04-19-2019 09:52 AM
Hello,
In our production LAN switch environment we have Cisco ISE acting as the TACACS server, and we have Cisco Prime managing all switches.
Our third-party vendor has full access to our production switches. We want to trace configuration changes done by the third-party user and get a notification when changes are made by the third-party user. What will be the best approach to accomplish this?
04-19-2019 09:58 AM
Hi,
On the TACACS (ACS) server, you can log all user activities and then export them to something like Splunk to build a dashboard and alert you.
HTH
04-19-2019 10:18 AM
04-19-2019 10:28 AM
Hi,
Yes, Splunk is license based and can be expensive depending on how much you will use it. The other thing with Splunk is that you would need to do some JSON programming to get the alert you need.
I have never used this before but have a look at this link. This may be a simpler solution for what you need.
HTH
04-19-2019 11:02 AM - edited 04-19-2019 11:05 AM
Hello,
You could also use the 'archive' function on the devices and run an EEM script that notifies you by email when a change to the configuration has been made.
EEM script to track configuration changes:
enable
configure terminal
 archive
  log config
   logging enable
   ! 'entries' is the number of log entries to keep (a placeholder, not a literal value)
   logging size entries
   hidekeys
   notify syslog
 end
Each time the configuration is changed, it will generate a syslog message similar to this:
*Apr 19 09:52:28.129: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface GigabitEthernet0/0
You could use that to run an EEM script. The show archive command will show the difference between the startup and the running config and notify you by email.
event manager applet CFG_CHANGE
 ! fire on the syslog message generated by 'archive log config' above
 event syslog occurs 1 pattern "PARSER-5-CFGLOG_LOGGEDCMD"
 action 1.0 cli command "enable"
 action 2.0 cli command "show archive config differences nvram:startup-config system:running-config"
 ! $_cli_result holds the output of the previous cli command
 action 3.0 mail to "user@company.com" from "user@company.com" server "x.x.x.x" subject "Configuration has been changed:" body "$_cli_result"
04-19-2019 11:33 AM
04-19-2019 12:02 PM
Hello,
The script will run every time a user goes into config mode and adds a line. 'Conf t' by itself will not generate a syslog message that makes the script run; adding a line in e.g. interface configuration mode, such as 'ip address 192.168.1.1 255.255.255.0', will.
CPU and memory usage shouldn't be a problem. How often do 3rd party users make these changes?
04-19-2019 12:14 PM
04-19-2019 02:21 PM
Hello,
If you want the script only to be triggered when certain users log in, you need to change the script. The example below has two tags for 2 users; if you have more users, add additional event tags and an additional 'or' operator for the correlation.
Also, add actions 4.0 and 5.0 to the script, otherwise you might have a problem with running out of TTY lines...
event manager applet CFG_CHANGE
 ! one tagged event per user to watch; the trigger combines them
 event tag 1 syslog occurs 1 pattern "SYS-5-CONFIG_I: Configured from console by user_1"
 event tag 2 syslog occurs 1 pattern "SYS-5-CONFIG_I: Configured from console by user_2"
 trigger
  correlate event 1 or event 2
 action 1.0 cli command "enable"
 action 2.0 cli command "show archive config differences nvram:startup-config system:running-config"
 action 3.0 mail to "user@company.com" from "user@company.com" server "x.x.x.x" subject "Configuration has been changed:" body "$_cli_result"
 ! leave the CLI session cleanly so the applet does not hold a TTY line
 action 4.0 cli command "end"
 action 5.0 cli command "exit"
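As an added example (not code from this thread, from Cisco, or from the EEM applets above), the same check done on the collector side: a small Python script that parses the two syslog formats quoted in this thread from a constructed sample, keeps only the config-change lines produced by a named set of third-party accounts, and builds a notification body grouped per switch. The hostname prefix on each line, the usernames and the IPs are assumptions.

```python
import re

# Constructed sample syslog lines in the two formats quoted in this thread
# (not captured from a real device); hostnames, usernames and IPs are made up.
SAMPLE_LOG = """\
sw-core-01: *Apr 19 09:52:28.129: %PARSER-5-CFGLOG_LOGGEDCMD: User:vendor_1 logged command:interface GigabitEthernet0/0
sw-core-01: *Apr 19 09:52:31.002: %PARSER-5-CFGLOG_LOGGEDCMD: User:vendor_1 logged command:ip address 192.168.1.1 255.255.255.0
sw-core-01: *Apr 19 09:53:01.440: %SYS-5-CONFIG_I: Configured from console by vendor_1 on vty0 (10.0.0.5)
sw-edge-07: *Apr 19 10:10:12.110: %SYS-5-CONFIG_I: Configured from console by netops_admin on vty1 (10.0.0.9)
sw-edge-07: *Apr 19 10:15:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
"""

# Per-command message produced by 'archive log config' (first applet) and the
# config-mode exit message matched by the per-user applet (second applet).
LOGGEDCMD_RE = re.compile(
    r"^(?P<host>\S+): .*?%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) "
    r"logged command:(?P<command>.*)$")
CONFIG_I_RE = re.compile(
    r"^(?P<host>\S+): .*?%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+)"
    r"(?: on (?P<line>\S+) \((?P<ip>[^)]+)\))?")

def parse_event(line):
    """Return a dict for a config-change message, or None for anything else."""
    m = LOGGEDCMD_RE.match(line)
    if m:
        return {"host": m["host"], "user": m["user"], "kind": "command",
                "detail": m["command"].strip()}
    m = CONFIG_I_RE.match(line)
    if m:
        return {"host": m["host"], "user": m["user"], "kind": "config-exit",
                "detail": f"from {m['line'] or '?'} ({m['ip'] or '?'})"}
    return None

def third_party_changes(log_text, third_party_users):
    """Keep only config-change events made by the given third-party accounts."""
    watch = set(third_party_users)
    return [e for e in (parse_event(l) for l in log_text.splitlines())
            if e and e["user"] in watch]

def alert_text(events):
    """Group flagged events per switch into a short notification body."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(f"{e['user']}: {e['kind']} {e['detail']}")
    return "\n".join(f"{h}\n  " + "\n  ".join(v) for h, v in sorted(by_host.items()))

if __name__ == "__main__":
    print(alert_text(third_party_changes(SAMPLE_LOG, ["vendor_1"])))
```

The per-command lines only appear if 'archive log config' with 'notify syslog' is enabled on the switch, so a collector that sees only %SYS-5-CONFIG_I knows who changed something but not what.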
04-19-2019 11:28 PM
Hello Georg,
Thanks for sharing the script.
While searching on this I came across one centralized solution based on the TACACS accounting feature (which is already configured on our switches).
I also found our ISE server (TACACS+) is already receiving configuration change messages from the switches.
Now the only thing I need to work on is making ISE (TACACS+) send a notification/email when it receives such a message. Not sure if that is possible (any inputs on this are appreciated) but I will continue my search on this.
Best Regards,
Rupesh
12-15-2023 01:35 AM
Hi Rupesh,
Did you get any solution for this? I also have the same requirement. Please let me know if you got it.