EEM to track changes in configuration

Answered Question
Nov 14th, 2011

Hi

If I want to track the router changes (it could be any changes made by an engineer) through EEM, then which could be the best way?

I think to enable archive & to monitor syslog through EEM for notification ?

Correct Answer
Joseph Clarke Mon, 11/14/2011 - 22:21

There is no one event you can use to track all possible changes.  However, if you're talking about config changes, then yes, enable config archive with logging to syslog and use the syslog event detector to match on messages with the PARSER-5-CFGLOG_LOGGEDCMD syslog pattern.

Chetan Kumar Ress Mon, 11/14/2011 - 22:52

I also thought the same.

I tried to do it with archive mode & used syslog to monitor the changes.

archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys

event manager applet Config_Change
 event syslog pattern "PARSER-5-CFGLOG_LOGGEDCMD"
 action 1.0 info type routername
 action 1.1 cli command "enable"
 action 1.2 cli command "show archive log config all"
 action 1.3 syslog msg "Config has been changed"
 action 1.4 cli command "clear archive log config force"

But sometimes I got an error message that no tty lines are available. Why?

Please could you help me with that?

Joseph Clarke Mon, 11/14/2011 - 22:57

If you make a lot of config changes at once, enough policies can run simultaneously to take up all of the available VTY lines.  You can quickly work around this by reducing the number of applet threads.  Assuming 16 VTY lines, try:

event manager scheduler applet thread class default number 10

Jonn.cos88 Sat, 03/03/2012 - 23:59

But Sir, the problem with this applet is, it's creating a loop when we issue the enable command in the applet. Because it again triggers the loop and it goes on.

How can we prevent it ?

Joseph Clarke Sun, 03/04/2012 - 07:45

In this case, "enable" should not trigger an event since it's not a config command.  This syslog is only generated when commands are executed in "config t" mode.

Jonn.cos88 Sun, 03/04/2012 - 10:33

Dear sir,

I have tried it even on 12.4(20) T advance security and it's causing the loop. Please can you check at your end on 12.4 IOS?

Joseph Clarke Sun, 03/04/2012 - 10:56

I am seeing this on newer IOSes.  I had thought only the config mode commands were logged, but enable is included.  You have two choices.  One is to switch to use SYS-5-CONFIG_I for your trigger, and the other is to do a more specific match.  For example:

event syslog pattern "PARSER-5-CFGLOG_LOGGEDCMD.*logged command:[a-zA-Z0-9].*"

Each enable is preceded by a '!' so that shouldn't match when enable is executed.
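The effect of the two choices described above, as an added example that is not part of the original post and is not Cisco code: it runs the thread's patterns over constructed syslog lines and models each applet run logging its own "enable". The message layout, the "!exec: enable" rendering, the user name and the unanchored regex search are assumptions made for illustration.

```python
import re

# Patterns from the thread: the original trigger, the narrower match, and the
# SYS-5-CONFIG_I alternative. Unanchored search is assumed to mirror EEM matching.
BROAD = re.compile(r"PARSER-5-CFGLOG_LOGGEDCMD")
NARROW = re.compile(r"PARSER-5-CFGLOG_LOGGEDCMD.*logged command:[a-zA-Z0-9].*")
CONFIG_I = re.compile(r"SYS-5-CONFIG_I")

# Constructed message that the applet's own "enable" is assumed to produce.
ENABLE_ECHO = "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:!exec: enable"

# Constructed sample messages, not captured from a device.
SAMPLE = [
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface Loopback0",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no ip http server",
    ENABLE_ECHO,
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
]

def triggers(pattern, lines):
    """Return the messages that would start the applet under this pattern."""
    return [line for line in lines if pattern.search(line)]

def simulate(pattern, lines, max_runs=50):
    """Count applet runs when every run logs its own "enable" back to syslog.

    max_runs stands in for the router running out of VTY lines or threads.
    """
    queue, runs = list(lines), 0
    while queue and runs < max_runs:
        if pattern.search(queue.pop(0)):
            runs += 1
            queue.append(ENABLE_ECHO)  # the applet's "enable" is logged too
    return runs

if __name__ == "__main__":
    for name, pat in (("broad", BROAD), ("narrow", NARROW), ("config_i", CONFIG_I)):
        print(f"{name:9} matches={len(triggers(pat, SAMPLE))} runs={simulate(pat, SAMPLE)}")
```

The broad pattern only stops at the run cap, while the narrow pattern fires once per config command and SYS-5-CONFIG_I once per config session.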

Jonn.cos88 Sun, 03/04/2012 - 20:16

Thanks a lot really Joseph, you are great sir. I didn't know we can use regex in pattern matching.

Jonn.cos88 Sun, 03/04/2012 - 20:38

Sir, is it mentioned anywhere that we can use regex in pattern matching?

Kindly tell me.

aaceituno Thu, 03/22/2012 - 19:33

Hi Chetan.

I avoid the loop using two EEM scripts. The first uses the event syslog, and increases a counter with every configuration change. The second uses the event counter with a 5 second delay, and cleans the counter on exit, so this is executed only one time every 5 seconds. This way you could paste a large configuration, the archive log will generate "200" syslog messages for every change, but the policy will be executed only a few times.

Br

Alex.
