Cisco IOS Configuration Change Logging

Cisco IOS Configuration Change Logging

If you are looking to configure your Cisco router to keep the track of all the commands run by any user, this article is pretty much for you.

The Configuration Change Logging (Configuration Log Archive) is a feature of Cisco IOS software that allows the tracking of configuration changes entered on a per-session and per-user basis. The log archive feature saves configuration logs that track each configuration command which is tun, who run the command. You can also configure to send notification of configuration changes to the software system logging (syslog) process. Syslog notifications allow monitoring of the configuration log information without performing polling and information gathering tasks.

Configuration Steps

1). Enter into enable mode using enable command.

2). Enter into global configuration mode using configure terminal command.

3). Use archive command to enter archive configuration mode.

4). Now use log config command to enter configuration change logger configuration mode.

5). Logging of configuration changes is disabled by default. To enable it, use logging enable command.

6). (Optional) Specify the maximum number of entries retained in the configuration log using logging size <value> command. The value can be any number between 1 to 1000.The default value is 100 entries.

7). (Optional) To suppress the password information from being stored into configuration log files, use hidekeys command. The hidekeys command increases security by preventing password information from being displayed in plain text format.

8). (Optional) Use notify syslog command to enable the notifications of configuration changes to a remote syslog server.

The complete configuration steps are given below:

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#logging size 500
R1(config-archive-log-cfg)#hidekeys
R1(config-archive-log-cfg)#notify syslog
R1(config-archive-log-cfg)#end
R1#

View Configuration Log Statistics

To display configuration log entries and to monitor the statistics of the configuration log, use show archive log config command.

R1#show archive log config ?
  <0-2147483647>  The first record number to display
  all             List all the records in the config log
  statistics      Show memory and usage statistics for the config logger
  user            List the logged commands entered by a single user

The show archive log config command gives 4 options to be used. To view a particular record number, you can enter the record number with the command. To display all the records, you can use all keyword. To display the logger statistics, you can use statistics keyword. To display the commands run by a specific user, you can use the user keyword with show archive log config command.

For demonstration purpose, I have already created two users in my Cisco router.

R1(config)#enable secret cisco
R1(config)#username admin  password cisco@123
R1(config)#username helpdesk password cisco@321
R1(config)#

Now we have two users on router. Let us consider that helpdesk user logs in to the router and make some configuration change. Lets take a look at the configuration archive log.

R1#show archive log config all
 idx   sess           user@line      Logged command
   1    2       helpdesk@console  |!exec: enable
   2    2       helpdesk@console  |interface FastEthernet0/0
   3    2       helpdesk@console  | shutdown
   4    3       admin@console     |!exec: enable

Notice that there are three commands run by helpdesk user which shows that the user entered enable command and then issued shutdown command on interface FastEthernet0/0.

To display memory usage information for the configuration, use show archive log config statistics command as shown below:

R1#show archive log config statistics
Config Log Session Info:
        Number of sessions being tracked: 1
        Memory being held: 3914 bytes
        Total memory allocated for session tracking: 3914 bytes
        Total memory freed from session tracking: 0 bytes

Config Log log-queue Info:
        Number of entries in the log-queue: 18
        Memory being held by the log-queue: 4769 bytes
        Total memory allocated for log entries: 4769 bytes
        Total memory freed from log entries: 0 bytes

Use show archive log config all provisioning command to display all configuration log files as they would appear in a configuration file rather than in tabular format.

R1#show archive log config all provisioning
archive
 log config
  logging enable
  logging size 500
  hidekeys
notify syslog
!exec: enable
interface FastEthernet0/0
shutdown
!exec: enable

Display the Configuration Difference between running-config and startup-config

You can specify any two configuration files available in IOS File System to be compared by adding each path as options to the command. For example, the “show archive config differences nvram:startup-config system:running-config” command. The order in which paths are entered determines how you interpret the output.

The output will look something like:

R1#show archive config difference system:running-config nvram:startup-config
!Contextual Config Diffs:
+no aaa new-model
interface FastEthernet0/0
 +shutdown
line con 0
 +login local
line vty 0 4
 +login
-aaa new-model
-aaa session-id common

The order in which paths are entered determines how you interpret the output.

The line with “+” sign means this command is present in the startup-config but not in the running-config.

The line with “-” sign means this command is present in the running-config but not in the startup-config.

Always remember that when you use the command without options, for instance if you use “show archive config differences” command, it is same as saying “show archive config difference system:running-config nvram:startup-config“.

Clear the Configuration Log

The entries from the configuration log can be cleared in one of two ways. The size of the configuration log can be reduced by using the logging size command, or the configuration log can be disabled and then re-enabled with the logging enable command. To clear the configuration log file, use one of the following methods:

Clearing the Configuration Log by Disabling the Configuration Log

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#no logging enable
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#end
R1#

Clearing the Configuration Log by Resetting the Log Size

To clear the configuration log, reduce the log size to 1, then reset the log size to the desired value by entering the logging size command.

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging size 1

Setting the size of the configuration log to 1 results in all but the most recent entry being purged.

R1(config-archive-log-cfg)#logging size 500
R1(config-archive-log-cfg)#end
R1#

Before the introduction of this feature, the only way to determine if the Cisco software configuration had changed was to save a copy of the running and startup configurations to a local computer and do a line-by-line comparison. This comparison method can identify changes that occurred, and the person responsible for the changes.

Back



Microsoft Certified Professional | Cisco Certified Network Associate

Leave a Reply