December 24, 2006
Configuration Change Tracking...Built in?!?
For years, I have been relying on outside tools to track changes in running configurations on Cisco devices. One of my favorite (cheaper) tools has been Kiwi CatTools. However, recently, someone turned me on to the fact that this functionality is BUILT-IN to the Cisco IOS! Here are the basics:
The feature is called Configuration Change Notification and Logging. It has been available since IOS 12.3(4)T/12.2(25)S (it has really gone mainstream in 12.4).
For each configuration command that is executed, the following information will be logged:
• The command that was executed
• The configuration mode in which the command was executed
• The name of the user that executed the command
• The time at which the command was executed
• A configuration change sequence number
• Parser return codes for the command
Pretty nice - and you can have this information stored in a local buffer or sent to a syslog server. Here's a configuration that will get you going:
Router(config)# archive
Router(config-archive)# log config (enters config logging mode)
Router(config-archive-log-config)# logging enable (turns on running config change logging)
Router(config-archive-log-config)# logging size 500 (remembers the last 500 commands entered - 100 are default)
Router(config-archive-log-config)# hidekeys (hides passwords from being shown / logged)
Router(config-archive-log-config)# notify syslog (optional - exports changes to syslog server)
Watch this: this is an example of what the logging looks like in action:
CH_NAME_RTR# show archive log config all
idx sess user@line Logged command
1 1 jeremy@vty0 | logging enable
2 1 jeremy@vty0 | logging size 200
3 2 jeremy@vty0 |hostname CH_NAME_RTR
4 2 jeremy@vty0 |enable secret ***** (this is hidden because of hidekeys command)
5 2 jeremy@vty0 |interface FastEthernet0/0
6 2 jeremy@vty0 | bandwidth 100000
Posted by JC at December 24, 2006 4:31 PM
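An added example, not part of the original post: a small Python parser for the "show archive log config all" output shown above, which rebuilds the parent command for sub-mode lines and flags changes worth a second look. The watch-list and the reading of the space after "|" as a sub-mode marker are assumptions made for this example.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "idx sess user line command parent")

# Output copied from the post (the parenthetical note on row 4 is dropped).
SAMPLE = """\
idx sess user@line Logged command
1 1 jeremy@vty0 | logging enable
2 1 jeremy@vty0 | logging size 200
3 2 jeremy@vty0 |hostname CH_NAME_RTR
4 2 jeremy@vty0 |enable secret *****
5 2 jeremy@vty0 |interface FastEthernet0/0
6 2 jeremy@vty0 | bandwidth 100000
"""

# idx, sess, user@line, then "|" and the command; whitespace right after the
# "|" is taken to mean the command was entered in a sub-mode (assumption).
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)@(\S+)\s*\|(\s*)(.*\S)\s*$")

# Assumed watch-list, not from the post: credential changes and changes to
# the change log itself.
WATCH = re.compile(r"^(no\s+)?(enable\s+(secret|password)|username\s|"
                   r"logging\s+(enable|size)|hidekeys|notify\s+syslog)")

def parse_archive_log(text):
    """Parse 'show archive log config all' rows into Entry tuples."""
    entries, last_top = [], {}  # last_top: session -> last top-level command
    for raw in text.splitlines():
        m = ROW.match(raw)
        if not m:  # header, prompt or blank line
            continue
        idx, sess, user, line, indent, cmd = m.groups()
        if indent:  # sub-mode command: parent is None if it was never logged
            parent = last_top.get(sess)
        else:
            parent, last_top[sess] = None, cmd
        entries.append(Entry(int(idx), int(sess), user, line, cmd, parent))
    return entries

def flag_sensitive(entries):
    """Return the entries whose command matches the watch-list."""
    return [e for e in entries if WATCH.match(e.command)]

if __name__ == "__main__":
    for e in flag_sensitive(parse_archive_log(SAMPLE)):
        where = f" (under '{e.parent}')" if e.parent else ""
        print(f"#{e.idx} {e.user}@{e.line}: {e.command}{where}")
```

Rows 1 and 2 come back with no parent because the "archive" and "log config" commands were entered before logging was switched on, so they never reached the buffer.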
Comments
Now THAT is cool! I didn't know that! I've been doing my entire change management by grabbing SNMP configuration change traps, and committing the new config file to Subversion for tracking changes.
This gives me much more history! Nice post, yet again!
Aaron
Posted by: Aaron Paxson at January 7, 2007 8:15 PM
This is great to know - never seen this.
One FREE tool we started using was NEDI - if you are a Cisco person this is a dream of a utility. All web based on top of Linux. One of the underlying benefits is it grabs the switch/router configs from all our devices across the entire network every hour for backup. If you click on a switch you can see the revision history of the config with changes highlighted in red.
Here's some of the screenshots if you care to peep.
http://www.nedi.ch/gallery:gallery
btw - install was easy - had me scared at first but they have it down to an automated script.
Posted by: lime at February 27, 2007 6:41 AM