Publish Date: October 26, 2015

Cisco IOS Configuration Change Logging

If you want to configure your Cisco router to keep track of all the commands run by any user, this article is for you.

Configuration Change Logging (Configuration Log Archive) is a feature of Cisco IOS software that tracks configuration changes on a per-session and per-user basis. The log archive feature saves configuration logs that record each configuration command that is run and who ran it. You can also configure it to send notifications of configuration changes to the software system logging (syslog) process. Syslog notifications allow monitoring of the configuration log information without performing polling and information gathering tasks.

Configuration Steps

1). Enter enable mode using the enable command.

2). Enter global configuration mode using the configure terminal command.

3). Use the archive command to enter archive configuration mode.

4). Now use the log config command to enter configuration change logger configuration mode.

5). Logging of configuration changes is disabled by default. To enable it, use the logging enable command.

6). (Optional) Specify the maximum number of entries retained in the configuration log using the logging size <value> command. The value can be any number from 1 to 1000. The default value is 100 entries.

7). (Optional) To keep password information from being stored in the configuration log files, use the hidekeys command. The hidekeys command increases security by preventing password information from being displayed in plain text format.

8). (Optional) Use the notify syslog command to enable notifications of configuration changes to a remote syslog server.

The complete configuration steps are given below:

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#logging size 500
R1(config-archive-log-cfg)#hidekeys
R1(config-archive-log-cfg)#notify syslog
R1(config-archive-log-cfg)#end
R1#

View Configuration Log Statistics

To display configuration log entries and to monitor the statistics of the configuration log, use the show archive log config command.

R1#show archive log config ?
  <0-2147483647>  The first record number to display
  all             List all the records in the config log
  statistics      Show memory and usage statistics for the config logger
  user            List the logged commands entered by a single user

The show archive log config command offers four options. To view a particular record, enter its record number with the command. To display all the records, use the all keyword. To display the logger statistics, use the statistics keyword. To display the commands run by a specific user, use the user keyword.

For demonstration purposes, I have already created two users on my Cisco router.

R1(config)#enable secret cisco
R1(config)#username admin  password cisco@123
R1(config)#username helpdesk password cisco@321
R1(config)#

Now we have two users on the router. Let us assume that the helpdesk user logs in to the router and makes a configuration change. Let's take a look at the configuration archive log.

R1#show archive log config all
 idx   sess           user@line      Logged command
   1    2       helpdesk@console  |!exec: enable
   2    2       helpdesk@console  |interface FastEthernet0/0
   3    2       helpdesk@console  | shutdown
   4    3       admin@console     |!exec: enable

Notice the three commands run by the helpdesk user: they show that the user entered the enable command and then issued the shutdown command on interface FastEthernet0/0.
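As an added example (not part of the original article), the Python code below parses the tabular output shown above and attributes each configuration change to the user who made it. It assumes, based on the sample, that a space right after the | marks a sub-mode command; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the "show archive log config all" table from this article.
SAMPLE = """\
 idx   sess           user@line      Logged command
   1    2       helpdesk@console  |!exec: enable
   2    2       helpdesk@console  |interface FastEthernet0/0
   3    2       helpdesk@console  | shutdown
   4    3       admin@console     |!exec: enable
"""

# idx, session, user, line, then everything after the '|' (leading space kept).
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+?)@(\S+)\s*\|(.*)$")

def parse_config_log(text):
    """Return one dict per logged command; the header and blank lines are skipped."""
    records = []
    parent = {}  # session -> last top-level config command (the mode context)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, sess, user, tty, raw = m.groups()
        cmd = raw.strip()
        is_exec = cmd.startswith("!exec:")
        # Assumption: a leading space after '|' means a command inside a sub-mode.
        nested = raw.startswith(" ") and not is_exec
        if not nested and not is_exec:
            parent[sess] = cmd
        records.append({
            "idx": int(idx), "session": int(sess), "user": user, "line": tty,
            "command": cmd, "exec": is_exec,
            "context": parent.get(sess) if nested else None,
        })
    return records

def changes_by_user(records):
    """Map user -> config commands, with sub-mode commands qualified by their parent."""
    out = defaultdict(list)
    for r in records:
        if r["exec"]:
            continue  # exec-level entries such as 'enable' are not config changes
        full = f'{r["context"]} / {r["command"]}' if r["context"] else r["command"]
        out[r["user"]].append(full)
    return dict(out)

if __name__ == "__main__":
    for user, cmds in changes_by_user(parse_config_log(SAMPLE)).items():
        print(user, cmds)
```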

To display memory usage information for the configuration log, use the show archive log config statistics command as shown below:

R1#show archive log config statistics
Config Log Session Info:
        Number of sessions being tracked: 1
        Memory being held: 3914 bytes
        Total memory allocated for session tracking: 3914 bytes
        Total memory freed from session tracking: 0 bytes

Config Log log-queue Info:
        Number of entries in the log-queue: 18
        Memory being held by the log-queue: 4769 bytes
        Total memory allocated for log entries: 4769 bytes
        Total memory freed from log entries: 0 bytes

Use the show archive log config all provisioning command to display all configuration log entries as they would appear in a configuration file rather than in tabular format.

R1#show archive log config all provisioning
archive
 log config
  logging enable
  logging size 500
  hidekeys
notify syslog
!exec: enable
interface FastEthernet0/0
shutdown
!exec: enable

Display the Configuration Difference between running-config and startup-config

You can compare any two configuration files available in the IOS File System by passing each path as an option to the command, for example “show archive config differences nvram:startup-config system:running-config”. The order in which paths are entered determines how you interpret the output.

The output will look something like:

R1#show archive config difference system:running-config nvram:startup-config
!Contextual Config Diffs:
+no aaa new-model
interface FastEthernet0/0
 +shutdown
line con 0
 +login local
line vty 0 4
 +login
-aaa new-model
-aaa session-id common

A line with a “+” sign means the command is present in the startup-config but not in the running-config.

A line with a “-” sign means the command is present in the running-config but not in the startup-config.

Always remember that when you use the command without options, for instance “show archive config differences”, it is the same as entering “show archive config difference system:running-config nvram:startup-config”.
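The +/- rule above can be applied mechanically, as in this added Python example (not from the original article): given the two paths in the order they were typed, it lists the commands unique to each file. The function name is hypothetical, the sample is the output shown earlier, and the indentation stack generalizes to deeper nesting than the sample contains.

```python
# Constructed sample: the contextual diff output shown in this article.
SAMPLE_DIFF = """\
!Contextual Config Diffs:
+no aaa new-model
interface FastEthernet0/0
 +shutdown
line con 0
 +login local
line vty 0 4
 +login
-aaa new-model
-aaa session-id common
"""

def classify_diff(text, file1, file2):
    """Split a contextual diff into the commands found only in file1 or only in file2.

    file1 and file2 are the paths in the order given to the show command:
    '-' lines exist only in file1, '+' lines only in file2.
    """
    result = {file1: [], file2: []}
    stack = []  # unchanged parent lines, one per indentation level
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank line or the '!Contextual Config Diffs:' banner
        depth = len(line) - len(line.lstrip(" "))
        body = line.strip()
        del stack[depth:]  # leave any sub-mode deeper than this line
        if body[0] in "+-":
            owner = file2 if body[0] == "+" else file1
            result[owner].append(" / ".join(stack + [body[1:].strip()]))
        else:
            stack.append(body)  # context line: a parent of the lines that follow
    return result

if __name__ == "__main__":
    diff = classify_diff(SAMPLE_DIFF, "system:running-config", "nvram:startup-config")
    for path, cmds in diff.items():
        print(path)
        for c in cmds:
            print("   only here:", c)
```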

Clear the Configuration Log

The entries from the configuration log can be cleared in one of two ways. The size of the configuration log can be reduced by using the logging size command, or the configuration log can be disabled and then re-enabled with the logging enable command. To clear the configuration log file, use one of the following methods:

Clearing the Configuration Log by Disabling the Configuration Log

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#no logging enable
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#end
R1#

Clearing the Configuration Log by Resetting the Log Size

To clear the configuration log, reduce the log size to 1, then reset the log size to the desired value by entering the logging size command.

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging size 1

Setting the size of the configuration log to 1 results in all but the most recent entry being purged.

R1(config-archive-log-cfg)#logging size 500
R1(config-archive-log-cfg)#end
R1#

Before the introduction of this feature, the only way to determine if the Cisco software configuration had changed was to save a copy of the running and startup configurations to a local computer and do a line-by-line comparison. This comparison method can identify changes that occurred, and the person responsible for the changes.
