Our company wants to run a report every month to check if there were any changes to the current configuration of all Cisco equipment. I know there is a way to log every single command that is typed on a device using:
But that is not the best option, because I do a lot of verifications on the switches and ASAs and type multiple commands without changing the configuration.
Is there a way that I can log only when a change is made to the configuration? That way I can send them a report every month with the changes that were made.
Thank you in advance for your help!
If you are looking to log changes on the device, it will not be helpful, since once the buffer is full it will be overwritten.
Instead you can run an EEM script once the config has changed, generate a syslog event to the syslog server and upload the config to a remote server; that is the best practice I see here.
But happy to listen if any other idea is available.
Thanks for this solution, but I have a question.
How would the script look if it should send a log file to the server only once the config has changed, every day?
I don't want to log all the commands I type on the device.
The below will send an email daily containing the configuration changes.
It works in conjunction with the 'archive' function.
EEM script to track configuration changes:
2. configure terminal
4. log config
5. logging enable
6. logging size entries
8. notify syslog
The show archive command will show the difference between the startup and the running config and notify you by email.
event manager applet CFG_CHANGE
event timer watchdog name DAYLY time 86400
action 1.0 cli command "enable"
action 2.0 cli command "show archive config differences nvram:startup-config system:running-config"
action 3.0 mail to "email@example.com" from "firstname.lastname@example.org" server "x.x.x.x" subject "Configuration has been changed:" body "$_cli_result"
action 4.0 cli command "end"
action 5.0 cli command "exit"
I believe this is exactly what I am looking for!.
I am going to implement this and then let you know the results.
Thank you for your support on this!
Note: the EEM script is set to send the output of the differential archive via syslog; however, the archive logging will still also capture the keystrokes and send them to the syslog server.
This is the error I see: "Error occurred when sending mail to SMTP server"
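The monthly report the thread is after can be assembled from the syslog messages it shows. The Python script below is an added example, not code from the thread or from Cisco: it parses constructed sample lines in the %PARSER-5-CFGLOG_LOGGEDCMD and %SYS-5-CONFIG_I formats, drops the exec-mode "!exec:" entries (the verification commands the original poster does not want reported), and groups the remaining configuration commands by month and user. The sample lines, usernames, interface names and IP addresses are constructed, and the set of non-changing commands is an assumption.

```python
"""Build a monthly configuration-change report from Cisco syslog lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not a real capture) in the format the thread shows.
# Exec-mode commands recorded by 'archive log config' carry an '!exec:' prefix;
# configuration-mode commands are logged bare.
SAMPLE_LOG = """\
Sep 15 2020 11:12:26.046: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:!exec: enable
Sep 15 2020 11:12:27.486: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:!exec: show running-config
Sep 15 2020 11:13:02.100: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:interface GigabitEthernet0/1
Sep 15 2020 11:13:05.300: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:description uplink
Sep 15 2020 11:13:08.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:end
Sep 15 2020 11:13:10.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Oct 02 2020 09:00:00.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:ops logged command:no ip http server
"""

TS_FMT = "%b %d %Y %H:%M:%S"
TS_RE = r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
CFGLOG_RE = re.compile(
    TS_RE + r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) logged command:(?P<cmd>.*)$"
)
CONFIG_I_RE = re.compile(
    TS_RE + r"%SYS-5-CONFIG_I: Configured from (?P<source>.+?) by (?P<user>\S+)"
)

# Assumption: mode-navigation commands that archive logging records but that do not
# alter the running configuration.
NON_CHANGE_CMDS = {"end", "exit"}


def is_config_change(cmd):
    """True only for commands that can alter the running config."""
    c = cmd.strip()
    if c.startswith("!exec:"):      # exec-mode command (show, ping, enable, ...)
        return False
    return c not in NON_CHANGE_CMDS


def parse_line(line):
    """Return a dict describing a logged command or a CONFIG_I event, else None."""
    m = CFGLOG_RE.match(line)
    if m:
        return {"kind": "cmd", "ts": datetime.strptime(m["ts"], TS_FMT),
                "user": m["user"], "cmd": m["cmd"].strip()}
    m = CONFIG_I_RE.match(line)
    if m:
        return {"kind": "config_i", "ts": datetime.strptime(m["ts"], TS_FMT),
                "user": m["user"], "source": m["source"]}
    return None


def monthly_report(log_text):
    """Map 'YYYY-MM' -> {'changes': [(ts, user, cmd), ...], 'commits': n}."""
    report = defaultdict(lambda: {"changes": [], "commits": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                # unrelated syslog message
        month = ev["ts"].strftime("%Y-%m")
        if ev["kind"] == "config_i":
            report[month]["commits"] += 1   # someone left config mode
        elif is_config_change(ev["cmd"]):
            report[month]["changes"].append((ev["ts"], ev["user"], ev["cmd"]))
    return dict(report)


def format_report(report):
    """Render the report as plain text suitable for a monthly email."""
    out = []
    for month in sorted(report):
        entry = report[month]
        out.append(f"{month}: {len(entry['changes'])} config command(s), "
                   f"{entry['commits']} CONFIG_I event(s)")
        for ts, user, cmd in entry["changes"]:
            out.append(f"  {ts:%Y-%m-%d %H:%M:%S} {user}: {cmd}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(monthly_report(SAMPLE_LOG)))
```

Pointing the script at the syslog server's archive for the month gives the report the original poster wants, with the "show" and "enable" noise from verification sessions already filtered out; the CONFIG_I count is a cross-check that the command entries line up with actual exits from configuration mode.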
Sep 15 2020 11:12:26.046: %PARSER-5-CFGLOG_LOGGEDCMD: User:****** logged command:!exec: enable
Sep 15 2020 11:12:27.486: %PARSER-5-CFGLOG_LOGGEDCMD: User:****** logged command:!exec: enable
Sep 15 2020 11:12:41.622: %HA_EM-3-FMPD_SMTP: Error occurred when sending mail to SMTP server: ******** : error in connecting to SMTP server
Sep 15 2020 11:12:41.622: %HA_EM-3-FMPD_ERROR: Error executing applet Config_change statement 3.0
Note: I can ping and telnet to the server from the switch.
You need to set the environment variables below:
Router(config)#event manager environment _email_to email@example.com
Router(config)#event manager environment _email_server your.mail.server
Router(config)#event manager environment _email_from firstname.lastname@example.org
I have a different error this time: "timeout error".
Sep 15 2020 17:16:52.611: %HA_EM-3-FMPD_SMTP: Error occurred when sending mail to SMTP server: _email_server : timeout error
Depends on the config you made on the device - if you use archive, it will log all the commands entered by the user, so tune that.
When any change is made by the user you get the log info: "%SYS-5-CONFIG_I: Configured"
If you would like to send logs to an external syslog server and back up the config, look at the thread below:
Sure, happy to help - let us know if you encounter any further issues, with an example config to review.
If no further assistance is required, can we mark this as resolved?
The watchdog timer is 86400 (seconds), which equals 24 hours. If you want the script to run monthly, change the timer accordingly.