 at 08:50:46AM -0500, Brian Mengel wrote:
> Is anyone out there using RANCID and SEC (Simple Event Correlator) to help
> perform change management on their Cisco devices?  I'm looking to set this
> up but having some problems with the SEC config.  My goal is to configure it
> so that SEC runs RANCID against a router when SEC sees a SYS-5-CONFIG_I
> message come across in syslog from that router.   The only caveat being that
> it should avoid running RANCID three times if three SYS-5-CONFIG_I messages
> arrive in rapid succession.  I believe this is possible with the SEC, but
> the precise config is escaping me.
> If anyone has any SEC config examples that could handle this and wouldn't
> mind forwarding them to me, it would be much appreciate

The RANCID FAQ covers this; as I wrote the entry, please let me know if
this works for you..


Q. I'd like to have RANCID automatically begin collection when someone
   finishes configuring a router.  How can I do this?
A. Using a syslog watcher script, one can trigger RANCID from the syslog
   line emitted by, for example, an IOS router, after configuration.

   Here's a simple example using the Simple Event Correlator:

   If the syslog line in your logs looks like this:

   Apr  5 09:56:52 acc1.geo269.example.com 72: 000069: *Mar  6
21:40:13.466 AEDT: %SYS-5-CONFIG_I: Configured from console by gwbush on
vty0 (

   You would use a SEC configuration stanza like this:

   # example rancid trigger 
   action=shellcmd /opt/rancid/bin/do-diffs -r $1

   This will execute the command '/opt/rancid/bin/do-diffs -r
   when it is fed a line like that syslog line.  The command will be run
   most once every 1800 seconds.  If you do not get hostnames in your
   log lines that match your router.db entries, either fix your reverse 
   DNS or remove the '-r $1' part.  

   Note that from v2.3, do-diffs is called rancid-run.

   Running do-diffs/rancid-run from cron occasionally to catch anything 
   else in a timely manner is still recommended.


More information about the cisco-nsp mailing list