[c-nsp] RANCID and SEC (Simple Event Correlator)

Brian Mengel bmengel at gmail.com
Fri Mar 3 15:00:30 EST 2006


Andrew,

   Thanks for the pointer.  Your example set me on the path to what I
ultimately did.  This config file takes advantage of contexts to allow for a
sliding window of sorts.  When it first recognizes a change, SEC starts a
context for the reporting device and associates a timer with the context (10
mins in my case).  If any further log messages come in indicating that the
same reporting device experienced another change, then it adds the
username and device IP into the context and resets the timer.  Once a 10
minute window has passed without any more config changes, it runs a simple
perl script and passes in the contents of the context.  The contents are
just a list of username/IP pairs like:

192.168.0.1 john
192.168.0.1 bob
192.168.0.1 john

The script then runs RANCID, passing in the router to diff (192.168.0.1) and
a list of people to email the config changes to (john, bob).  Then John and
Bob are responsible for accounting for the changes.

# one rule, no suppression: every CONFIG_I line feeds the per-device context
type=Single
ptype=RegExp
# $1 = time, $2 = reporting device IP (syslog host field), $3 = username
pattern=^\w+\s+\d+ (\d+:\d+:\d+) (\d+\.\d+\.\d+\.\d+).*SYS-5-CONFIG_I.* by (\w+) on
desc=$2 $3
# add: store "ip user" in context rancid_<ip> (creating it on first match);
# set: (re)start the 10 minute timer and, on expiry, pipe the stored lines
#      into the report script, which runs RANCID for that router
action=add rancid_$2 $2 $3; set rancid_$2 600 (report rancid_$2 /usr/local/rancid/rancid-run.pl)



On 2/27/06, Andrew Fort <afort at choqolat.org> wrote:
>
> On Mon, Feb 27, 2006 at 08:50:46AM -0500, Brian Mengel wrote:
> > Is anyone out there using RANCID and SEC (Simple Event Correlator) to help
> > perform change management on their Cisco devices?  I'm looking to set this
> > up but having some problems with the SEC config.  My goal is to configure it
> > so that SEC runs RANCID against a router when SEC sees a SYS-5-CONFIG_I
> > message come across in syslog from that router.   The only caveat being that
> > it should avoid running RANCID three times if three SYS-5-CONFIG_I messages
> > arrive in rapid succession.  I believe this is possible with the SEC, but
> > the precise config is escaping me.
> >
> > If anyone has any SEC config examples that could handle this and wouldn't
> > mind forwarding them to me, it would be much appreciated.
>
> The RANCID FAQ covers this; as I wrote the entry, please let me know if
> this works for you..
>
> (http://www.shrubbery.net/rancid/FAQ):
>
> Q. I'd like to have RANCID automatically begin collection when someone
>   finishes configuring a router.  How can I do this?
> A. Using a syslog watcher script, one can trigger RANCID from the syslog
>   line emitted by, for example, an IOS router, after configuration.
>
>   Here's a simple example using the Simple Event Correlator:
>   (http://simple-evcorr.sourceforge.net/)
>
>   If the syslog line in your logs looks like this:
>
>   Apr  5 09:56:52 acc1.geo269.example.com 72: 000069: *Mar  6 21:40:13.466 AEDT: %SYS-5-CONFIG_I: Configured from console by gwbush on vty0 (10.1.1.1)
>
>   You would use a SEC configuration stanza like this:
>
>   # example rancid trigger
>   #
>   type=SingleWithSuppress
>   ptype=RegExp
>   pattern=\s\S+:\S+\S+\s(\S+)\.example\.com.*SYS-5-CONFIG_I
>   action=shellcmd /opt/rancid/bin/do-diffs -r $1
>   window=1800
>
>   This will execute the command '/opt/rancid/bin/do-diffs -r acc1.geo269'
>   when it is fed a line like that syslog line.  The command will be run at
>   most once every 1800 seconds.  If you do not get hostnames in your
>   log lines that match your router.db entries, either fix your reverse
>   DNS or remove the '-r $1' part.
>
>   Note that from v2.3, do-diffs is called rancid-run.
>
>   Running do-diffs/rancid-run from cron occasionally to catch anything
>   else in a timely manner is still recommended.
>
> ---
> -andrew
>
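Added example, not Brian's Perl script and not code from the SEC or RANCID projects: a small Python stand-in for the rule's add/set/report actions, run over constructed syslog lines with explicit arrival times, so the sliding window can be watched without a live syslog feed. It uses the same regular expression as the posted rule, so it keys on a device whose syslog host field is an IP address; the rancid-run path and the sample lines are assumptions.

```python
import re
from collections import OrderedDict

# Same regex as the posted SEC rule: groups are time, reporting device IP, username.
CONFIG_I_RE = re.compile(
    r"^\w+\s+\d+ (\d+:\d+:\d+) (\d+\.\d+\.\d+\.\d+).*SYS-5-CONFIG_I.* by (\w+) on"
)
WINDOW = 600  # 'set rancid_$2 600': ten quiet minutes close the window
RANCID_RUN = "/usr/local/rancid/bin/rancid-run"  # assumed install path, not from the post


def parse_config_i(line):
    """Return (device_ip, username) for a CONFIG_I line, else None."""
    m = CONFIG_I_RE.search(line)
    if not m:
        return None
    return m.group(2), m.group(3)


class ConfigChangeCorrelator:
    """Per-device sliding window mirroring the rule's add / set / report actions."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.contexts = {}  # device ip -> {"expires": t, "events": ["ip user", ...]}
        self.reports = []   # what the 'report' action would hand to the script

    def tick(self, now):
        """Fire the report action of every context whose timer has run out."""
        for ip, ctx in list(self.contexts.items()):
            if now >= ctx["expires"]:
                self.reports.append(summarise(ctx["events"]))
                del self.contexts[ip]

    def feed(self, now, line):
        """Process one syslog line arriving at time 'now' (seconds)."""
        self.tick(now)
        parsed = parse_config_i(line)
        if parsed is None:
            return  # not a CONFIG_I line: the rule does not match
        ip, user = parsed
        ctx = self.contexts.setdefault(ip, {"events": []})  # 'add' creates the context on first use
        ctx["events"].append(f"{ip} {user}")                 # 'add rancid_$2 $2 $3'
        ctx["expires"] = now + self.window                   # 'set rancid_$2 600 (...)' restarts the timer


def summarise(events):
    """What the report script gets on stdin, reduced to one router and a de-duplicated user list."""
    router = events[0].split()[0]
    users = list(OrderedDict.fromkeys(e.split()[1] for e in events))
    return {"router": router, "users": users, "argv": [RANCID_RUN, "-r", router]}


def run_demo():
    """Constructed syslog lines (not real captures); returns reports in firing order."""
    def msg(ip, user):
        return (f"Mar  3 14:00:00 {ip} 45: 000041: *Mar  3 14:00:00.123 EST: "
                f"%SYS-5-CONFIG_I: Configured from console by {user} on vty0 (10.1.1.5)")
    noise = ("Mar  3 14:05:00 192.168.0.1 46: 000042: %LINK-3-UPDOWN: "
             "Interface Serial0/0, changed state to down")
    c = ConfigChangeCorrelator()
    c.feed(0, msg("192.168.0.1", "john"))
    c.feed(120, msg("192.168.0.1", "bob"))
    c.feed(300, msg("192.168.0.2", "alice"))
    c.feed(400, msg("192.168.0.1", "john"))   # repeat user; .1 timer now ends at 1000
    c.feed(950, noise)                         # unrelated line; .2 quiet since 300, so it fires
    c.feed(1100, msg("192.168.0.1", "carol"))  # .1 fired at 1000; carol opens a fresh window
    c.tick(2000)                               # SEC's timer loop: nothing since 1100, carol's window closes
    return c.reports
```

The three CONFIG_I lines from 192.168.0.1 collapse into one report naming john and bob, 192.168.0.2 gets its own report, and carol's later change starts a new window rather than joining the old one. In the real deployment the script reads the same "ip user" lines from stdin, runs RANCID for that router and mails the listed users; note that a router that is still being edited is not diffed until it has been quiet for the full window, which is one reason the FAQ still recommends the periodic cron run.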


More information about the cisco-nsp mailing list