RE: [Activity logging & archiving tool]

Or CiscoWorks. A config change sends a syslog event to CW which in
turn knows to go grab the latest copy of the config. I believe
there are some reporting capabilities too, simple diff routines and
archives of past configs.

I think CW is more of the CVS-like approach whereas ACS is sort of a
simple logging method.

CiscoWorks also polls the devices for configuration changes and generates
a diff if you so desire. If you have set up AAA you will have an audit
log of when changes were applied and who applied them.

                            Scott C. McGrath

I'm fairly certain that the TACACS standard implementations available on
the Cisco routers log out changes to the config made by users... That and
a little log parsing magic and you have this data also. Be cautious that
some of the EMS systems will grab configs through SNMP WRITE initiated
TFTP writes; this could be dangerous if your routers are publicly
accessible :)

-Chris

I'm fairly certain that the TACACS standard implementations
available on the Cisco routers log out changes to the config
made by users... That and a little log parsing magic and you
have this data also.

While we're being Cisco-centric, 12.3(4)T has a new feature by which the
router can keep a configuration audit log:

guide09186a00801d1e81.html

-Terry

This is not dangerous - I do not expect any idiot opening SNMP from outside
(SNMP is an excellent protocol, which can crash ANY device in the world; I
crashed a 6509 switch and a PIX firewall in a few days when debugging the new
'snmpstat' system). And moreover, Cisco allows you to lock the IP and file
name for SNMP/TFTP.

On the other hand, using 'expect' is not difficult and is much more
flexible. Most problems are with PIXes with their paranoia, which causes a
necessity to know the enable password for any simple action...

I'll send my old expect script here tomorrow, if someone wants it (it is not
big). The new script uses cryptography to remember passwords, so it became
more secure, but the idea is the same...

It is excellent, but too late. Such features are useless if you do not
have them on all devices, and no one can update all network gear to this new
version at once. So, it will be useful in 2 - 3 years -:).
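
The workflow described in the first post (a config-change syslog event triggers a fetch of the latest config, which is then diffed against the archive), as an added example that is not part of any post in this thread and is not CiscoWorks code. The log lines, configs and the `fetch_pair` callback are constructed or hypothetical; `%SYS-5-CONFIG_I` is the standard IOS message logged when a user leaves configuration mode.

```python
import difflib
import re

# IOS logs %SYS-5-CONFIG_I when someone exits configuration mode.
CONFIG_I = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<device>\S+)\s.*%SYS-5-CONFIG_I: "
    r"Configured from (?P<origin>\S+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+))?(?: \((?P<source>[\d.]+)\))?"
)

# Constructed sample data (not taken from the thread).
SAMPLE_SYSLOG = [
    "Mar  3 10:14:55 rtr1 101: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up",
    "Mar  3 10:15:02 rtr1 102: %SYS-5-CONFIG_I: Configured from console by alice on vty0 (192.0.2.10)",
    "Mar  3 10:20:41 rtr2 57: %SYS-5-CONFIG_I: Configured from console by console",
]
OLD_RTR1 = "hostname rtr1\nsnmp-server community EXAMPLE RO 10\naccess-list 10 permit 192.0.2.0 0.0.0.255\n"
NEW_RTR1 = "hostname rtr1\nsnmp-server community EXAMPLE RW\naccess-list 10 permit 192.0.2.0 0.0.0.255\n"
RTR2 = "hostname rtr2\n"
ARCHIVE = {"rtr1": (OLD_RTR1, NEW_RTR1), "rtr2": (RTR2, RTR2)}


def config_events(lines):
    """Return one dict per config-change event; vty and source may be None."""
    return [m.groupdict() for m in map(CONFIG_I.search, lines) if m]


def config_diff(old, new):
    """Return only the added/removed config lines, without diff headers."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(),
                                "archived", "running", n=0, lineterm="")
    return [d for d in diff
            if d.startswith(("+", "-")) and not d.startswith(("+++", "---"))]


def audit(lines, fetch_pair):
    """For each event, pair who/where with what actually changed.

    fetch_pair is a hypothetical callback returning (archived, current)
    config text for a device; a real one would pull the running config.
    """
    report = []
    for ev in config_events(lines):
        old, new = fetch_pair(ev["device"])
        report.append((ev["device"], ev["user"], ev["source"], config_diff(old, new)))
    return report


if __name__ == "__main__":
    for device, user, source, changes in audit(SAMPLE_SYSLOG, ARCHIVE.get):
        print(device, user, source or "local console", changes or "no change")
```

The constructed rtr1 change (read-only community with an ACL replaced by an unrestricted read-write one) is the kind of diff worth alerting on, given the SNMP-write concern raised earlier in the thread.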