Configuration Changes in Syslog

Can I configure Cisco routers/switches to send the IOS commands that are entered on a Cisco device to syslog? My objective is to keep a record of changes that are/were made to the network devices.

Hello!
It is possible since last 12.3T. Look on cisco.com for the archive command:
archive
log config
logging enable
hidekeys
With best regards

Similar Messages

  • Log configuration changes to syslog on Nexus 7000?

    I need to be able to log any configuration changes to syslog on our Nexus switches. On IOS this is easy with the archive commands, but I'm a little stuck trying to do this on our Nexus gear. On the IOS gear I run the commands:
    archive
    log config
    logging enable
    logging size 100
    hidekeys
    notify syslog
    How do I do the equivalent on NX-OS?

    Cisco NX-OS can log configuration change events along with the individual changes when AAA command accounting is enabled.
    With command accounting enabled, all CLI commands entered, including configuration commands, are logged to the configured AAA server. Using this information, a forensic trail for configuration change events along with the individual commands entered for those changes can be recorded and reviewed.
    Because of this capability, it is strongly advised that AAA command accounting be enabled and configured.
    Refer to the “TACACS+ Command Accounting” section of this document for more information.
    The Nexus 7000, by default keeps a local accounting log of all the configuration commands entered on the device; you can view this with the 'show accounting log' command.
    In NX-OS, we changed the way logging works.  We keep a local accounting log of all the
    configuration changes ("show accounting log"), but if you want to send those logs to a
    server, it must be done through a TACACS server.  Please see the below documentation:
    Configuring AAA on Nexus
    TACACS command accounting
    -Thanks
    Vinod

  • Can the ACE be configured for logging configuration changes to syslog server ?

    Hi,
    On all our routers, switches and firewalls we've configured syslog so we get logs when configuration changes occur.
    Is this possible on the ACE too ?
    regards,
    Sebastian  

    Hi Sebastian,
    Yes, it is possible, but it depends upon the logging level you have set. So logging trap 5 should be able to get you the configuration changes or command execution logs.
    Nov  1 2013 11:20:33 : %ACE-5-111008: User 'admin' executed the 'logging buffered 6' command.
    Nov  1 2013 11:20:48 : %ACE-5-111008: User 'admin' executed the 'no rserver testlog' command.
    So you should see these level 5 logs on syslog if logging trap 5 is configured.
    Let me know if you have any questions.
    Regards,
    Kanwal

  • RME (LMS 3.2) No detect Change Configuration automatically by Syslog Messages

    Hi,
    I have a problem with the "change audit" trigger for syslog messages. I set all my devices to send syslog messages to the CiscoWorks server. When I make any changes, the syslog message is sent correctly to the CiscoWorks server, but it does not automatically start collecting the configuration (config fetch).
    Only when I manually start "sync archive" is the configuration stored and the change in configuration detected.
    Nothing has been changed in "Config Fetch" in the Syslog "Automated Actions".
    Thanks

    Hi,
    You can check RME > Tools > Syslog > Automated Actions to verify nothing was changed.
    Then display 'Config Fetch'. There is contextual help available:
    http://:1741/help/rme/fundamentals/index.html?syslog_Defining_Automatd_Actions.html#wp1211314
    Nick

  • ASA send syslog messages for configuration changes

    On a router you can send configuration changes to the syslog server by doing,
    conf t
    archive
    log config
    logging enable
    notify syslog
    Then the router will send something like,
    .Aug  3 13:12:00.776 PACIFIC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no interface Loopback76
    if I had typed at the command line, "no int lo76"
    How do you do this on the ASA?
    Goal:  I want to know when anybody does any kind of config on my ASA.

    The syslog number 111008 and 111010 will log the command that is entered by user.
    111010 is for configuration changes.
    Here is the syslog for your information:
    111008:
    http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769400
    111010:
    http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769410
    You need to enable syslog, and severity level 5, and if you don't want to see any other logging, you can only log the above 2 syslog numbers.

  • Syslog. Include IP address of VTY in every message (configuration changes)

    Hello guys,
    I have discovered that Huawei has a different syslog messages format when it comes to logging configuration changes in external syslog, however if in Cisco you are using a universal login for many users, it is impossible to know what IP address logged what command..
    I know, a solution would be to let every user use its own login, however, I wanted to know is there a way for a Cisco router to associate the vty of the "logged command" originator and include this information in Syslog.
    Here is the example for Huawei:
    %%10SHELL/5/CMD(l):-DevIP=10.219.3.2- 2 -task:vt0 ip:10.200.7.138 user:** command:display logbuffer
    Cisco kind of includes the final message where it tells what the IP address of the VTY was; however, this IP address is not present in every syslog message as in Huawei.
    68954: 168799: Sep 22 14:29:21.839: %PARSER-5-CFGLOG_LOGGEDCMD: User:XXXXX logged command:no logging host 10.200.100.10 transport udp port 515
    68952: 168796: Sep 22 14:18:25.341: %PARSER-5-CFGLOG_LOGGEDCMD: User:XXXXX logged command:exit
    68953: 168797: Sep 22 14:18:26.053: %SYS-5-CONFIG_I: Configured from console by XXXXX on vty5 (10.200.7.138)
    Is it possible to do something similar in Cisco?

    If you have Splunk or another enterprise log reporting server you can correlate those events by building a transaction whenever you see a %SYS-5-CONFIG_I event. I have support for this in my Cisco Networks app for Splunk: https://apps.splunk.com/app/1352/ & https://apps.splunk.com/app/1467/
    Have a look and see what you think.
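
The correlation suggested in the reply above, tying each %PARSER-5-CFGLOG_LOGGEDCMD command to the %SYS-5-CONFIG_I event that closes the configuration session, shown in Python as an added example that is not part of the original thread or of the Splunk app it mentions. The sample lines, user name, addresses and the `AUDIT_TAMPER` watch list are constructed; it assumes one open configuration session per user name at a time, so interleaved sessions under a shared login cannot be told apart.

```python
import re
from collections import defaultdict

# Constructed sample in the IOS format quoted in the thread; the user name,
# addresses and commands are made up for this example.
SAMPLE_LOG = """\
168795: Sep 22 14:18:20.101: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:interface Loopback76
168796: Sep 22 14:18:25.341: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:exit
168797: Sep 22 14:18:26.053: %SYS-5-CONFIG_I: Configured from console by netops on vty5 (192.0.2.10)
168798: Sep 22 14:29:21.839: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no logging host 198.51.100.5
168799: Sep 22 14:29:30.002: %SYS-5-CONFIG_I: Configured from console by netops on vty2 (192.0.2.77)
168800: Sep 22 14:40:02.500: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:no archive
"""

# Timestamp as IOS prints it; any sequence-number prefix or time zone is skipped.
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?)"
CMD_RE = re.compile(TS + r"[^%]*%PARSER-5-CFGLOG_LOGGEDCMD: "
                    r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
CFG_RE = re.compile(TS + r"[^%]*%SYS-5-CONFIG_I: Configured from \S+ "
                    r"by (?P<user>\S+) on (?P<line>\S+)(?: \((?P<ip>[^)]+)\))?")

# Hypothetical watch list: command prefixes that weaken the audit trail itself.
AUDIT_TAMPER = ("no logging", "no archive", "no aaa accounting")


def correlate(lines):
    """Group logged commands into sessions closed by a CONFIG_I event.

    Returns (sessions, pending): sessions carry the vty line and source IP
    taken from CONFIG_I; pending holds commands with no closing event yet.
    """
    pending = defaultdict(list)          # user -> commands awaiting CONFIG_I
    sessions = []
    for line in lines:
        m = CMD_RE.search(line)
        if m:
            pending[m["user"]].append(m["cmd"].strip())
            continue
        m = CFG_RE.search(line)
        if m:
            cmds = pending.pop(m["user"], [])
            sessions.append({
                "user": m["user"],
                "line": m["line"],
                "ip": m["ip"],           # None for a local console session
                "closed_at": m["ts"],
                "commands": cmds,
                "flagged": [c for c in cmds if c.startswith(AUDIT_TAMPER)],
            })
    return sessions, dict(pending)


if __name__ == "__main__":
    done, still_open = correlate(SAMPLE_LOG.splitlines())
    for s in done:
        print(f'{s["closed_at"]} {s["user"]}@{s["ip"]} ({s["line"]}): '
              f'{s["commands"]} flagged={s["flagged"]}')
    print("no CONFIG_I seen yet:", still_open)
```

Commands left in the pending map have no source address yet; alerting on them after a timeout avoids missing a session that never left configuration mode.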

  • Configuration archive after configuration change

    Hello,
    I'm assuming this can work with switches, routers, and controllers. I'm running PI 2.1 and am trying to get the configuration archive functionality working. I have both of these options checked under System Settings > Configuration Archive:
    :: Archive configuration out-of-box
    :: Archive configuration on receiving configuration change events
    On the IOS device, these settings were configured for syslog/snmp:
    logging buffered 100000
     no logging event link-status
    logging trap notifications
    logging facility local6
    logging source-interface Loopback0
    logging <Prime IP>
    snmp-server community ***** RW 13
    snmp-server enable traps config
    snmp-server enable traps syslog
    snmp-server host <Prime IP> version 2c *****
    I do not see any syslog messages in PI under alarms/alerts and the configuration never gets archived. I haven't run tcpdump yet to determine if PI is receiving these traps but I was hoping it was something simple I was overlooking. Thanks for any assistance that can be provided.

    Thank you for the reply. To answer your question, yes. Community information matches with PI credentials.
    I actually did get it to work yesterday. I did original testing on a 1921 router which is still not working, but when I tried configuring the same information on some switches (3750's) it worked. I thought routers would be configured the same - are there hardware limitations to this?
    I look in the built-in CLI template 'Configure Logging' in PI and it only has switches and WLCs as available devices to push out to but I don't know what to make of it.

  • BGP Notification received, configuration change

    Hi,
    We are  monitoring a BGP peering flap for a fraction of seconds approximately every three days for a particular neighbor. We are seeing this behavior consistently for a Month.
    Jun 10 08:55:15.566 NST: bgp[1041]: %ROUTING-BGP-5-ADJCHANGE : neighbor x.x.x.x Down - BGP Notification received, configuration change (VRF: default)
    Jun 10 08:55:15.565 NST: bgp[1041]: %ROUTING-BGP-5-NBR_NSR_DISABLED_STANDBY : NSR disabled on neighbor x.x.x.x on standby due to BGP Notification received (VRF: default)
    Would like to know what the error message "BGP Notification received, configuration change" indicates.

    There might be a clue in the bgp trace on the device that experienced this condition:
    show bgp trace and look around the time of the notification down.
    Depending on what is on the other side, I think that the investigation is better done on that node, as that was the originator of the change, hence bringing the peer down.
    This can be as simple as an address family add or remove, things like that. When capabilities of a peer change, they have to bring down the peering since they are only sent in the OPEN message.
    IF it is very periodic, I would also verify and check what might be happening during those time windows, especially on the peer. Maybe there is a config script that could induce things.
    If that peer is an XR device, the bgp trace will be very helpful in that regard.
    If it is an IOS device, then maybe you need to keep running some debug bgp event for around the time that you expect this flap, and a syslog analysis (sh log) around that time for clues.
    xander

  • Cisco ASA configuration changed messages

    Hi Team,
    What are the configuration changed messages, except the 111008 message ID, for Cisco ASA? Is there any syslog message which shows who changed what?
    Regards,
    Shalendra

    Hi,
    Yes , these are the ones that are going to show you all the information about the user changes on the ASA device.
    You can also use AAA Accounting , User Identity firewall etc on the ASA device for the same.
    Thanks and Regards,
    Vibhor Amrodia

  • Help me configure Change request management !!!

    Dear friends,
    I am going to configure Change Request Management, so just to ensure that the configuration is not erroneous, I would need expert advice.
    Just want to clear a few things before I proceed.
    I am also referring to SPRO and related notes.
    Scenario:
    I have two systems: SAP ECC 6.0 with system ID R03 and Solution Manager with system ID SOL.
    R03 has 3 clients: 300, 600, 700.
    In R03, 300 is the development client, 600 is the quality client, 700 is the production client.
    SOL has 2 clients, 100 and 200,
    with 200 as the production client.
    Q.1) Do I have to configure CHARM in both clients (100 and 200 of SOLMAN)?
    Q.2) Initially I had tried to set up CHARM in client 100 of SOLMAN, but later on realized that it has to be set up in client 200.
    When I log on to client 200 and execute the IMG activity SPRO -> SAP Solution Manager -> Basic Settings -> SAP Solution Manager System -> Activate Integration with Change Request Management,
    then by default it takes the previous client (client 100) as the change request management client.
    (As we know, there are three steps in the above activity; the other activities are executed properly, the only problem being that the default client is always set to 100, which should not be the case.)
    I do get the prompt saying "The change request client is set to client 100, do you want to change to client 200"; on clicking yes, it still always sets the same client 100 as the CHARM client.
    Please let me know what I should do to set the change request client to 200.
    Q.3) Regarding TMS, we have a local domain controller in SOLMAN and a local domain in R3.
    We are planning to establish domain links between the two systems (i.e. both the domain controllers).
    Is this the right strategy?
    Any other method that you can recommend?
    Q.4) One of the IMG activities says: Generate Destinations to client 000 of all the domain controllers.
    Whenever I do this, these destinations are created with errors; I am not able to create trusted RFC destinations without errors.
    When I log on to the satellite domain controller and execute sm59, there are 2 destinations created, Trusted and BACK.
    These destinations work well,
    but when I log on to SOLMAN, go to sm59 and test the TMW and TRUSTED RFC destinations using Remote Logon, I get the error
    "no authorization to logon as trusted system".
    I went through one note which recommended kernel upgrades to solve the problem.
    In R3 my kernel release is 700 with patch level 56; the note recommends applying patch 80. Did you have these problems?
    What are your kernel patch levels in the satellite and SOLMAN systems?
    Q.5) To be able to raise tickets from R3 to SOLMAN we create RFC destinations.
    We also create RFC destinations to client 000 of all the satellite systems.
    Don't you think these RFC destinations might interfere with each other?
    Q.6) Is there anyone who has successfully configured CHARM? Can you please share the configuration documents with me?
    Please note:
    All the contributors would be handsomely rewarded with points.

    Hi,
    Check this
    Note 128447 - Trusted/Trusting Systems
    For your Q4.
    Q3.)
    Establishing Domain link - That's the right way. Go ahead.
    These are the steps.
    1. Define Transport Routes for System Landscape
    Assign exactly one development system to a production system, and make sure that these two systems are connected by exactly one unique transport track. If a development system and a production system are connected by more than one transport track, this may lead to inconsistencies within the transport distribution. This type of transport configuration cannot be supported by Change Request Management, and may cause inconsistencies within the tools involved.
    2. Activate Extended Transport Control
    The CTC parameter should be '1'
    3. Configure Transport Strategy
    Deactivate the QA Approval.
    4. Activate Trusted Services.
    5. Activate Domain Links.
    You have to activate domain link between systems.
    6. Generate RFC Destinations to Client 000
    Hope this helps.
    feel free to revert back.
    --Ragu

  • Logging CRS configuration changes

    Hallo,
    in a 10.1 RAC environment,
    is there a file which logs CRS configuration changes, like issuing a oifcfg -setif command?
    Thx

    Yes

  • Configuration issue of syslog.conf

    Dear All,
    My client is facing a configuration issue of syslog.conf.
    They have set a cacti on a Linux server for monitoring of all servers snmp & syslog.
    The part of snmp has set up successfully but cannot send the syslog to the cacti.
    My client wants the syslog to be kept on the localhost and also sent to cacti for monitoring.
    we have tried to do the following things for make it work:
    Insert the information (*.* @10.251.99.74) in /etc/syslog.conf
    Restart service of system-log
    Deleted all word of loghost in the /etc/hosts file
    But it still does not work. Can anyone give me a suggestion or idea about this?

    Thank you for your reply.
    It is tab. But I think the problem is Solaris cannot use *.* to represent all logs.
    I have used the following and it works:
    *.err;kern.debug;daemon.notice;mail.crit @10.251.99.74
    If that is not the main reason, please put me right.

  • Anyone Seen this Message Before "Configuration changes for domain saved to the repository."

    I'm running into this situation where one of my WLS servers is generating the following
    messages "Configuration changes for domain saved to the repository." This process
    of saving to a repository is causing an issue on start-up. Typically my deployments
    take 2-3 minutes on start-up. They are now taking 10 minutes. I've made no changes
    to my application. I've been able to identify that this process of saving to a
    repository is the main issue of contention....
    Anyone know what the message means? Anyone know how to disable this message?

    This is just WebLogic writing back changes to config.xml, which it does from time
    to time for reasons like:
    - your app deployment has changed.
    - you've reconfigured something in the console.
    etc...
    WebLogic just spins this off into a handy execute thread, so it would be surprising
    if this was causing your app deployment to slow down (how do you know it is?).
    In my experience, slower than normal app deployments are usually down to:
    - waiting for database connections.
    - waiting for connections to other external resources.
    Remember (in WLS6.x anyway) initialisation is done serially on the main thread,
    so if something's slow, everything gets blocked behind it.
    simon.

  • How to prevent BGP code 6 (Cease) subcode 6 (Other Configuration Change)

    Can anyone tell How to prevent BGP code 6 (Cease) subcode 6 (Other Configuration Change) ?
    We are facing frequent problem with this error. Please suggest how to stop this.... 
    Note :- We are using BGP VPN between this peers.
    Logs :
    Date/Time     : 2015-04-30 00:49:40+05:30
     State         : Up
     Date/Time     : 2015-04-30 00:39:05+05:30
     State         : Down
     Error Code    : 6(CEASE)
     Error Subcode : 6(Other Configuration Change)
     Notification  : Send Notification
     Date/Time     : 2015-04-29 18:22:11+05:30
     State         : Up
     Date/Time     : 2015-04-29 18:21:39+05:30
     State         : Down
     Error Code    : 6(CEASE)
     Error Subcode : 6(Other Configuration Change)
     Notification  : Send Notification

    on the same dates you mean the same request are posted in IT2001? ie both full days?
    Please clarify
    usually the Time collision checks are followed only via posting using report rptarqpost and not while applying through portal in ESS
    This is very strange you indicate
    SO you need to check the basic tables first
    You may need to check the collision.
    Collisions Tables V_T554Y and V_554Y_B reaction indicators.
    and V_T508A
    able T582A set to time constraint of "Z
    In backend Pa30 collision works like this
    1) the logical collision, checks if there is an overlap in the validity
    interval of the IT´s (begda, endda).
    2) the physical collision, checks if there is an overlap in the time
    interval of the IT's.
    In the logical collision it is checked if there is an overlap in the
    validity interval if at least one of the records is a full-day
    ( that is the case when you enter a Daily Work Schedule (DWS) )
    So when one of the records has a DWS it is considered to be a full day
    record and the logical collision is taken into consideration.
    If instead you enter the only the time interval manually the records
    are considered to be partial-day and the physical collision is
    performed. In that case only the time interval is important.
    So if the clock times are not entered the physical collision can not
    take place.
    The collision functionality is always based on clock times and dates,
    never on the total nr of hours.
    Edited by: Siddharth Rajora on Sep 21, 2011 4:57 PM

  • X121e bios loop : "configuration changed - restart the system"

    After changing some settings in BIOS i got stuck in a reboot - loop.
    * Cannot access the BIOS any more - pressing F1 changes the message to "Entering BIOS Setup Utility" followed by the message "configuration changed - restart the system"
    * F12 changes the message to "Preparing Boot Device List" followed by  "configuration changed - restart the system" and the system reboots again.
    * Tried to remove the battery, pressing the power button for 10-15 sec. and reboot with AC Adapter connected
    * Tried to remove the battery and unplug the bios battery for 3 days the reset the bios - doesn't work
    * Tried to boot via USB (BIOS update, FreeDOS with BIOS update, Ubuntu-Live-USB) - nothing worked .. didn't change the boot-order - i always prefer USB boot
    * Removing hard-disk produces the message "no operating system found"
    Are there any tricks for resetting the BIOS to defaults, flashing BIOS without booting from USB?
    see
    * http://forums.lenovo.com/t5/ThinkPad-Edge-S-series/E-325-bios-settings-changed-keeps-rebooting/td-p/...
    * http://forums.lenovo.com/t5/X-Serie-ThinkPad-Notebooks-inkl/x121e-Configuration-changed-Restart-Syst...
    - there are several people with this issue ...

    In service center they said that motherboard is glitchy and needs replacement.
    So it was a hardware fault.
