Need to find out what has been modified to running-config

Unanswered Question
Jul 18th, 2008
User Badges:

Hello,

When I enter the "reload" command, Cisco ASA 5510 asks me

a question: System config has been modified Save? [Y]es/[N]o:


All I did was issuing a few "show" commands before the "reload" command. I definitely need to find out what

has been modified before the reboot


Is there any way to find out what has been modified to the running configuration.


Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

If you want to know when changes are made, but don't want to setup TACACS (and you have a syslog server setup), you can have the router syslog all commands entered while in config mode:


devcorert01#conf t

devcorert01(config)#archive

devcorert01(config-archive)#log config

devcorert01(config-archive-log-cfg)#hidekeys

devcorert01(config-archive-log-cfg)#logging enable

devcorert01(config-archive-log-cfg)#notify syslog


Anytime someone enters any command while in config mode, the command will be sent to your syslog server.


Examples:

Jul 21 10:15:41 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:do sh run

Jul 21 10:17:33 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface GigabitEthernet2/2

Jul 21 10:17:38 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:shutdown

Jul 21 10:17:42 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no shutdown


Note the "do show run". Even thought that is not a config command per se, it was entered while in config mode. Also notice the user is "console". If it was from a telnet session, you would see


Jul 21 10:17:33 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:interface GigabitEthernet2/2

Jul 21 10:17:38 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:shutdown

Jul 21 10:17:42 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:no shutdown


Mike


michael.leblanc Mon, 07/21/2008 - 07:25
User Badges:
  • Silver, 250 points or more

Enter the following on the CLI:


show archive config differences nvram:startup-config system:running-config


Lines preceded with "+" are only found in the running-config. Lines preceded with "-" are absent from the running-config (i.e.: only found in the startup-config).


Jagdeep Gambhir Tue, 07/22/2008 - 05:29
User Badges:
  • Red, 2250 points or more

In ASA if you are doing tacacs command accounting then it will logs only those command that change the running config.


Since show command do not change any config , so it won't be reported by tacacs.


Regards,

~JG




michael.leblanc Tue, 07/22/2008 - 10:44
User Badges:
  • Silver, 250 points or more

Re: My post above.


Lost sight of the fact that you were using an ASA. Sorry about that.


show archive config differences nvram:startup-config system:running-config


... would be useful on an IOS device.


Actions

This Discussion