Saturday, May 18, 2013

Cisco Embedded Event Manager (EEM) Config Diff Generator

TACACS+ is the preferred method for logging CLI commands at any enable level, whether you are running show commands or making config changes.  See AAA and TACACS commands for more information.  There's open source software that can do TACACS and RADIUS if you don't have or can't afford Cisco ACS or similar products.

But for a really cool and rarely used feature, you could have the switch itself run a config diff(erence) on the running-config and startup-config and email the changes or deltas to you!  Code snippet here.

Here’s how I have 4510R switches configured to email config changes automatically.  This uses the Cisco IOS® Embedded Event Manager (EEM) to do the work.

First, some common settings for the mail-server, from, and to addresses.

event manager environment _email_server 192.0.2.1
event manager environment _email_from netops@example.com
event manager environment _email_to netops@example.com

Then, the actual applet to do the diff.  This is fairly self-explanatory.  After exiting config, a log event is generated and the event manager applet is triggered.  Action 1.2 is the most interesting as it provides the command to show the diff.

event manager applet config_diff_email authorization bypass
  ! Trigger on the syslog message logged when someone exits config mode
  event syslog pattern ".*%SYS-5-CONFIG.*"
  action 1.0 info type routername
  action 1.1 cli command "enable"
  ! Compare the saved startup-config with the live running-config
  action 1.2 cli command "show archive config diff nvram:/startup-config system:/running-config"
  action 1.3 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Config Change Alert ($_info_routername)" body "$_cli_result"
  action 1.4 syslog msg "Config Change Alert emailed"

Note that going into config mode and exiting without making changes still triggers the diff email.  Another downside is a CPU spike that lasts about 10 seconds while the applet runs, but this shouldn't impact the forwarding path.
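Since the applet mails on every config exit, the mailbox side can drop the empty alerts and surface the ones that touch access control or logging. The following is an added example, not part of the original post: it assumes the emailed body uses the usual contextual layout (changed lines prefixed with + or -, unprefixed lines as parent context); the names parse_diff and triage, the watch list, and the sample body are all constructed for illustration.

```python
import re

# Illustrative watch list (an assumption; tune per site): commands that affect
# who can log in, what is logged, or what traffic is filtered.
SENSITIVE = re.compile(
    r"^(no )?(aaa|tacacs|radius|username|enable (secret|password)|snmp-server|"
    r"access-list|ip access-list|logging|line (vty|con)|transport input|"
    r"event manager|archive)\b")

# Constructed sample of an emailed $_cli_result body (not captured from a device).
SAMPLE = """\
!Contextual Config Diffs:
+username backup privilege 15 secret 5 <hash-redacted>
interface GigabitEthernet1/1
 +description uplink to core
line vty 0 4
 +transport input telnet ssh
-logging host 192.0.2.50
line vty 0 4
 -transport input ssh
"""

def parse_diff(body):
    """Return (sign, parent, command) for every '+'/'-' line in the diff."""
    changes, parents = [], []          # parents: stack of (indent, command)
    for raw in body.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue                   # blank line or IOS comment/header
        indent = len(raw) - len(raw.lstrip())
        sign = text[0] if text[0] in "+-" else None
        cmd = text[1:].strip() if sign else text
        while parents and parents[-1][0] >= indent:
            parents.pop()              # leave sub-modes we have exited
        if sign:
            changes.append((sign, parents[-1][1] if parents else None, cmd))
        parents.append((indent, cmd))
    return changes

def triage(body):
    """Classify one alert as 'empty', 'sensitive' or 'routine'."""
    changes = parse_diff(body)
    if not changes:
        return "empty", []             # config mode entered, nothing changed
    hits = [c for c in changes
            if SENSITIVE.match(c[2]) or (c[1] and SENSITIVE.match(c[1]))]
    return ("sensitive" if hits else "routine"), hits

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A change is also flagged when its parent context matches the list, so any edit under a vty line is reported even if the command itself looks harmless.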


20130518.1
