[c-nsp] Syslog Patterns

Nikolay Abromov nabromov at gmail.com
Tue Jan 17 13:50:04 EST 2012 

I haven't read what the rest of the guys suggested about this topic
but this is pretty easy. Cisco is generating CONFIG_I syslog message
when running config has been changed.  The verify this you can do the
following thing (on a hardware platform).


1. configure NTP master (on the local router or if you have remote NTP)
2. wait to sync (verify with show ntp status)
3. do show run and you will see

lab-rack1#sh run
Building configuration...


Current configuration : 1480 bytes
!
! Last configuration change at 18:53:13 UTC Tue Jan 17 2012
! NVRAM config last updated at 18:52:53 UTC Tue Jan 17 2012
!

3. you can wait for another couple of mins and went to "conf t" and
check again the "Last configuration change" in the show running.




On Mon, Jan 16, 2012 at 2:10 PM, Peter Rathlev <peter at rathlev.dk> wrote:
> On Mon, 2012-01-16 at 13:18 +0200, Saku Ytti wrote:
>> On (2012-01-16 13:13 +0200), Mohammad Khalil wrote:
>> > ok , then to track configuration changes CONFIG_I is better than
>> > parser ?
>>
>> Why not combine it, if you have CONFIG_I and in preceeding lines you
>> see PARSER-5-CFGLOG_LOGGEDCMD before you see another CONFIG_I you can
>> conclusively state if configuration was changed during this CONFIG_I
>
> ... though one could enter configuration mode and issue e.g. "do show
> interface status", which would result ind a LOGGEDCMD but strictly
> speaking no configuration change. :-)
>
> We react to %SYS-5-CONFIG_I combined with ccmHistoryRunningLastChanged
> in CISCO-CONFIG-MAN-MIB. That of course sometimes results in the system
> downloading an unchanged configuration, but the change logging systems
> only logs a change if the running configuration text has actually
> changed.
>
> A full TACACS+ log (including "aaa authorization commands" and "aaa
> authorization config-commands") means that we can always go back and see
> who did what, though a system to document changes from this alone is
> IMHO too complex to be worth it.
>
> --
> Peter
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/



-- 
Nikolay Abromov

More information about the cisco-nsp mailing list