Accounting options with RME4.2 (CW LMS 3.1)

Unanswered Question
Aug 7th, 2009

I configured cisoworks LMS 3.1 to use ACS authentication. "ciscoworks" is the username provided to it for SSH/ Telnetting to the devices. Is there any way to check whether a configuration change made is via the CW GUI or through the CLI of the CW server using the username "ciscoworks"?

Sure i can see the changes made to the devices via change audit but the manual changes are not reflected when done from the CLI of the CW server with the "ciscoworks" username.

Pl. help

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Joe Clarke Fri, 08/07/2009 - 11:40

First, check the syslog log file on the CiscoWorks server to make sure the config change messages from the devices are making it to the server. If not, you will need to correct that. Once RME receives a config change message, it will fetch the device config, and if there are any changes, it will create a Change Audit record. If no changes were detected, the Change Audit record will not be created.

If the messages are appearing in the server's log file, then make sure you're not filtering them out. This is done under RME > Tools > Syslog > Message Filters. By default, the messages will not be filtered, and RME should be trying to archive the configuration.

Rajiv Dasmohapatra Fri, 08/07/2009 - 12:20

As this is a new implementation, i m not filtering anything manually and as you mentioned it do not does so by default.

Next I checked and found that the logs are collected perfectly. 'coz when i login using a different username into the device from any PC (including the CW server) and then change anything the changes are logged by RME (change audit). but the only exception being the username "ciscoworks" on the CW server.

anyways i will be checking more on this before posting further query, meanwhile could you please elaboreta on what more things can be looked into to zero-in into the problem.

Joe Clarke Fri, 08/07/2009 - 12:55

If you SSH to one of your devices from the LMS server (using the "ciscoworks" user), and make an actual configuration change, you should see a syslog message generated. If you have terminal monitor enabled, you'll see this on your vty. Else, you'll need to look at show logg. Then, on the LMS server after a few minutes, you should see the same message in the syslog log file. A few seconds after that, RME should process the message, and attempt to fetch the device's config. Even before that, however, you should be able to run a Syslog Standard Report for that device in RME, and see the message (which should contain the username).

Once RME has finished archiving the config, it will create a Change Audit record. That record should also have the ciscoworks username associated with it. You can see this in the Change Audit 24-hour report. Of course, you may need to click the More Records link if you have multiple records for a given device.

Rajiv Dasmohapatra Sat, 08/08/2009 - 21:52

i found a difference. when i made some changes using the cli of the server, then it gets reflectd in the change audit as config_change or config_archive. but when i do the same changes via GUI, it gets reflected as netconfig jobs.

thanks for your help.

Joe Clarke Sat, 08/08/2009 - 22:06

Yes, this is expected. Whenever RME detects a manual change (i.e. one outside of the LMS suite), it will register it as Config Archive because that is the subsystem that detects the change. Any change which is done via Netconfig or Config Editor will be reflected as such in Change Audit.


This Discussion