ASR9K (IOS-XR) logging cli command

abrissonnet
Level 1

Hi everyone,

Is there a way to log all CLI commands without a TACACS server on IOS-XR (like "archive config" in IOS/IOS-XE)?

I know that "show cli history detail" can print all commands, but I want to store them in the log and send them to an external syslog server.

Thanks in advance

5 Replies

Eddie Chami
Cisco Employee

So you have show cli hist,

you have the commit database which stores all the configs modified,

you can also archive logs,

you can also automatically export the config on every commit,

But there isn't a native function that exports the commands punched on the CLI; you can script it.

What are you trying to achieve? What's the end goal?

Eddie.

Reason.

Why can't IOS-XR support a nice operational feature that classic IOS has?

Second.

Now in the world of automation and scripting, it would be nice to easily make a complete list of what users do from the CLI in a network based on hundreds of ASR9Ks. Especially when we establish node access over a portal instead, then prepopulated with "top-of-the-poplist" with filtered and nicely structured CLI commands.

Etc. Etc....

Owe Grafford 

Configurations on many IOS-XR devices tend to be large. I know about instances where it takes 5 minutes to display the full running config. Hence archiving the full config after every update may become a challenge in terms of disk space utilisation. The "sh configuration commit list" allows you to go back and check on the last 100 commit updates, which would be the equivalent of the most recent 100 archived configurations.

For the centralised monitoring of commands executed by users: have you considered TACACS for that purpose? Instead of polling the CLI history from each router, you could simply poll that from the TACACS server.

 

/Aleksandar

Hi Aleksandar,

Thanks for the very quick response!

Our goal is to centralize only the cli commands and the actual configuration
commands ( stored in each "sh conf commit changes xxxx" ), not the result of
the commands or the configuration itself.

The can store 5000 commands, which is less than 4
days of history in our ASR9ks, mostly due to our check scripts.

Not all commits contain something relevant to a network issue. Not
centralizing those commands makes it difficult to find patterns and compare
with other networks' changes and/or behavior.

There has been no problem logging configuration commands from Classic IOS
devices (%PARSER-5-CFGLOG_LOGGEDCMD: ) such as large 7600-based PE-routers.
So from an end user perspective I found it strange that very powerful IOS-XR
based platforms can't cope with the load of forwarding some commands.

The idea of accessing the data in the TACACS server is in our case
unfortunately not a way forward since we are not in control of that platform
for several reasons.

Regards,

/Owe

Hi Owe,

 

I'm not saying that IOS XR platforms can't cope with a load of forwarding some commands. :) I'm saying that this is not something that IOS XR customers were asking for, so we never implemented it.

 

Instead of waiting on a new feature to be developed, you could resolve this with the EEM/Tcl script that would wake up on a syslog message:

 

RP/0/RSP0/CPU0:Jan 18 15:24:51.372 CET: config[65927]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'foo'. Use 'show configuration commit changes 1000000436' to view the changes.

 

then execute "show configuration commit changes 1000000436" and finally notify the central repository of this change. You can configure the script to generate the "%PARSER-5-CFGLOG_LOGGEDCMD" syslog message that I understand is picked up by your central monitoring system. 

 

In general, our automation efforts are slated towards data-models. We recommend netconf for service provisioning.

 

/Aleksandar
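
The workflow suggested in the reply above (react to the `%MGBL-CONFIG-6-DB_COMMIT` notice, fetch the commit changes, emit one log record per command), shown as an added Python example for a syslog collector rather than as EEM/Tcl on the router. It is not code from the thread or from Cisco: the function names, the sample changes output and the record layout (modelled on the classic IOS mnemonic named in the thread) are assumptions, and fetching the command output from the router is left to whatever access method you already use.

```python
import re

# Commit notice as quoted in the thread. The id must be digits only, so
# untrusted log text can never smuggle extra CLI into the follow-up command.
COMMIT_RE = re.compile(
    r"^\S+?:.+?: config\[\d+\]: %MGBL-CONFIG-6-DB_COMMIT : "
    r"Configuration committed by user '(?P<user>[^']+)'\. Use 'show "
    r"configuration commit changes (?P<cid>\d{1,20})' to view the changes\.$")
NOTICE = ("RP/0/RSP0/CPU0:Jan 18 15:24:51.372 CET: config[65927]: "
          "%MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'foo'. Use "
          "'show configuration commit changes 1000000436' to view the changes.")
# Constructed sample of what the follow-up command might return.
CHANGES = """Building configuration...
interface GigabitEthernet0/0/0/1
 description uplink-to-core
 shutdown
!
router static
 address-family ipv4 unicast
  192.0.2.0/24 Null0
!
end
"""

def parse_commit_notice(line):
    """Return (user, commit_id, follow-up command), or None if no match."""
    m = COMMIT_RE.match(line.strip())
    if not m:
        return None
    return m["user"], m["cid"], f"show configuration commit changes {m['cid']}"

def flatten_changes(output):
    """One entry per config line, prefixed with its parent sub-modes."""
    stack, cmds = [], []
    for raw in output.splitlines():
        text = raw.strip()
        if not text or text[0] == "!" or text == "end" or text.startswith("Building"):
            continue
        del stack[len(raw) - len(raw.lstrip(" ")):]  # one space per level
        stack.append(text)
        cmds.append(" ; ".join(stack))
    return cmds

def to_records(notice, output):
    """Per-command records; the field layout is an assumption."""
    parsed = parse_commit_notice(notice)
    if not parsed:
        return []
    user = re.sub(r"[^\x21-\x7e]", "?", parsed[0])  # keep log fields printable
    return [f"%PARSER-5-CFGLOG_LOGGEDCMD: User:{user}  logged command:{c}"
            f" (commit {parsed[1]})" for c in flatten_changes(output)]
```

Because only the user, the commit id and the changed lines leave the router, this matches the stated goal of centralizing commands rather than full configurations.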