Change Audit report does not show any changes

Unanswered Question
Nov 30th, 2007

Strange, it was working fine from the beginning but looks like somebody else change config of RME so Change Audit does not show me any changes made to network devices.

Change Audit in Tools section does not contain useful information.

Where I can look at solution of this problem?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Joe Clarke Sat, 12/01/2007 - 10:45

The first thing to check is that your Change Audit purge policy is not too aggressive. This is done under RME > Admin > Change Audit > Set Purge Policy. Make sure it is not purging the records for which you're trying to search.

Next, check your inventory change filter, and make sure you haven't filtered out interesting inventory changes. This is done under RME > Admin > Inventory > Inventory Change Filter. Anything that is checked will NOT be tracked by Change Audit.

Finally, make sure your configurations are actually changing on the network. While RME will attempt to fetch configurations periodicially, it will only archive a new configuration and created a Change Audit record when the configuration actually has an interesting change. The list of changes which are not interesting can be set under RME > Admin > Config Mgmt > Exclude Commands.

If none of these check out, there may be a problem with the Change Audit system. Verify that the ChangeAudit daemon is running, and check the ca.log for any obvious errors.

agipkcolon Sat, 12/01/2007 - 20:42

looks like ChangeAudit daemon works fine as I receive such kind of messages during archive sync job

Application : Archive Mgmt

RME Server :

Device : kzatswc02


Connection Mode : TELNET

Time : Sun Dec 02 07:40:00 PKT 2007

User : swiadmin

Description : Sync Archive : VLAN-RUNNING

Application : Archive Mgmt

RME Server :

Device : kzatswa122


Connection Mode : TELNET

Time : Sun Dec 02 00:25:32 PKT 2007

User : cwcsadmin

Description : System Config Polling Job : PRIMARY-RUNNING

But if I telnet to any switch and do Shutdown command on any switch it is not tracked by ChangeAudit.

purge policy is set for 180 days.

None is checked in Inventory change filter.

only default commands are configured on Exclude Commands.

Joe Clarke Sat, 12/01/2007 - 22:41

The only way Change Audit will learn about config changes is if RME finds a change when it does its periodic polling or config fetch, you schedule a manual sync archive job, or the device in question sends a config change syslog message to the LMS server, and RME is configured to process it.

The quickest way to find out about a change is to run a manual sync archive job for this device, or configure it to send syslog messages to the LMS server. Since the config change was not picked up by RME, I'll assume you have not configured the device to send syslog messages to LMS, or your config fetch automated action is disabled, or there is some problem with your syslog configuration on the LMS server. Each are fairly easy to check.

If, however, you do not want to send syslog messages to LMS for config changes, then you will need to either run a manual sync archive job on this device, or wait for periodic polling or collection to pick up the change.

agipkcolon Sun, 12/02/2007 - 01:06

I think this is about automated config fetch, as I do receive syslog messages from that device by RME. I do not want to do manual sync everytime.

the problem is that I can not find where I can enable automated config fetch on syslog notification.

agipkcolon Sun, 12/02/2007 - 01:23

I found automated actions for syslog messages. But looks like somebody modified system configured config fetch and now it only sends email. How can I change it to config fetch action?

Joe Clarke Sun, 12/02/2007 - 09:52

Wow, that should not be possible to do, but it is in RME 4.0.5 and 4.0.6. You cannot edit the action type in RME 4.1. There is no way to revert this without going into the rmeng database. You should open a TAC services request, and the engineer can walk you through the steps.


This Discussion