OK, I think we are getting closer!!!!

tsai.jack, I took your suggestion and here is what's working so far:

event manager applet CONFIG_CHANGE
description Backup of Config Before Changes Made
event syslog pattern "%SYS-5-CONFIG_I: Configured from"
action 1.0 cli command "config t"
action 2.0 cli command "do copy run flash:/"

I would like to be able to automatically add the host name and time since the file created on flash is simply named "running-config".

I tried adding the following to the command with no luck:

action 2.0 cli command "do copy run flash:/$h-$t"

Thoughts?

Sorry...it should be:

event manager applet CONFIG_CHANGE
description Backup of Config Before Changes Made
event syslog pattern "%SYS-5-CONFIG_I: Configured from"

action 1.0 cli command "do copy run flash:/"

if you see  - %SYS-5-CONFIG_I: Configured from

you like to copy the run to flash:/ ?   (but flash already have running config right ?

instead try different name like copy run  flash:/myrun

you do not need to do config t here, since you are not make any changes here to copy file.

if i understand correctly ?

Hey BB,

How to I manipulate this configuration from TFTP to flash????

To get the hostname and time try this example.   The time will be epoch time.  Normal time (show clock) will have spaces in it which maybe a challenge when writing the filename.

 action 010 info type routername
 action 020 set hostname "$_info_routername"
 action 030 set epoch "$_event_pub_sec"

Daniel...thanks for the reply!!

How would I incorporate this into the existing?

event manager applet CONFIG_CHANGE
description Backup of Config Before Changes Made
event syslog pattern "%SYS-5-CONFIG_I: Configured from"
action 1.0 cli command "config t"
action 2.0 cli command "do copy run flash:/"

I tested successfully with this code.  The event detector you have currently (event syslog pattern "%SYS-5-CONFIG_I: Configured from") will trigger the script when going from config mode to exec mode so its after the configuration is written to memory.   Add command "file prompt quiet" to the running config so IOS does not prompt you for user input.

event manager applet CONFIG_CHANGE
 description Backup of Config Before Changes Made
 event none
 action 1.0 info type routername
 action 1.1 set hostname "$_info_routername"
 action 1.2 set epoch "$_event_pub_sec"
 action 1.3 cli command "enable"
 action 2.1 cli command "copy run bootflash:$hostname$epoch"
 action 2.2 syslog msg "Writing config to $_cli_result"

lab-csr5#event manager run CONFIG_CHANGE
lab-csr5#
*Jun 10 17:34:59.267: %HA_EM-6-LOG: CONFIG_CHANGE: Writing config to 
7469 bytes copied in 0.721 secs (10359 bytes/sec)

I am working on this now....

A couple of questions and forgive my ignorance:

1. Do I have to include the netconf yang? My Information Assurance dept will ask questions and I want to be able to answer them correctly.

2. When we log into our cisco devices, we are using our AD account and it automatically drops us into privileged exec. Will this matter? Is there a way to key in on when the user enters "config t" that the backup is ran?

3. And will adding the "file prompt quiet" to the run config do that for all instances or just this EEM applet?

Thank you for all of the help!

1. Do I have to include the netconf yang? My Information Assurance dept will ask questions and I want to be able to answer them correctly.

This is EEM applet, there is not requirement for netconf. if you like to do out of the box script may helpfull.

2. When we log into our cisco devices, we are using our AD account and it automatically drops us into privileged exec. Will this matter? Is there a way to key in on when the user enters "config t" that the backup is ran?

No,  i do not believe so personally.

3. And will adding the "file prompt quiet" to the run config do that for all instances or just this EEM applet?

This EEM Script only  per applet 

Daniel...

I copied your config verbatim and pasted into CLI and I cannot get it to work. I am using EEM 4.0 with Fuji 16.09.07. I cannot get it to work. See the attached debug.

I see the CLI commands being sent.  The 20 second default timer has expired while the script was executing.   Modify the event detector so that it will run for 60 seconds: "event none maxrun 60" Also is the media on your router really bootflash or is it flash?

*Jun 10 2021 19:10:12.815: %HA_EM-6-LOG: CONFIG_CHANGE : DEBUG(cli_lib) : : IN  : OFFICE-RTR-01#copy run bootflash:OFFICE-RTR-011623352212
*Jun 10 2021 19:10:12.905: cli_history_entry_add: free_hist_list size=0, hist_list size=7
*Jun 10 2021 19:10:12.905: eem_no_scan flag set, skipping scan of command_string=copy running-config bootflash:OFFICE-RTR-011623352212
%Log packet overrun, PC 0x55B401594387, format:
%s: %s

OFFICE-RTR-01(config)#
OFFICE-RTR-01(config)#
*Jun 10 2021 19:10:32.846: %HA_EM-6-LOG: CONFIG_CHANGE : DEBUG(cli_lib) : : CTL : cli_close called.
*Jun 10 2021 19:10:32.846: fh_server: fh_io_ipc_msg: received msg FH_MSG_CALLBACK_DONE from client 70 pclient 1
*Jun 10 2021 19:10:32.847: fh_io_ipc_msg: EEM callback policy CONFIG_CHANGE has ended with abnormal exit status of 0xFFFFFFFFFFFFFFFF
*Jun 10 2021 19:10:32.847: EEM policy CONFIG_CHANGE has exceeded it's elapsed time limit of 20.0 seconds
*Jun 10 2021 19:10:32.847: EEM fms_remote_chkpt_add_event_hist(), data_len = 3584, buf_size = 3596