Trying to run a report that tracks changes and who made them to Layer 2 devices. Tried Change Audit and Audit Trail reports for switches I know have been changed recently. Audit requirement that I have this info. Can anyone help?
The Audit Trail report lists who did what in what RME application. The Change Audit report will list device changes made through the RME applications, or those detected by syslog messages or polling. If someone made a change to a device outside of RME, and syslog messages are not enabled on the device, or you are not sending syslog messages to the RME server, then it may be some time before RME picks up the change. You can adjust your periodic polling interval under RME > Admin > Config Mgmt > Collection Settings.
For getting network changes logged in Change Audit Reports you first have to define the 'Exception Period' - the time when no changes should occur. If there are changes detected in this time range anyway they get logged.
All changes are recorded even if an exception period was not recorded. You should always be able to run a 24-hour report or Standard Report to get the list of changes.
Thanks for the response. To clarify, changes are made outside of RME (telnet) unless we have a massive change we want to push. I turned on logging to the IP address of CW and made a change. I see reference to the change when I run the Standard report. The report message says "Syslog triggered Config Collection: VLAN Running". It also references my IP Address as the host initiating the change. I'm looking for detail that would show the specific change made and the user/login that made the change. I get a message "CM0036: The config file cannot be displayed as this could be a binary file". Don't really know the product or what I'm doing. Is there a way I can get a report that shows the specific change(s) and username that made them? Thanks again for your help.
For this particular change, you will not be able to see the details. The vlan.dat is a binary file, and cannot be viewed. However, if you make a genuine, interesting change to the running config, for example, you will see a Change Audit record with diff details. Interesting changes are those not listed in RME > Admin > Config Mgmt > Exclude Commands.
Thanks again. The only entry in Exclude Commands for Switches and Hubs is ntp clock-period. If I understand you correctly, I should see a record in Change Audit of any change to the running config (i.e., speed/duplex, description, username/password, etc) that is NOT part of that list. So, everything but ntp clock-period. I don't see the changes I make. I'll admit again to not knowing this product and maybe I'm not doing something correctly. Is there anything I could provide you that would help you help me? Thanks again.
Again, Greek to me. Don't know the product (can't get off the hook for supporting it either!) so I don't understand your suggestion of where to look to confirm archiving.
The log files are kept in NMSROOT\log on Windows and /var/adm/CSCOpx/log on Solaris. There is one log, the dcmaservice.log, that tracks the config archive process. A Change Audit record will only be created after the config has been successfully archived. If the config change is being detected, but the Change Audit record is not being created, then something must be going wrong in the archive process.
Sorry for the delay in responding. This got moved to the back burner. I consulted with our server group and they don't find NMSROOT\log. I've attached what they did find as it pertains to log files. Can you tell us specifically what log file we should be looking for? Is the absence of NMSROOT\log the issue? I'm afraid I don't speak server. Please reply and I'll do my best to get the answers you may need in order to help me. Thanks again.
Hi Joseph, I know I am replying to an old thread, but I guess you might be able to help me?
When my CiscoWorks archives the configuration, it shows me configuration changes fine.
But what I want is that whenever a user makes a change and gets out of config mode on the router, the change should be visible in CiscoWorks, but that's not happening. Any thoughts? (Syslog is already enabled on the router and pointing to the CiscoWorks IP.)
What you're describing may be normal. LMS will not archive a new version of the config if nothing interesting changed. Interesting changes are those that are not found in the excluded commands list for the particular device class. While LMS does check the config (and may even download it), it will not force unnecessary repository churn just because someone enters and leaves config mode.
If you are seeing actual changes ignored when someone leaves config mode (i.e., not picked up until the next scheduled archive) then you should start a new thread to address your particular problem.
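The "interesting change" rule from the answers above, modelled as an added example that is not part of the thread and is not RME/LMS code: a new version (and so a Change Audit diff) is only warranted when something outside the Exclude Commands list differs. Only `ntp clock-period` comes from the thread; the sample configs, the handling of `!` lines and the function names are assumptions.

```python
import difflib

# Only "ntp clock-period" comes from the thread; everything else is constructed.
EXCLUDE_COMMANDS = ("ntp clock-period",)

ARCHIVED = """\
hostname sw-lab-01
!
interface FastEthernet0/1
 description uplink
 speed auto
!
ntp clock-period 17180023
end
"""
# Constructed variants of the running config.
RUNNING_NTP_ONLY = ARCHIVED.replace("17180023", "17180101")
RUNNING_EDITED = RUNNING_NTP_ONLY.replace("speed auto", "speed 100")


def qualified_lines(config_text, exclude=EXCLUDE_COMMANDS):
    """Return config commands, sub-commands prefixed with their parent section."""
    parent, out = "", []
    for raw in config_text.splitlines():
        line, cmd = raw.rstrip(), raw.strip()
        if not cmd or cmd.startswith("!"):   # assumption: "!" lines are not audited
            continue
        if line == cmd:                      # no indentation: a new top-level command
            parent = cmd
        if cmd.startswith(tuple(exclude)):   # excluded commands never count as a change
            continue
        out.append(cmd if line == cmd else f"{parent} > {cmd}")
    return out


def interesting_changes(archived, running, exclude=EXCLUDE_COMMANDS):
    """List ('-'/'+', command) pairs that differ once excluded commands are dropped."""
    old, new = qualified_lines(archived, exclude), qualified_lines(running, exclude)
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            changes += [("-", c) for c in old[i1:i2]]
        if tag in ("replace", "insert"):
            changes += [("+", c) for c in new[j1:j2]]
    return changes


if __name__ == "__main__":
    print(interesting_changes(ARCHIVED, RUNNING_NTP_ONLY))
    for sign, command in interesting_changes(ARCHIVED, RUNNING_EDITED):
        print(sign, command)
```

An empty result corresponds to the "nothing interesting changed" case in which no new version is archived; a non-empty one is the kind of diff an auditor would expect to find in the Change Audit record.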
Hi Joseph, you are right, that's what I need to know. I have started a new thread, can you help me out please?
I know you are the only champ on CiscoWorks here.
Below is the link to the new thread.
Help me please.