Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

EEM to track changes in configuration

Hi

If i want to track the router changes ( If could be any changes made by engineer ) through EEM then which could be the best way ?

I think to enable archive & to monitor syslog through EEM for notification ?

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: EEM to track changes in configuration

There is no one event you can use the track all possible changes.  However, if you're talking about config changes, then yes, enable config archive with logging to syslog and use the syslog event detector to match on messages with the PARSER-5-CFGLOG_LOGGEDCMD syslog pattern.

11 REPLIES
Cisco Employee

Re: EEM to track changes in configuration

There is no one event you can use the track all possible changes.  However, if you're talking about config changes, then yes, enable config archive with logging to syslog and use the syslog event detector to match on messages with the PARSER-5-CFGLOG_LOGGEDCMD syslog pattern.

Re: EEM to track changes in configuration

I also thought the same ,

I tried to do it with archive mode & used syslog to monitor the changes.

archive

log config

logging enable

notify syslog contenttype plaintext

hidekeys

event manager applet Config_Change

event syslog pattern "PARSER-5-CFGLOG_LOGGEDCMD"

action 1.0 info type routername

action 1.1 cli command "enable"

action 1.2 cli command "show archive log config all"

action 1.3 syslog msg "Config has been changed"

action 1.4 cli command "clear archive log config force"

But some time i got error msg that no tty line are available why ?

Please could you help me on that

Cisco Employee

EEM to track changes in configuration

If you make a lot of config changes at once, enough policies can run simultaneously to take up all of the available VTY lines.  You can quickly workaround this by reducing the number of applet threads.  Assuming 16 VTY lines, try:

event manager scheduler applet thread class default number 10

New Member

EEM to track changes in configuration

But Sir, the problem with this applet is, its creating a loop when we issue enable command in applet. Because it again triggers the loop and it goes on .

How can we prevent it ?

Cisco Employee

EEM to track changes in configuration

In this case, "enable" should not trigger an event since it's not a config command.  This syslog is only generated when commands are executed in "config t" mode.

New Member

EEM to track changes in configuration

Dear sir,

I have tried it even on 12.4(20) T advance security and its causing the loop. Pls can you check at your end on 12.4 ios ?

Cisco Employee

EEM to track changes in configuration

I am seeing this on newer IOSes.  I had though only the config mode commands were logged, but enable is included.  You have two choices.  One is to switch to use SYS-5-CONFIG_I for your trigger, and the other is to do a more specific match.  For example:

event syslog pattern "PARSER-5-CFGLOG_LOGGEDCMD.*logged command:[a-zA-Z0-9].*"

Each enable is preceded by a '!' so that shouldn't match when enable is executed.

New Member

EEM to track changes in configuration

Thanks alot really Joesph, you are great sir. I didnt know we can use regex in pattern matching

New Member

EEM to track changes in configuration

Sir, is it mentioned anywhere that we can use regex in pattern matching ?

kindly tell me

Cisco Employee

EEM to track changes in configuration

Re: EEM to track changes in configuration

  Hi Chetan.

  I avoid the loop using two eem scripts. First use the event syslog, and increase a counter with every configuration change. Second use the event counter with a 5 seconds delay, and cleans the counter on exit, so this is executed only one time every 5 seconds. This way you could paste a large configuration, the archive log will generate ¨200¨ syslog msg for every change, but the policy will be executed only few times.

  Br

  Alex.

3405
Views
5
Helpful
11
Replies