[c-nsp] Syslog Patterns

Peter Rathlev peter at rathlev.dk
Mon Jan 16 07:10:31 EST 2012


On Mon, 2012-01-16 at 13:18 +0200, Saku Ytti wrote:
> On (2012-01-16 13:13 +0200), Mohammad Khalil wrote:
> > ok , then to track configuration changes CONFIG_I is better than
> > parser ?
> 
> Why not combine it, if you have CONFIG_I and in preceding lines you
> see PARSER-5-CFGLOG_LOGGEDCMD before you see another CONFIG_I you can
> conclusively state if configuration was changed during this CONFIG_I

... though one could enter configuration mode and issue e.g. "do show
interface status", which would result in a LOGGEDCMD but strictly
speaking no configuration change. :-)

We react to %SYS-5-CONFIG_I combined with ccmHistoryRunningLastChanged
in CISCO-CONFIG-MAN-MIB. That of course sometimes results in the system
downloading an unchanged configuration, but the change logging system
only logs a change if the running configuration text has actually
changed.

A full TACACS+ log (including "aaa authorization commands" and "aaa
authorization config-commands") means that we can always go back and see
who did what, though a system to document changes from this alone is
IMHO too complex to be worth it.

-- 
Peter
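
The correlation discussed in this thread, as an added example that is not part of the original post: it groups PARSER-5-CFGLOG_LOGGEDCMD lines under the next %SYS-5-CONFIG_I and treats "do ..." commands as non-changes. The sample log lines, user names and function names are constructed, and the input is assumed to be one device's messages in order.

```python
import re

# Constructed sample syslog lines from a single device (not from the thread).
SAMPLE = """\
Jan 16 12:00:01 rtr1 101: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet0/1
Jan 16 12:00:05 rtr1 102: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:description uplink
Jan 16 12:00:09 rtr1 103: %SYS-5-CONFIG_I: Configured from console by alice on vty0 (192.0.2.10)
Jan 16 12:30:00 rtr1 104: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:do show interface status
Jan 16 12:30:04 rtr1 105: %SYS-5-CONFIG_I: Configured from console by bob on vty1 (192.0.2.11)
Jan 16 13:00:00 rtr1 106: %SYS-5-CONFIG_I: Configured from console by carol on vty0 (192.0.2.12)
"""

LOGGEDCMD = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")
CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from (\S+) by (\S+)")


def is_exec_passthrough(cmd):
    """True for 'do <exec command>': run from config mode, changes nothing."""
    return cmd.strip().lower().split(" ", 1)[0] == "do"


def classify_sessions(lines):
    """One record per CONFIG_I, with the commands logged since the previous one."""
    sessions, pending = [], []
    for line in lines:
        m = LOGGEDCMD.search(line)
        if m:
            pending.append(m.group(2).strip())
            continue
        m = CONFIG_I.search(line)
        if m:
            # Only commands that are not 'do ...' count as configuration input.
            config_cmds = [c for c in pending if not is_exec_passthrough(c)]
            sessions.append({"user": m.group(2), "source": m.group(1),
                             "commands": pending, "changed": bool(config_cmds)})
            pending = []  # the next CONFIG_I starts with a clean slate
    return sessions


if __name__ == "__main__":
    for s in classify_sessions(SAMPLE.splitlines()):
        print(s["user"], "changed" if s["changed"] else "no change", s["commands"])
```

A session flagged as changed can still leave the running configuration text identical, for instance when a command restates an existing setting, so comparing the configuration text remains the final check.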



