Need to find out what has been modified to running-config

Unanswered Question
Jul 18th, 2008

Hello,

When I enter the "reload" command, Cisco ASA 5510 asks me

a question: System config has been modified Save? [Y]es/[N]o:


All I did was issuing a few "show" commands before the "reload" command. I definitely need to find out what

has been modified before the reboot


Is there any way to find out what has been modified to the running configuration.


Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

If you want to know when changes are made, but don't want to setup TACACS (and you have a syslog server setup), you can have the router syslog all commands entered while in config mode:


devcorert01#conf t

devcorert01(config)#archive

devcorert01(config-archive)#log config

devcorert01(config-archive-log-cfg)#hidekeys

devcorert01(config-archive-log-cfg)#logging enable

devcorert01(config-archive-log-cfg)#notify syslog


Anytime someone enters any command while in config mode, the command will be sent to your syslog server.


Examples:

Jul 21 10:15:41 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:do sh run

Jul 21 10:17:33 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface GigabitEthernet2/2

Jul 21 10:17:38 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:shutdown

Jul 21 10:17:42 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no shutdown


Note the "do show run". Even thought that is not a config command per se, it was entered while in config mode. Also notice the user is "console". If it was from a telnet session, you would see


Jul 21 10:17:33 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:interface GigabitEthernet2/2

Jul 21 10:17:38 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:shutdown

Jul 21 10:17:42 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:no shutdown


Mike


michael.leblanc Mon, 07/21/2008 - 07:25

Enter the following on the CLI:


show archive config differences nvram:startup-config system:running-config


Lines preceded with "+" are only found in the running-config. Lines preceded with "-" are absent from the running-config (i.e.: only found in the startup-config).


Jagdeep Gambhir Tue, 07/22/2008 - 05:29

In ASA if you are doing tacacs command accounting then it will logs only those command that change the running config.


Since show command do not change any config , so it won't be reported by tacacs.


Regards,

~JG




michael.leblanc Tue, 07/22/2008 - 10:44

Re: My post above.


Lost sight of the fact that you were using an ASA. Sorry about that.


show archive config differences nvram:startup-config system:running-config


... would be useful on an IOS device.


Actions

This Discussion