
RME Change Audit

Mhon Baul
Level 1

hi,

I configured the Change Audit automation to send email if someone is configuring the device.

It's already working, but my problem now is this: whenever the scheduled backup is running and making a backup of the config, why does it also send email to me? Is there something I can do so that only pure configuration will trigger the backup and send email to me?

rgrds,

reymon


Joe Clarke
Cisco Employee

When a config is archived, a Change Audit record is created. This signifies RME detected a configuration change on the device. This sounds like what you want. The best filtering you can do below this is something like:

Application : Archive Mgmt

Category : CONFIG_CHANGE

hi jclarke,

Yes, this is what I had configured, but what I mean to say is: why is a Change Audit created when only Collection of Configuration is scheduled? It also sends email to me even though no one is making a config change. Is this normal? Thanks in advance!

rgds,

Reymon

You should get notifications whenever a config change record is created. This can happen when the periodic collector job runs, or if devices are sending syslog messages, when RME receives a config change syslog message.

Each email you get should correspond to a Change Audit record in the Change Audit report within RME. You can get additional details about what actually changed from there.

What does trigger the Change Audit record? The config change syslog message received, or a separate trigger caused by an RME process _AFTER_ it detects that a real config change has happened?

If the plain config change syslog message does trigger the Change Audit record it could be a false positive...

The Archive Collection triggers the Change Audit record after the schedule was executed. How can I stop this from sending email? Thanks!

You can't. That's what it's supposed to do. After the archive collection occurs, IF a configuration change was discovered, then a Change Audit record is created, and you are alerted. If the scheduled collection runs, but no change was detected, then no Change Audit record is generated, and no alert will go out.

A Change Audit record is only generated when a configuration change is detected. If the syslog message does not yield an interesting change, then no record is created, and no Change Audit event will be triggered.

Hi clarke! I just want to clarify: even if a Change Audit is already created through syslog messages, will it again generate a Change Audit after the Archive Collection? Thanks for your prompt response.

It can, yes. If a config change is detected after RME receives a syslog message, and another change is detected during the periodic collection, then you will get two Change Audit records, and two emails will be generated.

Thanks for the clarification. I conducted some tests. I haven't made any config change, and after the periodic collection it triggered the Change Audit, then an email was sent to me. Why is it triggering the Change Audit after periodic collection even though there is no config change made?

Run the Change Audit Standard Report in RME, and find the changes that correspond to the emails. Check the details to see what RME detected as a change.

reymon_012, have you had the time to follow up on this issue? Could you verify that there was a real change?

hi mermel,

I haven't tried it yet. I'll let you know once I've done this one.

regards,

reymon
