11-25-2014 05:47 AM
Hi,
When I check the logs on my devices in the network, I see the following repeated message:
Nov 7 22:00:15: %SYS-5-CONFIG_I: Configured from console by *username* on vty1 (*CiscoPI_IP*)
Nov 7 22:00:37: %SYS-5-CONFIG_I: Configured from console by *username* on vty2 (*CiscoPI_IP*)
Nov 8 22:00:06: %SYS-5-CONFIG_I: Configured from console by *username* on vty1 (*CiscoPI_IP*)
Nov 8 22:00:34: %SYS-5-CONFIG_I: Configured from console by *username* on vty2 (*CiscoPI_IP*)
Is there any option I can configure so I won't see those logs from the PI?
Thanks in advance,
Adir
11-25-2014 06:59 AM
Hi Adir,
A few suggestions and some information for this error:
The "Archive Configuration on receiving configuration change events" feature gets triggered when a config change syslog is sent to the PI server, not a trap. Network devices (routers/switches) must have the following configurations:
> "logging x.x.x.x" (where x.x.x.x is the IP address of your PI server); and
> "logging trap <severity>". The config change syslogs typically have a severity level of 5 (%SYS-5-CONFIG_I).
> "logging source-interface xxx" (if the IP address used to manage the device is different to the interface sending syslog)
Secondly, when the PI receives a config change syslog, it will also check to see if there are any changes in the configuration. If there are no changes made in the configuration compared to the previous archive, PI will not create a new archive. If there are changes, it should then create a new archive entry.
In PI, only Sev 0,1,2 syslogs can be seen under Operate > Alarms & Events (anything lower than that is not logged to the Database), so in order to troubleshoot whether the PI server is receiving the Sev 5 notification - %SYS-5-CONFIG_I syslog messages, you will need to do one of the following:
1. TCPDUMP - e.g. "tcpdump -v host 10.x.x.x and port 514" (where 10.x.x.x is the IP of my switch)
Example of output:
tcpdump -v host 10.x.x.x and port 514
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:51:50.461685 IP (tos 0x0, ttl 255, id 638, offset 0, flags [none], proto: UDP (17), length: 136) 10.x.x.x.52625 > NCS12-190.syslog: SYSLOG, length: 108
Facility local7 (23), Severity notice (5)
Msg: 639: 005755: Apr 3 01:51:49: %SYS-5-CONFIG_I: Co[|syslog]
2. You can dump it from the decap buffer:
"strings /opt/CSCOlumos/decap/data/SyslogRcv_Main_514 | grep CONFIG_I"
Example of output:
<189>5249: Apr 3 12:49:12: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.137.76.199)
<189>5250: Apr 3 12:49:21: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.137.76.199)
3. Ensure the network devices have the correct time / clock configured
4. Finally, note that PI will not try to archive the configuration until 10 minutes (as per Administration > System Settings > Configuration Archive > Hold off Timer) after the syslog is received, to prevent clogging up VTY sessions by multiple config fetches in quick succession.
5. If you believe the syslog has properly come in and the config is not fetched after the Hold Off Timer, check the ifm_config_archive.log (at TRACE level if needed) for any activity or errors at the time of the syslog.
Hope it will help.
Thanks-
Afroz
***Ratings Encourages Contributors ****
11-26-2014 05:30 AM
First of all, thanks for the informative answer.
Second, I think you didn't fully understand what my purpose is.
These logs are "exploding" my buffer, and I need it for other logs as well.
I'm satisfied that the PI is communicating with the device and archiving its configuration, but is there any way to keep these logs from being saved in the buffer?
Thanks,
Adir
11-26-2014 05:56 AM
Sure. You can use a logging discriminator to prevent the message(s) from being recorded as log events, either in the local buffer or as sent to any configured external logging host.
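The narrow match this thread is after, as an added example (not code from any poster or from Cisco): it parses lines in the format of the decap buffer dump shown earlier, decodes the PRI field, and marks as suppressible only CONFIG_I events whose user and source address both match the PI server, so configuration changes from anyone else stay in the log. The sample lines, the `pi-svc` user name and the 192.0.2.x addresses are constructed.

```python
import re

# <PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: body (format of the dump above)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): (?P<ts>.+?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<body>.*)$")
CONFIG_I_RE = re.compile(
    r"^Configured from (?P<origin>\S+) by (?P<user>\S+) on (?P<line>\S+)"
    r"(?: \((?P<src>[0-9a-fA-F.:]+)\))?$")

def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity): 189 -> (23, 5)."""
    return pri >> 3, pri & 7

def parse(line):
    """Return a dict describing one syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["facility"], ev["severity"] = decode_pri(int(ev.pop("pri")))
    cfg = CONFIG_I_RE.match(ev["body"]) if ev["mnemonic"] == "CONFIG_I" else None
    ev.update(cfg.groupdict() if cfg else {"user": None, "src": None})
    return ev

def triage(lines, pi_ip, pi_user):
    """Return (suppress, keep); only CONFIG_I by pi_user from pi_ip is suppressed."""
    suppress, keep = [], []
    for line in lines:
        ev = parse(line)
        is_pi = (ev is not None and ev["mnemonic"] == "CONFIG_I"
                 and ev["src"] == pi_ip and ev["user"] == pi_user)
        (suppress if is_pi else keep).append(line)
    return suppress, keep

# Constructed sample lines (hypothetical user names, documentation addresses).
SAMPLE = [
    "<189>101: Nov 7 22:00:15: %SYS-5-CONFIG_I: Configured from console by pi-svc on vty1 (192.0.2.10)",
    "<189>102: Nov 7 22:00:37: %SYS-5-CONFIG_I: Configured from console by pi-svc on vty2 (192.0.2.10)",
    "<189>103: Nov 8 01:14:02: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.77)",
    "<189>104: Nov 8 01:20:45: %SYS-5-CONFIG_I: Configured from console by pi-svc on vty0 (192.0.2.77)",
    "<189>105: Nov 8 02:03:11: %SYS-5-CONFIG_I: Configured from console by admin on console",
    "<187>106: Nov 8 03:12:44: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    drop, keep = triage(SAMPLE, "192.0.2.10", "pi-svc")
    print(f"suppress {len(drop)}, keep {len(keep)}")
    for line in keep:
        print("KEEP", line)
```

The fourth sample line, the PI account logging in from an address that is not the PI server, is kept on purpose: a filter keyed on the mnemonic or the user name alone would hide it.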
10-14-2015 06:47 AM
Hi Marvin,
Do you know why CPI needs to enter configuration mode *** to process the archive configuration task?
*** 7 22:00:15: %SYS-5-CONFIG_I: Configured from console by *username* on vty1
Is there any document/guide that explains how, and what type of commands, Prime executes on switches when doing this task?
Thanks in advance.
10-14-2015 06:56 AM
It enters config mode during inventory collection.
I can't remember the exact command it enters while there; but the behavior is documented in BugID CSCut31699.
It was supposed to be fixed in PI 3.0 but that BugID is not listed in the resolved caveats section of the 3.0 release notes.
I checked a network with Prime Infrastructure 3.0 installed and the managed switches are still showing the events.
10-14-2015 06:57 AM
Many Thanks Marvin!!!
10-14-2015 06:58 AM
You're welcome. Please rate helpful replies.
10-14-2015 08:58 AM
Just to be sure...
Can you confirm (or not) that CPI really needs write permissions for SNMP & SSH (on credentials Profile) to process "Inventory/Sync" and "Configuration Archive"?
The idea would be to use Prime as a query NMS without possibility of writing in any device.
Regards.
10-14-2015 09:04 AM
If you give it read only credentials, it will report "partial collection failure". I have seen this firsthand.
I haven't analyzed what (if anything) is not gathered when that happens.
Instead I fixed the credentials to be RW - after validating that nothing is actually changed during normal monitoring operations (unless of course I request it via a configuration job).