Re: Log configuration changes on cisco devices

JustoSocarras27727 · ‎09-14-2020

Hello,

Our company wants to run a report every month to check if there were any changes on the current configuration for all Cisco equipment. I know there is a way to log every single command is typed on a device using:

1-archive

2-log config

3-logging enable

But that is not the best option because I do a lot of verifications on the switches and ASAs and type multiple command without changing the configuration.

Is there a way that I can log only when a change is done in the configuration?. So that way I can send them a report every month with the changes that were made.

Thank you in advance for your help!

balaji.bandi · ‎09-14-2020

If you looking to log changes in device it will not helpfull, since once the buffer over, it will be overwritten,

instead you can run EEM script once config changed, generate syslog event to syslog and upload config to remote server is best practice i see here.

but happy to listen if any idea available.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JustoSocarras27727 · ‎09-14-2020

Hi BB,

Thanks for this solution, but I have a question.

How will be the script for only send to the server a log file once config changed every day?

I don't want to log all the commands I type on the device.

Thanks.

Georg Pauwen · ‎09-14-2020

Hello,

the below will send an email daily containing the configuration changes.

It works in conjunction with the 'archive' function.

EEM script to track configuration changes:

1. enable
2. configure terminal
3. archive
4. log config
5. logging enable
6. logging size entries
7. hidekeys
8. notify syslog
9. end

The show archive command will show the difference between the startup and the running config and notify you by email.

event manager applet CFG_CHANGE
event timer watchdog name DAYLY time 86400
action 1.0 cli command "enable"
action 2.0 cli command "show archive config differences nvram:startup-config system:running-config"
action 3.0 mail to "user@company.com" from "user@company.com" server "x.x.x.x" subject "Configuration has been changed:" body "$_cli_result"
action 4.0 cli command "end"
action 5.0 cli command "exit"

JustoSocarras27727 · ‎09-14-2020

Hello Georg,

I believe this is exactly what I am looking for!.

I am going to implement this and then let you know the results.

Thank you for your support on this!

paul driver · ‎09-14-2020

Hello
Note: the EEM script is set to send the syslog the output of differential archive however the archive logging will still also capture the key strokes and send them to the syslog server

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

JustoSocarras27727 · ‎09-15-2020

Hi Georg,

This is the error I see "Error occurred when sending mail to SMTP server"

Sep 15 2020 11:12:26.046: %PARSER-5-CFGLOG_LOGGEDCMD: User:****** logged command:!exec: enable
Sep 15 2020 11:12:27.486: %PARSER-5-CFGLOG_LOGGEDCMD: User:****** logged command:!exec: enable
Sep 15 2020 11:12:41.622: %HA_EM-3-FMPD_SMTP: Error occurred when sending mail to SMTP server: ******** : error in connecting to SMTP server
Sep 15 2020 11:12:41.622: %HA_EM-3-FMPD_ERROR: Error executing applet Config_change statement 3.0

Note: I can ping and telnet to the server from the switch.

Please help.

Thank you.

Georg Pauwen · ‎09-15-2020

Hello,

you need to set the environment variables below:

Router(config)#event manager environment _email_to your-to-mail@domain.com
Router(config)#event manager environment _email_server your.mail.server
Router(config)#event manager environment _email_from your-from-mail@domain.com

JustoSocarras27727 · ‎09-15-2020

Hello Georg,

I have different error this time "timeout error".

Sep 15 2020 17:16:52.611: %HA_EM-3-FMPD_SMTP: Error occurred when sending mail to SMTP server: _email_server : timeout error

Regards,

balaji.bandi · ‎09-14-2020

Depends on the config you made at the device - if you achieve it will log all the command enter by the user, so tune that.

when any changes made by the user you get log info: "\%SYS-5-CONFIG_I: Configured"

if you like to send log to an external Syslog server and backup the config look the below thread :

https://community.cisco.com/t5/network-management/eem-backup-config-when-changes-made/td-p/2020494

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JustoSocarras27727 · ‎09-14-2020

Thanks BB for the reference link and your help. I really appreciate it!.

balaji.bandi · ‎09-14-2020

sure happy to help - let us know any issues further if you encounter with an example config to review.

if no further assistance required can we mark as resolve this?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JustoSocarras27727 · ‎09-14-2020

BB,

Please allow me to implement the configuration and then I will let you know if that resolve.

Thanks.

Georg Pauwen · ‎09-14-2020

The watchdog timer is 86400 (seconds), which equals 24 hours. If you want the script to run monthly, change the timer accordingly.