Using RME baseline templates to find non-compliant SNMP strings

Similar Messages

• RME Baseline Templates compliance and deploy regular expression

  Hi:
  I have a large number of 3750 stacks consisting of a variable amount  , from 1 to 6, switches. I need to add to all
  FastEthernet interfaces from 2/0/1 to n/0/24 a command , under the interface. That is on the 1st and if only one switch do nothing, and for all other switches, be it 2 or 3 etc switches under each interface add a one line command.
  I  have not found the correct syntax to have only the interfaces I need to be effected. For example:
  interface [#FastEthernet.*#]   picks all interfaces including the ones on the 1st switch which I don't want to change.
  Interface [#fastEthernet[2-9].*#]  ignores all interfaces.
  I have tried various forms of syntax for the regular expression   but either hit all interface or none.
  Does anyone know how to format the request properly.
  Thanks in advance
  Mickey

  This regexp should work:
  interface [#FastEthernet(1[0-9]+|[2-9][0-9]*)/.*#]

• How to find routers with multiple bgp neighbors using baseline templates?

  Running LMS 4.1 5k on Windows
  We have around 400 routers on a MPLS network. Only few of these have more than one BGP neighbor. We need to enable some bgp traps so we know when a bgp neighbor is down. How would I write a baseline template to check if a router has more than one bgp neighbor?
  basically I want to know if a router has more than one statement of the following kind:
  router bgp xxxxx
  neighbor x.x.x.x remote-as xxxxx   <-- 1st neighbor
  neighbor y.y.y.y remote-as yyyyy    <-- 2nd neighbor

  Yes, it looks like the bug I mentioned previously.  The bug has nothing to do with RME.  You can use RME or not, and this bug will still be triggered.  While an upgrade is recommended, the Release notes detail a workaround:
  The 1711 router gives traceback when we process an snmpwalk at OID
  "cInetIcmpMsgOutPkts" (1.3.6.1.4.1.9.10.86.1.3.2.1.6) from CISCO-IETF-IP-MIB or
  when ciscoDslCpeMIB is queried (1.3.6.1.4.1.9.20.1.1).
  12.2(15) works well
  12.3(8)T4 and 12.0(3)T are giving this problem.
  Didn4t find a similar problem reported to this one.
  Workaround:
  The problem lies in CISCO-DSL-CPE-MIB, so if you don't need this mib you can
  exclude it from the default or created snmp view, thereby preventing the
  traceback. Here is an example of 1) changing default view and 2) creating a new
  view.
  -- change the default snmp view to exclude CISCO-DSL-CPE-MIB
  conf term
  snmp-server view v1default ciscoDslCpeMIB excluded
  end
  show snmp view
  -- create a new snmp view that excludes CISCO-DSL-CPE-MIB
  conf term
  no snmp-server view nodslmib
  snmp-server view nodslmib iso included
  snmp-server view nodslmib internet.6.3.15 excluded
  snmp-server view nodslmib internet.6.3.16 excluded
  snmp-server view nodslmib internet.6.3.18 excluded
  snmp-server view nodslmib ciscoMgmt.252 excluded
  snmp-server view nodslmib ciscoDslCpeMIB excluded
  no snmp-server community public
  snmp-server community public view nodslmib ro
  end
  show snmp view

• LMS 4.0 Prequisites of baseline templates are ignored if used for direct deploy

  Hi all,
  I'm want to use baseline templates for conditionally configuring several hundert access-switches.
  What I expect to work:
  Write a baseline template with prerequisites and parameters and use
  Configuration> Compliance> Compliance Templates> Direct Deploy
  The baseline template works perfect for
  Configuration> Compliance> Compliance Templates> Compliance Check
  if I use regex instead of parameters
  - compliant devices are detected
  - commands are generated only for non compliant devices
  But I don't want to enter several hundert parameters manually if
  I want to deploy the job after compliance chek...
  If I change the regex into a parameter then direct deploy will unconditionally
  generate the commands, regardless whether the prerequisites are met or not.
  Is this by design or a bug?
  My task is simple:
  If interface Vlan1 has an IP address matching a certain pattern I want to deploy the global command
  ip default gateway [same-prefix-as-interface-vlan1].1
  Like I mentioned above: the regexes are OK: compliance check works as expected
  When the regexes are changed to a parameter the command ip default-gateway will
  always be generated regardles wether the prequisite is met or not.
  Any thoughts or insight?
  Regards, MiKa

  Solution was simple:
  In one of the old release notes (Cisco Ressource Manager Essentials, around 2009) I found a note that prerequisites in templates are not supported with direct deploy. There are no notes for newer releases but the behaviour is exactly like described.
  Another documentation error...
  Rgds, MiKa

• What is "Remediate non Compliant Rule when supported" and how to use it ?

  Hi, 
  now i have created around 10 baselines for the driver compliance check for different make and model of laptops and desktops, the os platform on the computer will be Win 7 X 64 computers 
  CI's working fine and iam curious to learn what is the  ( Remediate non Compliant Rule when supported ) option actually ment for , what all we can use it for ?
  and i need a example with complete steps too please
  all i can understand from the word Remediate is that it will either run a query or initiate a process such as install the correct version of driver etc , please correct me if iam wrong
  Thank you
  OSLM ENGINEER - SCCM 2007 & 2012

  When creating a CI you can also configure a remediation script, that script will be used to remediate a non-compliant system. Also, some simple things like change the value of an existing registry key from 0 to 1 are supported out-of-the-box for compliance
  and remediation.
  An example:
  http://www.petervanderwoude.nl/post/allow-direct-installation-of-windows-8-apps-via-compliance-settings-in-configmgr-2012/
  Another example:
  http://www.petervanderwoude.nl/post/go-to-desktop-on-sign-in-on-windows-8-1-via-compliance-settings-in-configmgr-2012/
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• I'm using a card template and trying to find what Avery product I should get to print the card on

  I using a Pages greeting card template and trying to find out what Avery product I should buy to print it on. Where is this infromation?

  The Avery web site has the layouts of its products and also ms Word tempaltes that open in Pages.
  If you wish to use the Pages' templates select the overall rectangle of the card:
  Inspector > Metrics
  To find out the size and then look for the matching Avery stock, you will probably have to adjust bot the size and position for a close match.
  However since greeting cards are just rectangles folded in half all you need to do is print them on card stock with some crop marks offset from the corners and cut them out with a sharp knife or a guillotine. Not rocket science.
  Peter

• Baseline template

  Hello,
  I have a question about "baseline template"
  I try know to find if some interfaces don't have OSPF key.
  I create my basic template like this for find all the interface fastEthernet begins with 0/2/ who don't shut :
  Conditional Block
       sub mode
  interface [#FastEthernet0/2/*#]
       CLI commands
  - shutdown
  Compliance Block (Use the Submode of above condition is checked)
       CLI commands
  + ip ospf message-digest-key [#*#]
  and like this it doesn't works...
  so I wonder how does works "stars *", "sharps #" ect ect ...
  I try this because in the manual guide they use this, but I think I don't use them properly
  thank you for answering me

  So I've tried :
  + ip ospf message-digest-key [KEY]
  and also
  + ip ospf message-digest-key 1 md5 [KEY]
  apparently it doesn't works.
  in response "RME say" to me 0 of 56 are compliant
  it say, I should add in all interface the line "ip ospf message-digest-key ...". it's curious because the most of it have the line :/.
  thank you for the link, I will study it.

• Baseline Template Query LMS 4.2 - IP address

  Does anyone know how to create a baseline template that would validate a configuration to ensure that it only has 1 IP address terminating on it?  The IP address may terminate on an SVI or an interface, but must only have the 1 IP address on the device
  Any information or suggestion would be appreciated.

  Hi Afroz,
  Thanks for the link however I was unable to find any information that would help me with my query.
  Here's the issue. Multilayer switches can have multiple IP interfaces on them and on certain devices on our network, I want to ensure that there is only 1 IP interface. So, if the device only has 1 IP interface, the configuration is compliant. If the device has multiple IP interfaces, the configuration is non-compliant.
  The other factor that would complicate things is that on some devices, the IP interface would be an SVI while on others the IP interface would be on an Ethernet port.
  I hope this helps clarify my query.
  Thanks,
  H

• LMS 3.1 Baseline Template Fails

  NEED HELP! :-)
  I made a baseline template that basicaly says: If you encounter an interface with a vlan24, apply a port-security mac-address sticky command. TEMPLATE FOLLOWS:
  In Conditional Block's SUBMODE:
  interface [#.*Ethernet.*#]
  CLI Command (of conditional block is):
  + switchport access vlan [#(24)#]
  Use the SubMode of above condition (yes)
  CLI Command:
  + switchport port-security mac-address sticky
  UNFORTUNATELY, THE MESSAGE I GET AFTER THE DIRECT DEPLOY IS:
  *** Device Details for cdp-aa-sw-c02-02 ***
  Protocol ==> Unknown / Not Applicable
  Selected Protocols with order ==> SSH
  Execution Result:
  CM0150 Deploy Baseline template to PRIMARY config on device failed Cause: CM0070 Copy Config to device failed on cdp-aa-sw-c02-02 Cause: Action: Check device credentials and reachability.
  CM0100 Copy PRIMARY Running Config to PRIMARY Startup Config on device not attempted
  CM0089 Config archival successful for cdp-aa-sw-c02-02
  Do you have a clue what is wrong with this immediate job deployment??? Can you help me fix it so it applies correctly!?
  Thanx in advance,
  WANimal

  Post the job directory for this job. The directory is found under NMSROOT/files/rme/jobs/ArchiveMgmt on Windows and /var/adm/CSCOpx/files/rme/jobs/ArchiveMgmt on Solaris.

• Checking aaa configuration using LMS Baseline Compliance Checks

  Hi, I'm trying to setup a baseline configuration check for our devices that will cover both "types" of aaa accounting commands. Some devices have the commands spread over mutliple lines and some have them in single lines as per the examples below. I can't seem to make an "or" check that will cover both types. Can anyone please assist? I am using Ciscoworks 4.2.
    aaa accounting exec default
    action-type start-stop
    group tacacs+
    aaa accounting commands 0 default
    action-type start-stop
    group tacacs+
    aaa accounting commands 15 default
    action-type start-stop
    group tacacs+
    aaa accounting connection default
    action-type start-stop
    group tacacs+
  OR
  aaa accounting commands 0 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting connection default start-stop group tacacs+
  aaa accounting exec default start-stop group tacacs+

  Compliance check uses the same devices as everything else in RME.  However, you need to make sure your template is configured to match the specific device types that you want to check.  When you define your baseline template, you must choose one or more device types.  Make sure you've checked all of the appropriate boxes (e.g. Routers and Switches and Hubs).

• Using the Standard Template Library with 5.0 using 4.2 compatibility mode

  Has anyone used the Standard Template Library with the 5.0 release of the complier using the -compat=4 flag ?

  It's not your system, unfortunately. It's iTunes 5.0. I have XP, a brand new drive and Nero. I can burn all sorts of CDs, just none from iTunes.
  I have gotten several emails from Apple regarding this issue, none of which helped. The last response I got said they were working on my problem. Right now, the best solution that I can come up with, although I'm not sure how to do it, is back up your songs as a data CD, uninstall 5.0 and reinstall version 4.9.
  If you go back a few days (or maybe a week) in the discussions, someone posted a link for 4.9. If you can do this and successfully install 4.9 you will have no problem burning CDs. I just haven't had any luck burning my songs as data. I have 4.9 on an older computer and can burn CDs for days. So all I have to do is get my songs to the old PC and I'll be in business.

• Devices in Deployment status show up as Non-Compliant

  In the deployment status section of SCCM 2012 we have 6 of the 10 servers listed in the In-Progress tab which are Non-compliant. 3 of the servers are list as Downloaded Updates. Verified that the boundaries are set up correctly and check relevant logs and
  no software updates are being pushed out to the servers almost an hour into the maintenance window. Not sure what the cause is, could use all the help I can get. Thanks!

  Hi,
  Is the client healthy?(CcmEval.log, ClientIDManagerStartup.log, ClientLocation.log, LocationServices.log)
  Could the client communicate with MP? Please check CcmMessaging.log and open
  http://<MP Name>/sms_mp/.sms_aut?mplist in IE on the client to see whether it can find the MP.
  Best Regards,
  Joyce

• Non-Compliant Issue

  Can anyone explain to me why the following item is considered non-compliant on this list? It states for the reason that it could not find a compatible TPM, but when you look at the details it clearly shows that it is encrypted and that TPM is the protector
  type.

  I answered my own question on this one.  It is apparently a bug in MBAM 2.5 when using AES-256 with Diffuser.  I installed Hotfix KB2975636 on the client system and it corrected in the next update without an issue. 
  If anyone else is looking for this Hotfix, here is the link.
  https://support.microsoft.com/kb/2975636?wa=wsignin1.0

• ISE 1.2 - Posture Detail Assessment - enforcement audit mode report not show status for non-compliant

  ISE 1.2 - Posture Detail Assessment - enforcement audit mode report not show status for non-compliant.
  - For old version 1.1.4 it can be reported for non-compliant, How can I generate report for this? 
  Thanks
  Kosin Usuwanthim

  It used to be in there (id 226635 is the last one with it); should I clean it up a bit and put it back with a bit more of a disclaimer?

• How can I modify column width in a spreadsheet report without using an Excel template

  I currently use the LabVIEW Report Generation toolkit in LabVIEW 2011SP1 to create simple spreadsheet reports that I can build/print without having Microsoft Office products installed.  I really like being able to do this, and it allows me to generate nice on-demand data reports - I'm also not tied to having Office installed on the system I'm using, so this works on just about any test fixture I can install the software on.  
  I recently have a requirement that I must have variable-length columns in my report.  I currently use the VI "Append Text Table to Report" in order to create a text table, but the column width requirement is that all columns must be equal width UNLESS I use an Excel Template file to define my column widths.  
  My questions are:
  Is it possible to create a text table and define per-column widths without using an Excel Template?  If so, how?  My report mainly has a lot of small numerical values for the columns, but some columns contain system names or status messages - I really hate the longer text blocks wrapping and taking up so much real-estate when if I could control the column widths I can get all my data on a single line.
  I'll admit I haven't tried this myself yet, but if I use an Excel Template will that require me to have Excel installed on the PC in order to print/generate reports?
  Is there a recommended way (with an example) of generating a text table in a report with or without using the "Append Text Table to Report" VI that allows me to have custom column widths that doesn't require me to manually build a custom print page?  If I do have to create a custom print page, what would be the most straightforward approach?
  Thanks!
  -Danny

  Sure, I'll provide a pared down example that demonstrates my use-case:
  I have a control to the VI that takes in a 2D array of strings representing the data I want printed in a table.  I am generating a standard report, adding a table to the report, and printing it.  The first VI is "New Report.vi", the second VI is "Append Table to Report.vi", and the third is "Print Report.vi", all found standard in the Report Generation palette.
  Note that the "Append Table to Report.vi" has an input parameter "Column Width" with a default value of (1).  This input parameter is a single input parameter, which defines the column widths of ALL the columns in my table - hence, with the VI the way it is, all my columns will be 1 inch wide.  
  I find myself needing to be able to define per-column widths, not just a single global column width parameter.  
  The only way I have found to do this is by using an Excel template file.  The "New Report.vi" takes in a "template" parameter, and if used, the report generation toolkit can be set to ignore the "Column Width" input parameter on the "Append Table to Report.vi" by setting the width value to -1.  Instead it will launch Excel, open the template file provided, build the table using the template, will close Excel, and will attach the generated table to the report.  However, I have a strict requirement that Microsoft Office NOT be required to be installed on the computer.  
  So, without using Excel, is there a way to generate a table in a report and define the width of each column individually?
  -Danny