How to setup Configuration Change Notification and Tracking
Have you ever found yourself troubleshooting a problem caused by a coworker or consultant mistyping a command? It happens; everyone makes mistakes. What's frustrating is when people won't own up and admit they made the mistake. Not only is it dishonest, it can also slow down the resolution, because knowing what was changed tells you what to undo.
As a result, you might find yourself wishing there was a relatively simple way to see every command typed into every router and switch in the network. You can do this with an AAA server, but it can be cumbersome to scour through the logs on your ACS server. However, there is another way, and it's really easy to configure.
Configuration Change Notification and Logging, or simply Configuration Logging, is Cisco's method to log every configuration command entered on your Cisco IOS routers and switches. The feature was introduced in 12.3(4)T & 12.2(25)S, so it should be available in almost any IOS device that's been upgraded in the last 5 years. It can log locally up to a specified number of lines of config, and even send the commands off to a syslog server.
The following examples are from a Cisco 3550 switch and demonstrate how to configure and monitor change logging.
To begin, first enter global configuration mode and then archive log config mode:
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#archive
Switch(config-archive)#log config
Switch(config-archive-log-cfg)#
Here is the context help to see what's available in this config mode:
Switch(config-archive-log-cfg)#?
commands for controlling config logging:
  default   Set a command to its defaults
  exit      Exit from the log config submode
  hidekeys  suppress output (e.g. passwords) when displaying logged commands
  logging   Modify config logging parameters
  no        Negate a command or set its defaults
  notify    Send logged commands to target applications
  record    What to record in the config logger
To enable the config logging feature, type logging enable:
Switch(config-archive-log-cfg)#logging enable
Config logging is disabled by default, so without this command none of the other settings have any effect. By default, 100 commands are kept in the log, but this can be changed with the following command (for example, 500):
Switch(config-archive-log-cfg)#logging size 500
Also by default, passwords and SNMP community strings are logged in plain text. Use the following command to hide them:
Switch(config-archive-log-cfg)#hidekeys
After entering this command, passwords, SNMP community strings, and other sensitive information are replaced with asterisks (*****) in the logged commands.
Finally, to have the commands shipped off to a syslog server and/or the local log buffer, use the following command:
Switch(config-archive-log-cfg)#notify syslog
The logged data is plain text by default, but it can be formatted as XML using the "notify syslog contenttype xml" option.
To summarize all those commands, here's the configuration as you would see it in a show running-config output:
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
To see this feature in action, there are a couple of show commands you can use. The first is the show archive log config command. It has a few variations: you can begin at a certain index number, or use the all keyword to see everything that has been logged:
Switch#show archive log config all
idx sess user@line Logged command
1 1 unknown user@vty0 | logging enable
2 1 unknown user@vty0 | logging size 500
3 1 unknown user@vty0 | hidekeys
4 1 unknown user@vty0 | notify syslog
5 2 unknown user@vty0 |banner motd # Test Banner #
6 3 unknown user@vty0 |archive
7 3 unknown user@vty0 | log config
8 3 unknown user@vty0 | logging enable
9 3 unknown user@vty0 | exit
10 3 unknown user@vty0 | exit
11 3 unknown user@vty0 |interface lo5000
12 3 unknown user@vty0 | ip address 10.50.50.254 255.255.255.0
13 3 unknown user@vty0 | no shutdown
14 3 unknown user@vty0 | exit
15 3 unknown user@vty0 |router eigrp 5000
16 3 unknown user@vty0 | no auto-summary
17 3 unknown user@vty0 | network 10.50.50.0 0.0.0.255
18 4 unknown user@vty0 |logging 10.0.10.201
19 5 unknown user@vty0 |router ospf 44
20 5 unknown user@vty0 | no auto-cost
21 5 unknown user@vty0 | network 10.10.10.0 0.0.0.255 area 0
22 5 unknown user@vty0 | exit
23 5 unknown user@vty0 |snmp-server community *****
24 6 unknown user@vty0 |snmp-server community *****
25 6 unknown user@vty0 |username tekcert password *****
You can also see the result in the local log if you are logging to the local buffer:
*Mar 1 14:03:59.108: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:interface lo5000
*Mar 1 14:04:00.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback5000, changed state to up
*Mar 1 14:04:13.008: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:ip address 10.50.50.254 255.255.255.0
*Mar 1 14:04:14.464: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:no shutdown
*Mar 1 14:04:16.860: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:exit
*Mar 1 14:04:19.732: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:router eigrp 5000
*Mar 1 14:04:24.252: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:no auto-summary
*Mar 1 14:04:42.604: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:network 10.50.50.0 0.0.0.255
*Mar 1 14:04:46.432: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.20.2)
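Once these %PARSER-5-CFGLOG_LOGGEDCMD messages reach a syslog server, the useful next step is to pick out the ones that matter. The following added example (my own code, not from the post) parses lines in the format shown above, alerts on commands that touch logging, credentials, SNMP, AAA or the config logger itself, and spots credential commands that were logged without the ***** masking that hidekeys provides. The watchlist and the sample lines are assumptions constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample (not from the post): CFGLOG lines like those above, plus three
# assumed entries: a masked SNMP string, a syslog-server removal, an unmasked password.
SAMPLE_LOG = """\
*Mar 1 14:03:59.108: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:interface lo5000
*Mar 1 14:04:00.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback5000, changed state to up
*Mar 1 14:04:14.464: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:no shutdown
*Mar 1 14:05:02.100: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:snmp-server community *****
*Mar 1 14:05:10.500: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:no logging 10.0.10.201
*Mar 1 14:05:20.900: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:username guest password EXAMPLE-PLAINTEXT
"""

CFGLOG_RE = re.compile(
    r"^\*?(?P<ts>[A-Za-z]{3}\s+\d+\s+[\d:.]+): %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>.+?) logged command:(?P<cmd>.*)$")

# Command stems worth an alert (an assumed list, not from the post).
WATCHLIST = ("logging", "snmp-server", "username", "aaa ", "enable secret",
             "enable password", "archive", "hidekeys", "notify syslog")
SECRET_STEMS = ("username", "snmp-server community", "enable secret", "enable password")
ConfigChange = namedtuple("ConfigChange", "ts user cmd")

def parse_cfglog(text):
    """Keep only CFGLOG_LOGGEDCMD lines; other syslog (UPDOWN, CONFIG_I) is skipped."""
    out = []
    for line in text.splitlines():
        m = CFGLOG_RE.match(line.strip())
        if m:
            out.append(ConfigChange(m["ts"], m["user"], m["cmd"].strip()))
    return out

def stem(cmd):
    """Treat 'no X' like 'X' so that removals (e.g. 'no logging ...') are caught too."""
    return cmd[3:] if cmd.startswith("no ") else cmd

def flag_sensitive(changes):
    """Changes whose command (or its negation) starts with a watchlist entry."""
    return [c for c in changes if stem(c.cmd).startswith(WATCHLIST)]

def unmasked_secrets(changes):
    """Credential commands whose last token is not the ***** that hidekeys writes."""
    return [c for c in changes
            if c.cmd.startswith(SECRET_STEMS) and set(c.cmd.split()[-1]) != {"*"}]

if __name__ == "__main__":
    for c in flag_sensitive(parse_cfglog(SAMPLE_LOG)):
        print("ALERT", c.ts, c.user, c.cmd)
```

Feeding the same parser the output of "more flash:/logdir/..." from a persistent log works too, since the message format is identical.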
If you have a cool example of how you've used this in your company or if you have any questions, please post a comment below.
Comments
Thank you for this one, was looking for this kind of feature without all the hassle of setting up accounting on Cisco ACS.
We just set it up on one switch, logging to kiwi syslog and writing all config changes to a separate txt-file. Works perfectly!
very nice
but the question is whether it always has time to send to syslog before a mistaken command someone made drops its, let's say, management VLAN :D
or
If it's reloaded, I guess the things it's logged are locally gone, right?
Can this archive print to a local file?
persistent logging
You can make the logging write to a file on the flash:
logging persistent url flash:/logdir
show flash:
735 Jan 26 2012 23:10:54 logdir/log_20120126-231054
and then you can use the more command to see the content of the file:
more flash:/logdir/log_20120126-231054
hope it helps :)
Thanks
Many thanks for this Adam.
This clears up my question perfectly.
I have already rolled this out to one of our sites.
I have it sending syslog messages to our monitoring software, which in turn sends email alerts out to the senior admins when certain commands are entered.
Great topic
Thanks Adam,
Hi,
Cool config. Tell me, is this possible on ASA, and if so, how?
very useful
Thanks for the tip.
I was wondering if this can be done on any Cisco Nexus switches.
I tried it on 6500s and it worked. It is also working on Nexus 5k, but I don't see an "archive" command on Nexus 7k. Do you happen to know any workaround for that one? I prefer to have this enabled globally instead of just on some switches.
I'd appreciate any tips.
Thanks
It doesn't look like they've moved that command over to the 7k yet. I have heard that the 5k gets features faster since it is a fixed form factor switch. Since there are various modules for the 7k, it takes a bit longer to get new features to market.
Here's a link to the master command list for Nexus 7k's running 5.x code:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/master/...
Perhaps in the future this feature will be added.