RME Change Audit

Mar 13th, 2009


I configured the Change Audit automation to send email if someone is configuring the device.

It's already working, but my problem now is that whenever the scheduled backup is running and making a backup of the config, it also sends email to me. Why? Is there something I can do so that only purely configuration will trigger the backup and send email to me?



Joe Clarke Fri, 03/13/2009 - 11:28

When a config is archived, a Change Audit record is created. This signifies RME detected a configuration change on the device. This sounds like what you want. The best filtering you can do below this is something like:

Application : Archive Mgmt


Mhon Baul Fri, 03/13/2009 - 17:16

Hi jclarke,

Yes, this is what I had configured, but what I mean to say is: why is a Change Audit created when only Collection of Configuration is scheduled? It also sends email to me even if no one is making a config change. Is this normal? Thanks in advance!



Joe Clarke Fri, 03/13/2009 - 20:25

You should get notifications whenever a config change record is created. This can happen when the periodic collector job runs, or if devices are sending syslog messages, when RME receives a config change syslog message.

Each email you get should correspond to a Change Audit record in the Change Audit report within RME. You can get additional details about what actually changed from there.

Martin Ermel Sat, 03/14/2009 - 03:54

What does trigger the Change Audit record? The config change syslog message received, or a separate trigger caused by an RME process _AFTER_ it detects that a real config change has happened?

If the plain config change syslog message does trigger the Change Audit record it could be a false positive...

Mhon Baul Sat, 03/14/2009 - 06:42

The Archive Collection triggers the Change Audit record after the schedule was executed. How can I stop this from sending email? Thanks!

Joe Clarke Sat, 03/14/2009 - 11:12

You can't. That's what it's supposed to do. After the archive collection occurs, IF a configuration change was discovered, then a Change Audit record is created, and you are alerted. If the scheduled collection runs, but no change was detected, then no Change Audit record is generated, and no alert will go out.

Joe Clarke Sat, 03/14/2009 - 11:13

A Change Audit record is only generated when a configuration change is detected. If the syslog message does not yield an interesting change, then no record is created, and no Change Audit event will be triggered.

Mhon Baul Sat, 03/14/2009 - 20:10

Hi clarke! I just want to clarify that even if a Change Audit is already created through syslog messages, it will again generate a Change Audit after the Archive Collection? Thanks for your prompt response.

Joe Clarke Sat, 03/14/2009 - 20:16

It can, yes. If a config change is detected after RME receives a syslog message, and another change is detected during the periodic collection, then you will get two Change Audit records, and two emails will be generated.

Mhon Baul Sat, 03/14/2009 - 20:32

Thanks for the clarification. I conducted some tests: I haven't made any config change, and after the periodic collection it triggers the Change Audit, then an email is sent to me. Why is it triggering the Change Audit after periodic collection even though there is no config change made?

Joe Clarke Sat, 03/14/2009 - 21:54

Run the Change Audit Standard Report in RME, and find the changes that correspond to the emails. Check the details to see what RME detected as a change.

Martin Ermel Tue, 04/07/2009 - 01:48

reymon_012, have you had the time to follow up on this issue? Could you verify that there was a real change?

Mhon Baul Mon, 04/13/2009 - 02:05

Hi mermel,

I haven't yet tried it. I'll let you know once I've done this one.



