
How to setup Configuration Change Notification and Tracking

Have you ever found yourself troubleshooting a problem caused by a coworker or consultant mistyping a command? It happens, everyone makes mistakes, but what's frustrating is when people won't own up and admit they made the mistake. Not only is it dishonest, it can impede a fast resolution, because nobody knows what needs to be undone.

As a result, you might find yourself wishing there was a relatively simple way to see every command typed into every router and switch in the network. You can do this with an AAA server, but it can be cumbersome to scour through the logs on your ACS server. However, there is another way, and it's really easy to configure.

Configuration Change Notification and Logging, or simply Configuration Logging, is Cisco's method of logging every configuration command entered on your Cisco IOS routers and switches. The feature was introduced in 12.3(4)T and 12.2(25)S, so it should be available in almost any IOS device that's been upgraded in the last 5 years. It can keep a specified number of config lines in a local log, and can also send the commands off to a syslog server.

The following examples are from a Cisco 3550 switch and demonstrate how to configure and monitor change logging.

To begin, first enter global configuration mode and then archive log config mode:

Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#archive
Switch(config-archive)#log config
Switch(config-archive-log-cfg)#

Here is the context help to see what's available in this config mode:

Switch(config-archive-log-cfg)#?
commands for controlling config logging:
  default   Set a command to its defaults
  exit      Exit from the log config submode
  hidekeys  suppress output (e.g. passwords) when displaying logged commands
  logging   Modify config logging parameters
  no        Negate a command or set its defaults
  notify    Send logged commands to target applications
  record    What to record in the config logger

To enable the config logging feature, type logging enable:

Switch(config-archive-log-cfg)#logging enable 

Config logging is disabled by default, so without typing this, none of the other settings will have any effect. By default, 100 commands will be logged, but this can be changed with the following command (for example, 500):

Switch(config-archive-log-cfg)#logging size 500

Also by default, passwords and SNMP community strings are logged in plain text. Use the following command to hide passwords:

Switch(config-archive-log-cfg)#hidekeys 

After entering this command, passwords, SNMP community strings, and other sensitive information will be replaced with asterisks (*****).

Finally, to have the commands shipped off to a syslog server and/or the local log buffer, use the following command:

Switch(config-archive-log-cfg)#notify syslog

The logged data is in plain text by default, but can be formatted as XML using the notify syslog contenttype option.

To summarize all those commands, here's the configuration as you would see it in show running-config output:

archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys

To see this feature in action, there are a couple of show commands you can use. The first is the show archive log config command. This command has variations to begin at a certain index number, or you can use the all keyword to see everything that has been logged:

Switch#show archive log config all
 idx   sess           user@line      Logged command
    1     1   unknown user@vty0     |  logging enable
    2     1   unknown user@vty0     |  logging size 500
    3     1   unknown user@vty0     |  hidekeys
    4     1   unknown user@vty0     |  notify syslog
    5     2   unknown user@vty0     |banner motd # Test Banner #
    6     3   unknown user@vty0     |archive
    7     3   unknown user@vty0     | log config
    8     3   unknown user@vty0     |  logging enable
    9     3   unknown user@vty0     |  exit
   10     3   unknown user@vty0     |   exit
   11     3   unknown user@vty0     |interface lo5000
   12     3   unknown user@vty0     | ip address 10.50.50.254 255.255.255.0
   13     3   unknown user@vty0     | no shutdown
   14     3   unknown user@vty0     | exit
   15     3   unknown user@vty0     |router eigrp 5000
   16     3   unknown user@vty0     | no auto-summary
   17     3   unknown user@vty0     | network 10.50.50.0 0.0.0.255
   18     4   unknown user@vty0     |logging 10.0.10.201
   19     5   unknown user@vty0     |router ospf 44
   20     5   unknown user@vty0     | no auto-cost
   21     5   unknown user@vty0     | network 10.10.10.0 0.0.0.255 area 0
   22     5   unknown user@vty0     | exit
   23     5   unknown user@vty0     |snmp-server community *****
   24     6   unknown user@vty0     |snmp-server community *****
   25     6   unknown user@vty0     |username tekcert password *****

You can also see the result in the local log if you are logging to the local buffer:

*Mar  1 14:03:59.108: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:interface lo5000
*Mar  1 14:04:00.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback5000, changed state to up
*Mar  1 14:04:13.008: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:ip address 10.50.50.254 255.255.255.0
*Mar  1 14:04:14.464: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:no shutdown
*Mar  1 14:04:16.860: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:exit
*Mar  1 14:04:19.732: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:router eigrp 5000
*Mar  1 14:04:24.252: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:no auto-summary
*Mar  1 14:04:42.604: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:network 10.50.50.0 0.0.0.255
*Mar  1 14:04:46.432: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.20.2)
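Once these messages reach a syslog server, the useful next step is to pick the CFGLOG_LOGGEDCMD lines out of the stream and raise an alert on a short list of commands that warrant a human look, which is what one of the commenters below does with email. The following Python script is an added example, not code from the original post; the sample log is constructed in the shape of the output above, and the watch list is an assumed example, not a Cisco-provided list.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the format of the switch's local log above
# (the "no logging" and snmp-server lines are made up for this example).
SAMPLE_LOG = """\
*Mar  1 14:03:59.108: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:interface lo5000
*Mar  1 14:04:00.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback5000, changed state to up
*Mar  1 14:04:13.008: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:ip address 10.50.50.254 255.255.255.0
*Mar  1 14:04:42.604: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:no logging 10.0.10.201
*Mar  1 14:04:45.100: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:snmp-server community *****
*Mar  1 14:04:46.432: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.20.2)
"""

# Timestamp, user and command as emitted by %PARSER-5-CFGLOG_LOGGEDCMD.
# The user field is separated from "logged command:" by two spaces.
CFGLOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>.*?)\s{2,}logged command:(?P<cmd>.*)$"
)

# Assumed watch list: changes that weaken logging itself or touch credentials.
WATCH_PATTERNS = [
    re.compile(r"^no\s+logging\b"),             # removing a syslog target
    re.compile(r"^no\s+archive\b"),             # disabling config logging
    re.compile(r"^snmp-server community\b"),    # community string changes
    re.compile(r"^username\b.*\bpassword\b"),   # local account changes
]


@dataclass
class ChangeEvent:
    timestamp: str
    user: str
    command: str
    alert: bool


def parse_cfglog(text: str) -> List[ChangeEvent]:
    """Return one ChangeEvent per CFGLOG_LOGGEDCMD line; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = CFGLOG_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        flagged = any(p.search(cmd) for p in WATCH_PATTERNS)
        events.append(ChangeEvent(m.group("ts"), m.group("user").strip(), cmd, flagged))
    return events


def alert_commands(text: str) -> List[str]:
    """Commands from the log that match the watch list, in log order."""
    return [e.command for e in parse_cfglog(text) if e.alert]
```

Feeding the real syslog feed through parse_cfglog gives you a per-command audit trail with the user name once AAA is in place (the post's switch shows "unknown user" because it is not).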

If you have a cool example of how you've used this in your company or if you have any questions, please post a comment below.


Comments


Thank you for this one, was looking for this kind of feature without all the hassle of setting up accounting on Cisco ACS.

We just set it up on one switch, logging to kiwi syslog and writing all config changes to a separate txt-file. Works perfectly!

very nice

but the question is whether it always has time to send to syslog before a mistaken command someone made drops, let's say, its management VLAN :D

or

if it's reloaded, I guess the things it has logged are locally gone, right?
Can this archive print to a local file?

persistent logging

you can make the logging write to a file on the flash:


logging persistent url flash:/logdir
show flash:
735 Jan 26 2012 23:10:54 logdir/log_20120126-231054

and then you can use the more command to see the content of the file

more flash:/logdir/log_20120126-231054

hope it helps :)

Thanks

Many thanks for this Adam.

This clears up my question perfectly.

I have already rolled this out to one of our sites.

I have it sending syslog messages to our monitoring software, which in turn sends email alerts out to the senior admins when certain commands are entered.

Comment by pikas

Great topic

Thanks Adam,

Comment by llmathenjwa


Hi,

Cool config. Tell me, is this possible on ASA? If so, how?

very useful

Thanks for the tip.
I was wondering if this can be done on any Cisco Nexus switches.
I tried it on 6500s and it worked. It is also working on Nexus 5k, but I don't see an "archive" command on Nexus 7k. Do you happen to know any workaround for that one? I prefer to have this enabled globally instead of just on some switches.
I'd appreciate any tips.
Thanks

Comment by Adam


It doesn't look like they've moved that command over to the 7k yet. I have heard that the 5k gets features faster since it is a fixed form factor switch. Since there are various modules for the 7k, it takes a bit longer to get new features to market.

Here's a link to the master command list for Nexus 7k's running 5.x code:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/master/...

Perhaps in the future this feature will be added.
