Re: Trace Configuration Changes on Switches

Rupesh1 · ‎04-19-2019

Hello,

In our production LAN Switch environment we have Cisco ISE acting as TACACS server, We have Cisco Prime managing all switches.

Our Third party vendor have full access on our Production switches. We want to trace Configuration changes done by third party user and get notification when there is changes done by Third Party user. What will be the best approach to accomplish this ?

Reza Sharifi · ‎04-19-2019

Hi,

On the TACACS (ACS) server, you can log all user activities and then export them to something like Splunk to build a dash and alert you.

HTH

Rupesh1 · ‎04-19-2019

Hi Reza,
Thanks for quick response.

I am not familiar with splunk but I will explore. Can you please help to
understand what infrastructure do we need for splunk and is there any
licensing involved .

We have python server if that can be use here?

Also scripting is only option here?

Reza Sharifi · ‎04-19-2019

Hi,

Yes, Splunk is license based and can be expensive depends on how much you will use it. The other thing with Splunk is that you would need to do some JSON programming to get the alert you need.

I have never used this before but have a look at this link. This may be a simpler solution for what you need.

https://www.eventtracker.com/EventTracker/media/EventTracker/Files/support-docs/Integration-Guide-Cisco-ACS.pdf

HTH

Georg Pauwen · ‎04-19-2019

Hello,

you could also use the 'archive' function on the devices and run an EEM script that notifies you by email when a change to the configuration has been made.

EEM script to track configuration changes:

1. enable
2. configure terminal
3. archive
4. log config
5. logging enable
6. logging size entries
7. hidekeys
8. notify syslog
9. end

Each time the configuration is changed, it will generate a syslog message similar to this:

*Apr 19 09:52:28.129: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface GigabitEthernet0/0

You could use that to run an EEM script. The show archive command will show the difference between the startup and the running config and notify you by email.

event manager applet CFG_CHANGE
event syslog occurs 1 pattern "PARSER-5-CFGLOG_LOGGEDCMD"
action 1.0 cli command "enable"
action 2.0 cli command "show archive config differences nvram:startup-config system:running-config"
action 3.0 mail to "user@company.com" from "user@company.com" server "x.x.x.x" subject "Configuration has been changed:" body "$_cli_result"

Rupesh1 · ‎04-19-2019

Hi Georg,

Thanks for reply.

I would like to try this, But before I configure it in production please
help me to understand on below queries.

1. How frequent EEM script will run and send email notification? every time
when user enter new configuration line? or is it like when he exit
configuration mode.

2. Is it recommended to use EMM script on small switches like 2960, 3560
etc (we have at these on some branch location and I am little concern
about CPU and memory consumption due to EEM)

Georg Pauwen · ‎04-19-2019

Hello,

the script will run every time a user goes into config mode and adds a line. 'Conf t' by itself will not generate a syslog message that makes the script run, adding a line in e.g. interface configuration mode such as 'ip address 192.168.1.1 255.255.255.0' will.

CPU and memory usage shouldn't be a problem. How often do 3rd party users make these changes ?

Rupesh1 · ‎04-19-2019

Hello Georg,

3rd part users - not that frequent, 2-3 times in week.

But our in-house support team work frequently on those Switches.

Thanks
Rupesh

Georg Pauwen · ‎04-19-2019

Hello,

if you want the script only to be triggered when certain users log in, you need to change the script. The example below has two tags for 2 users, if you have more users, add additional event tags and and additional 'or' operator for the correlation.

Also, add actions 4.0 and 5.0 to the script, otherwise you might have a problem with running out of TTY lines...

event manager applet CFG_CHANGE
event tag 1 syslog occurs 1 pattern "SYS-5-CONFIG_I: Configured from console by user_1"
event tag 2 syslog occurs 1 pattern "SYS-5-CONFIG_I: Configured from console by user_2"
trigger
correlate event 1 or event 2
action 1.0 cli command "enable"
action 2.0 cli command "show archive config differences nvram:startup-config system:running-config"
action 3.0 mail to "user@company.com" from "user@company.com" server "x.x.x.x" subject "Configuration has been changed:" body "$_cli_result"
action 4.0 cli command "end"
action 5.0 cli command "exit"

Rupesh1 · ‎04-19-2019

Hello Georg,

Thanks for sharing script.

While searching on this I came across one centralized solution based on TACACS accounting feature (Which is already configured on our switches).

I also found our ISE server (TACACS+) is already receiving configuration changes message from switches.

Now only thing I need to work on is make ISE (TACACS+) to send notification/email when it receive such message. Not sure if that is possible (any inputs on this are appreciated) but I will continue my search on this.

Best Regards,

Rupesh

vasuandvasu619 · ‎12-15-2023

Hi Rupesh,

Did you got any solution for this? I also have same requirement. Please let me know if you got it.