running config/logging change log

petercinvest · ‎09-16-2015

the last running config is modified at April.3.2015, when network engineer log in Sep.5, after login/logout, the show run command shows running config is updated at Sep.5.

but network engineer says he didn't change any configuration, so how to verify which are the commands he add in the running config at Sep.5?

how to know the length of time system keep logging info, if I run show logging in Sep.12, I find error log of Aug.15 is missing

thanks

Mark Malone · ‎09-16-2015

You cant really verify after the fact the exact changes that have been made unless it was previously setup or you have some 3rd party software recording changes like LMS/Prime and matching configurations. If you have taken a pervious show run you could match the new 1 against it

Your system will keep logging set as long as the buffer is set in show log, you can increase it but you should always log to external source as to prevent loosing logging if router reboots as its stored in nvram

On the router to capture changes like this you should have archiving setup

There are a few ways to do it, notify syslog send to flash or tftp etc , see this doc for guidelines on how to setup for capturing future changes

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-3s/config-mgmt-xe-3s-book/cm-config-logger.html#GUID-A499326A-FC6F-4F60-AF74-2972A16A3F47

Steve Fuller · ‎09-16-2015

Hi,

What you're able to gather will probably depend upon the OS type and verison running on the switch.

"so how to verify which are the commands he add in the running config at Sep.5?"

What is the platform type and which OS version is it running? If it's a recent Cisco IOS based platform you could try the command show archive config differences system:running-config nvram:startup-config. See Contextual Configuration Diff Utility for more details.

"how to know the length of time system keep logging info, if I run show logging in Sep.12, I find error log of Aug.15 is missing"

Do you mean that there are logs for days before and after Aug-15, but those for the day of Aug-15 are missing? Or do you mean the log only goes as far as Aug-15. The log on a router or switch will typically "wrap" with the older log messages being over-written, and obviously the number of log messages will affect how old the earliest message is. For example if you had an interface that was continually going up/dow, you'd find the log wraps very quickly. The size of the log can vary by platform and on IOS devices can be changed using the logging buffered <log_size> command.

Regards

petercinvest · ‎09-16-2015

which command I can use to check how old switch keep the logging info, 28 days, 1 month, 2 month?

Steve Fuller · ‎09-16-2015

Hi,

A switch doesn't keep log messages for a specific period of time, but rather keeps as many messages as will fit into the buffer, which has a value configured in bytes. If you run the command show logging you'll see the size shown as Log Buffer (xxxx bytes) just prior to the first log message. The first message after the Log Buffer line is the oldest message. For example:

c1kv-1#sh log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
[..]
Log Buffer (4096 bytes):
tate to up
*Sep  6 15:52:50.043: %CONFIG_CSRLXC-5-CONFIG_DONE: Configuration was applied and saved to NVRAM. See bootflash:/csrlxc-cfg.log for more details.
*Sep  6 15:52:50.972: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up
*Sep  6 15:52:50.978: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2, changed state to up

Here you can see I have a router with a 4096-byte buffer and messages dating back to Sep-6 at 15:52:50.

If there are low numbers of messages per day, then you'll be able to see older messages than if you have a high number of messages per day.

Regards