I also thought the same ,
I tried to do it with archive mode & used syslog to monitor the changes.
notify syslog contenttype plaintext
event manager applet Config_Change
event syslog pattern "PARSER-5-CFGLOG_LOGGEDCMD"
action 1.0 info type routername
action 1.1 cli command "enable"
action 1.2 cli command "show archive log config all"
action 1.3 syslog msg "Config has been changed"
action 1.4 cli command "clear archive log config force"
But some time i got error msg that no tty line are available why ?
Please could you help me on that
If you make a lot of config changes at once, enough policies can run simultaneously to take up all of the available VTY lines. You can quickly workaround this by reducing the number of applet threads. Assuming 16 VTY lines, try:
event manager scheduler applet thread class default number 10
I am seeing this on newer IOSes. I had though only the config mode commands were logged, but enable is included. You have two choices. One is to switch to use SYS-5-CONFIG_I for your trigger, and the other is to do a more specific match. For example:
event syslog pattern "PARSER-5-CFGLOG_LOGGEDCMD.*logged command:[a-zA-Z0-9].*"
Each enable is preceded by a '!' so that shouldn't match when enable is executed.
I avoid the loop using two eem scripts. First use the event syslog, and increase a counter with every configuration change. Second use the event counter with a 5 seconds delay, and cleans the counter on exit, so this is executed only one time every 5 seconds. This way you could paste a large configuration, the archive log will generate ¨200¨ syslog msg for every change, but the policy will be executed only few times.