
Prime Infrastructure 2.1 - logs on devices

adir.nosrat
Beginner

Hi,

 

When I check the logs on my devices in the network, I see the following repeated message:

Nov  7 22:00:15: %SYS-5-CONFIG_I: Configured from console by *username* on vty1 (*CiscoPI_IP*)
Nov  7 22:00:37: %SYS-5-CONFIG_I: Configured from console by *username* on vty2 (*CiscoPI_IP*)
Nov  8 22:00:06: %SYS-5-CONFIG_I: Configured from console by *username* on vty1 (*CiscoPI_IP*)
Nov  8 22:00:34: %SYS-5-CONFIG_I: Configured from console by *username* on vty2 (*CiscoPI_IP*)

 

Is there any option to configure so I won't see those logs from the PI?

Thanks in advance,

Adir

9 Replies

AFROJ AHMAD
Cisco Employee

Hi Adir,

 

A few suggestions and some information for this error:

The "Archive Configuration on receiving configuration change events" feature gets triggered when a config change syslog is sent to the PI server, not a trap. Network devices (routers/switches) must have the following configurations:

> "logging x.x.x.x" (where x.x.x.x is the IP address of your PI server); and

> "logging trap <severity>". The config change syslogs typically have a severity level of 5 (%SYS-5-CONFIG_I).

> "logging source-interface xxx" (if the IP address used to manage the device is different to the interface sending syslog)

 

Secondly, when the PI receives a config change syslog, it will also check to see if there are any changes in the configuration. If there are no changes made in the configuration compared to the previous archive, PI will not create a new archive. If there are changes, it should then create a new archive entry.

 

In PI, only Sev 0,1,2 syslogs can be seen under Operate > Alarms & Events (anything lower than that is not logged to the Database), so in order to troubleshoot whether the PI server is receiving the Sev 5 notification - %SYS-5-CONFIG_I syslog messages, you will need to do one of the following:

 

1. TCPDUMP - e.g. "tcpdump -v host 10.x.x.x and port 514" (where 10.x.x.x is the IP of my switch)

 

Example of output:

tcpdump -v host 10.x.x.x and port 514
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:51:50.461685 IP (tos 0x0, ttl 255, id 638, offset 0, flags [none], proto: UDP (17), length: 136) 10.x.x.x.52625 > NCS12-190.syslog: SYSLOG, length: 108
Facility local7 (23), Severity notice (5)
Msg: 639: 005755: Apr 3 01:51:49: %SYS-5-CONFIG_I: Co[|syslog]

 

2. You can dump it from the decap buffer :
" strings /opt/CSCOlumos/decap/data/SyslogRcv_Main_514 | grep CONFIG_I "

Example of output:
<189>5249: Apr  3 12:49:12: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.137.76.199)
<189>5250: Apr  3 12:49:21: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.137.76.199)

 

3. Ensure the network devices have the correct time / clock configured

 

4. Finally, note that PI will not try to archive the configuration until 10 minutes (as per Administration > System Settings > Configuration Archive > Hold off Timer) after the Syslog is received, to prevent clogging up VTY sessions by multiple config fetches in quick succession.

 

5. If you believe the Syslog has properly come in and the config is not fetched after the Hold Off Timer, check the ifm_config_archive.log (at TRACE level if needed) for any activity or errors at the time of the syslog

 

hope it will help

 

Thanks-

Afroz

***Ratings Encourages Contributors ****


First of all, thanks for the informative answer.

Second, I think you didn't fully understand what my purpose is.

These logs are "exploding" my buffer, and I need it for other logs as well.

I'm satisfied that the PI is communicating with the device and archiving its configuration, but is there any way to make these logs not be saved in the buffer?

 

thanks,

Adir

Sure. You can use a logging discriminator to prevent the message(s) from being recorded as log events, either in the local buffer or as sent to any configured external logging host.
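An added example, not part of any post in this thread and not Cisco code: it parses lines in the decap-buffer format quoted above, decodes the `<189>` priority into facility 23 and severity 5, and compares what stays in a log when every CONFIG_I message is dropped versus only those sourced from the PI server. The sample lines, `PI_IP`, usernames and function names are constructed for illustration.

```python
import re

# Constructed sample in the decap-buffer line format quoted in the thread.
# Assumptions: 192.0.2.10 stands in for the PI server, 198.51.100.7 for an
# admin workstation; usernames and sequence numbers are made up.
PI_IP = "192.0.2.10"
SAMPLE = """\
<189>5249: Nov  7 22:00:15: %SYS-5-CONFIG_I: Configured from console by svc-pi on vty1 (192.0.2.10)
<189>5250: Nov  7 22:00:37: %SYS-5-CONFIG_I: Configured from console by svc-pi on vty2 (192.0.2.10)
<189>5251: Nov  8 03:12:44: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)
<189>5252: Nov  8 03:13:02: %SYS-5-CONFIG_I: Configured from console by console
<187>5253: Nov  8 03:14:10: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): (?P<ts>\w{3}\s+\d+ [\d:]+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<body>.*)$")
# Optional tail: "on vtyN (address)" is absent for changes made on the console.
SRC_RE = re.compile(r"by (?P<user>\S+)(?: on (?P<line>\S+) \((?P<src>[^)]+)\))?$")

def parse(line):
    """Parse one line into a dict, or return None if it is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # PRI = facility * 8 + severity, so <189> is local7 (23), notice (5).
    rec["syslog_facility"], rec["syslog_severity"] = divmod(int(rec["pri"]), 8)
    rec.update(user=None, line=None, src=None)
    if rec["mnem"] == "CONFIG_I":
        s = SRC_RE.search(rec["body"])
        if s:
            rec.update(s.groupdict())
    return rec

def surviving(text, drop):
    """Sequence numbers left in a log after applying a drop predicate."""
    recs = filter(None, map(parse, text.splitlines()))
    return [r["seq"] for r in recs if not drop(r)]

def drop_all_config(r):   # filter on the mnemonic alone
    return r["mnem"] == "CONFIG_I"

def drop_pi_only(r):      # filter on mnemonic plus PI source address
    return r["mnem"] == "CONFIG_I" and r["src"] == PI_IP

if __name__ == "__main__":
    print("drop every CONFIG_I :", surviving(SAMPLE, drop_all_config))
    print("drop PI-sourced only:", surviving(SAMPLE, drop_pi_only))
```

A filter keyed to the PI address leaves the console and workstation changes in the log, while a mnemonic-only filter removes them along with the PI noise.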

Hi Marvin,

 

Do you know why CPI needs to enter configuration mode *** to process the archive configuration task?

*** 7 22:00:15: %SYS-5-CONFIG_I: Configured from console by *username* on vty1

 

Is there any document/guide that explains how, and what type of commands, Prime executes on switches when doing this task?

 

Thanks in advance.

It enters config mode during inventory collection.

I can't remember the exact command it enters while there; but the behavior is documented in BugID CSCut31699.

It was supposed to be fixed in PI 3.0 but that BugID is not listed in the resolved caveats section of the 3.0 release notes.

I checked a network with Prime Infrastructure 3.0 installed and the managed switches are still showing the events.

Many Thanks Marvin!!!

You're welcome. Please rate helpful replies.

Just to be sure...

Can you confirm (or not) that CPI really needs write permissions for SNMP & SSH (on credentials Profile) to process "Inventory/Sync" and "Configuration Archive"?

The idea would be to use Prime as a query NMS  without possibility of writing in any device.

 

Regards.

If you give it read only credentials, it will report "partial collection failure". I have seen this firsthand.

I haven't analyzed what (if anything) is not gathered when that happens.

Instead I fixed the credentials to be RW - after validating that nothing is actually changed during normal monitoring operations (unless of course I request it via a configuration job)
