EEM to track changes in configuration

Hi

If I want to track the router changes (it could be any changes made by an engineer) through EEM, then which could be the best way?

I think to enable archive & to monitor syslog through EEM for notification?

Accepted Solution

Joe Clarke
Cisco Employee

There is no one event you can use to track all possible changes. However, if you're talking about config changes, then yes, enable config archive with logging to syslog and use the syslog event detector to match on messages with the PARSER-5-CFGLOG_LOGGEDCMD syslog pattern.

I also thought the same.

I tried to do it with archive mode & used syslog to monitor the changes.

archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys

event manager applet Config_Change
 event syslog pattern "PARSER-5-CFGLOG_LOGGEDCMD"
 action 1.0 info type routername
 action 1.1 cli command "enable"
 action 1.2 cli command "show archive log config all"
 action 1.3 syslog msg "Config has been changed"
 action 1.4 cli command "clear archive log config force"

But sometimes I got an error message that no tty lines are available. Why?

Please could you help me on that.

If you make a lot of config changes at once, enough policies can run simultaneously to take up all of the available VTY lines. You can quickly work around this by reducing the number of applet threads. Assuming 16 VTY lines, try:

event manager scheduler applet thread class default number 10

But Sir, the problem with this applet is that it's creating a loop when we issue the enable command in the applet, because it again triggers the loop and it goes on.

How can we prevent it?

In this case, "enable" should not trigger an event since it's not a config command.  This syslog is only generated when commands are executed in "config t" mode.

Dear sir,

I have tried it even on 12.4(20) T advance security and it's causing the loop. Please can you check at your end on 12.4 IOS?

I am seeing this on newer IOSes. I had thought only the config mode commands were logged, but enable is included. You have two choices. One is to switch to use SYS-5-CONFIG_I for your trigger, and the other is to do a more specific match. For example:

event syslog pattern "PARSER-5-CFGLOG_LOGGEDCMD.*logged command:[a-zA-Z0-9].*"

Each enable is preceded by a '!' so that shouldn't match when enable is executed.
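Added example (not part of the original thread or any poster's code): an offline check of the two trigger patterns discussed above, showing which log lines would fire the applet and which line causes the self-triggering loop. The log lines are constructed, the message layout and user names are assumptions, and Python's `re` stands in for the EEM regex engine, which behaves the same way for these simple expressions.

```python
import re

# The two trigger patterns quoted in the thread.
BROAD = re.compile(r"PARSER-5-CFGLOG_LOGGEDCMD")
NARROW = re.compile(r"PARSER-5-CFGLOG_LOGGEDCMD.*logged command:[a-zA-Z0-9].*")
# Hypothetical helper pattern for pulling out who changed what.
FIELDS = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

# Constructed sample lines (assumed layout, not captured from a device).
SAMPLE_LOG = [
    "*Mar  1 00:10:01.003: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface FastEthernet0/0",
    "*Mar  1 00:10:02.117: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no shutdown",
    "*Mar  1 00:10:03.250: %PARSER-5-CFGLOG_LOGGEDCMD: User:operator  logged command:!exec: enable",
    "*Mar  1 00:10:04.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

def triggers(pattern, lines):
    """Lines on which an applet using this syslog pattern would fire."""
    return [line for line in lines if pattern.search(line)]

def self_triggering(lines):
    """Lines only the broad pattern matches, e.g. the applet's own 'enable'."""
    narrow = set(triggers(NARROW, lines))
    return [line for line in triggers(BROAD, lines) if line not in narrow]

def change_records(lines):
    """(user, command) pairs for real config changes, for an audit trail."""
    records = []
    for line in triggers(NARROW, lines):
        match = FIELDS.search(line)
        if match:
            records.append((match.group("user"), match.group("cmd").strip()))
    return records

if __name__ == "__main__":
    print("broad pattern fires on :", len(triggers(BROAD, SAMPLE_LOG)), "lines")
    print("narrow pattern fires on:", len(triggers(NARROW, SAMPLE_LOG)), "lines")
    for line in self_triggering(SAMPLE_LOG):
        print("loop risk:", line)
    for user, cmd in change_records(SAMPLE_LOG):
        print(f"change by {user}: {cmd}")
```

Running candidate patterns over saved syslog lines like this before loading them into an applet confirms that exec-mode entries are excluded while every config-mode command still raises a notification.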

Thanks a lot, really, Joseph, you are great sir. I didn't know we can use regex in pattern matching.

Sir, is it mentioned anywhere that we can use regex in pattern matching?

Kindly tell me.

Hi Chetan.

I avoid the loop using two EEM scripts. The first uses the event syslog and increases a counter with every configuration change. The second uses the event counter with a 5-second delay and cleans the counter on exit, so this is executed only one time every 5 seconds. This way you could paste a large configuration; the archive log will generate "200" syslog messages for every change, but the policy will be executed only a few times.

Br

Alex.
