RE: [Activity logging & archiving tool]
Or Ciscoworks. A config change sends a syslog event to CW which in turn knows to go grab the latest copy of the config. I believe there are some reporting capabilities too, simple diff routines and archives of past configs. I think CW is more of the CVS-like approach whereas ACS is sort of a simple logging method. -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Dan Lockwood Sent: Tuesday, November 25, 2003 3:54 PM To: joshua sahala; Priyantha; nanog@nanog.org Subject: RE: [Activity logging & archiving tool] If you are in a Cisco shop you might consider Secure ACS. We use ACS to log all of our changes and have very good success with it. Unfortunately it is not free. Dan -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of joshua sahala Sent: Tuesday, November 25, 2003 11:45 AM To: Priyantha; nanog@nanog.org Subject: Re: [Activity logging & archiving tool] "Priyantha" <priyantha@wightman.ca> wrote:
In my company, there are several technical guys make changes to the existing network and it's very difficult to keep track of what we did when, etc.
i feel your pain - except when it was happening, they weren't as technical as they thought they were...
I'm looking for a simple tool, in which each and every one has to manually record whatever (s)he has done or any incident (s)he observed so that the tool archives that data someway. Later, in case if someone needs, (s)he should be able to search for that archive by date, by person, by a random phrase, etc.
rancid (http://www.shrubbery.net/rancid) and cvs-web (http://stud.fh-heilbronn.de/~zeller/cgi/cvsweb.cgi/) rancid does nice proactive checking of device configs, and cvs-web is a pretty front end to look through change history for tracking: request tracker (http://www.bestpractical.com/rt/) - it is a ticketing system, but you could probably customize it to fit your needs netoffice (http://sourceforge.net/projects/netoffice/) - haven't used it personally, but it looks like it might work too track+ (http://sourceforge.net/projects/trackplus/) - same as netoffice of course, nothing will work unless everyone uses it, so you have to have clear, concise policies for change management, and then enforce them. hth /joshua
Any help in this regard is appreciated,
Priyantha Pushpa Kumara --------------------------------------- Manager - Data Services Wightman Internet Ltd. Clifford, ON N0G 1M0 Fax: 519-327-8010
"Walk with me through the Universe, And along the way see how all of us are Connected. Feast the eyes of your Soul, On the Love that abounds. In all places at once, seemingly endless, Like your own existence." - Stephen Hawking -
CiscoWorks also polls the devices for configuration changes and generates a diff if you so desire. If you have set up AAA you will have an audit log of when changes were applied and who applied them. Scott C. McGrath On Tue, 25 Nov 2003 Brennan_Murphy@NAI.com wrote:
Or Ciscoworks. A config change sends a syslog event to CW which in turn knows to go grab the latest copy of the config. I believe there are some reporting capabilities too, simple diff routines and archives of past configs.
I think CW is more of the CVS-like approach whereas ACS is sort of a simple logging method.
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Dan Lockwood Sent: Tuesday, November 25, 2003 3:54 PM To: joshua sahala; Priyantha; nanog@nanog.org Subject: RE: [Activity logging & archiving tool]
If you are in a Cisco shop you might consider Secure ACS. We use ACS to log all of our changes and have very good success with it. Unfortunately it is not free.
Dan
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of joshua sahala Sent: Tuesday, November 25, 2003 11:45 AM To: Priyantha; nanog@nanog.org Subject: Re: [Activity logging & archiving tool]
"Priyantha" <priyantha@wightman.ca> wrote:
In my company, there are several technical guys make changes to the existing network and it's very difficult to keep track of what we did when, etc.
i feel your pain - except when it was happening, they weren't as technical as they thought they were...
I'm looking for a simple tool, in which each and every one has to manually record whatever (s)he has done or any incident (s)he observed so that the tool archives that data someway. Later, in case if someone needs, (s)he should be able to search for that archive by date, by person, by a random phrase, etc.
rancid (http://www.shrubbery.net/rancid) and cvs-web (http://stud.fh-heilbronn.de/~zeller/cgi/cvsweb.cgi/)
rancid does nice proactive checking of device configs, and cvs-web is a pretty front end to look through change history
for tracking: request tracker (http://www.bestpractical.com/rt/) - it is a ticketing system, but you could probably customize it to fit your needs
netoffice (http://sourceforge.net/projects/netoffice/) - haven't used it personally, but it looks like it might work too
track+ (http://sourceforge.net/projects/trackplus/) - same as netoffice
of course, nothing will work unless everyone uses it, so you have to have clear, concise policies for change management, and then enforce them.
hth
/joshua
Any help in this regard is appreciated,
Priyantha Pushpa Kumara --------------------------------------- Manager - Data Services Wightman Internet Ltd. Clifford, ON N0G 1M0 Fax: 519-327-8010
"Walk with me through the Universe, And along the way see how all of us are Connected. Feast the eyes of your Soul, On the Love that abounds. In all places at once, seemingly endless, Like your own existence." - Stephen Hawking -
On Tue, 25 Nov 2003, Scott McGrath wrote:
CiscoWorks also polls the devices for configuration changes and generates a diff if you so desire. If you have set up AAA you will have an audit log of when changes were applied and who applied them.
Scott C. McGrath
I'm fairly certain that the tacacs standard implementations available on the cisco routers log out changes to the config made by users... That and a little log parsing magic and you have this data also. Be cautious that some of the EMS systems will grab configs through snmp WRITE initiated tftp writes, this could be dangerous if your routers are publicly accessible :) -Chris
I'm fairly certain that the tacacs standard implementations available on the cisco routers log out changes to the config made by users... That and a little log parsing magic and you have this data also.
While we're being Cisco-centric, 12.3(4)T has a new feature by which the router can keep a configuration audit log: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_ guide09186a00801d1e81.html -Terry
It is excellent, but _too late. Such features are useless, if you do not have them on all devices, and no one can update all network gear to this new version at once. So, it will be useful in 2 - 3 years -:). ----- Original Message ----- From: "Terry Baranski" <tbaranski@mail.com> To: "'Christopher L. Morrow'" <chris@UU.NET>; "'Scott McGrath'" <mcgrath@fas.harvard.edu> Cc: <nanog@merit.edu> Sent: Tuesday, November 25, 2003 7:03 PM Subject: RE: [Activity logging & archiving tool]
I'm fairly certain that the tacacs standard implementations available on the cisco routers log out changes to the config made by users... That and a little log parsing magic and you have this data also.
While we're being Cisco-centric, 12.3(4)T has a new feature by which the router can keep a configuration audit log: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_ guide09186a00801d1e81.html
-Terry
This is not dngerous - I do not expect any idiot, opening SNMP from outside (SNMP is excellent protocol, which can crash ANY device in the world; I crashed 6509 switch and PIX firewall in a few days, when debugged new 'snmpstat' system). And moreover, Cisco allows o lock IP and file name for SNMP/TFTP. On the other hand, using 'expect' is not difficult and is much more flexible. Most problems are with PIX-es with their paranoya, which cause a nececity to know enable password for any simple action... I'll send my old expect script here tomorrow, if someone want (it is not big). New script uses cryptography to remember a passwords, so it became more secure, but idea is the same... ----- Original Message ----- From: "Christopher L. Morrow" <chris@UU.NET> To: "Scott McGrath" <mcgrath@fas.harvard.edu> Cc: <nanog@merit.edu> Sent: Tuesday, November 25, 2003 1:51 PM Subject: RE: [Activity logging & archiving tool]
On Tue, 25 Nov 2003, Scott McGrath wrote:
CiscoWorks also polls the devices for configuration changes and
generates
a diff if you so desire. If you have set up AAA you will have an audit log of when changes were applied and who applied them.
Scott C. McGrath
I'm fairly certain that the tacacs standard implementations available on the cisco routers log out changes to the config made by users... That and a little log parsing magic and you have this data also. Be cautious that some of the EMS systems will grab configs through snmp WRITE initiated tftp writes, this could be dangerous if your routers are publicly accessible :)
-Chris
participants (5)
-
Alexei Roudnev
-
Brennan_Murphy@NAI.com
-
Christopher L. Morrow
-
Scott McGrath
-
Terry Baranski