Configuration Change Notification and Logging
First Published: November 3, 2003
Last Updated: May 2, 2008
Prior to the introduction of this feature, the only way to determine if the Cisco IOS software configuration had changed was to save a copy of the running and startup configurations to a local computer and do a line-by-line comparison. This comparison method can identify changes that occurred, but does not specify the sequence in which the changes occurred, or the person responsible for the changes.
The Configuration Change Notification and Logging (Config Log Archive) feature allows the tracking of configuration changes entered on a per-session and per-user basis by implementing an archive function. This archive saves "configuration logs" that track each configuration command that is applied, who applied the command, the parser return code (PRC) for the command, and the time the command was applied. This feature also adds a notification mechanism that sends asynchronous notifications to registered applications whenever the configuration log changes.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Configuration Change Notification and Logging" section.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Restrictions for Configuration Change Notification and Logging
• Information About Configuration Change Notification and Logging
• How to Configure the Configuration Change Notification and Logging Feature
• Configuration Examples for the Configuration Change Notification and Logging Feature
• Feature Information for Configuration Change Notification and Logging
Restrictions for Configuration Change Notification and Logging
• Only complete commands input in a configuration mode are logged.
• Commands that are part of a configuration file applied with the copy command are not logged.
Information About Configuration Change Notification and Logging
To configure the Configuration Change Notification and Logging feature, you must understand the following concepts:
• Configuration Change Notifications and Config Change Logging
Configuration Log
The Configuration Change Notification and Logging feature tracks changes made to the Cisco IOS software running configuration by maintaining a configuration log. This configuration log tracks changes initiated only through the command-line interface (CLI) or HTTP. Only complete commands that result in the invocation of action routines are logged. The following types of entries are not logged:
• Commands that result in a syntax error message
• Partial commands that invoke the router help system
For each configuration command that is executed, the following information is logged:
• The command that was executed
• The configuration mode in which the command was executed
• The name of the user that executed the command
• The time at which the command was executed
• A configuration change sequence number
• Parser return codes for the command
You can display information from the configuration log through the use of the show archive log config command, with the exception of the parser return codes, which are for use by internal Cisco IOS applications only.
Configuration Change Notifications and Config Change Logging
You can configure the Configuration Change Notification and Logging feature to send notification of configuration changes to the Cisco IOS software system logging (syslog) process. Syslog notifications allow monitoring of the configuration log information without performing polling and information gathering tasks.
The Configuration Change Notification and Logging feature allows the tracking of configuration changes entered by users on a per-session and per-user basis. This tool allows administrators to track any configuration change made to the Cisco IOS software running configuration, and identify the user that made that change.
Config Logger Enhancements for EAL4+ Certification
Further enhancements to the Configuration Change Logging process were implemented in Cisco IOS Release 12.3(14)T. These enhancements support an effort to ensure the logging process meets the requirements set forth in the Conformance to Common Criteria, Evaluation Assurance Level 4+ (EAL4+) Firewall Protection Profiles. These enhancements include changes to meet the following requirements:
• If you change any logging parameters, those changes are logged. This is effected by the sending of a syslog message for each change to the running-config from a copy operation (for example, on copy source running-config).
• Modifications to the Group of Administrative Users are logged; failed attempts to access privileged EXEC mode ("enable" mode) are logged.
Note: EAL Certification is not claimed by Cisco for Cisco IOS Release 12.3(14)T. These enhancements provide the groundwork for future Certification.
The above logging actions are disabled by default. To enable these logging characteristics, perform the task described in the "Configuring the Configuration Change Notification and Logging Feature" section.
How to Configure the Configuration Change Notification and Logging Feature
This section contains the following procedures:
•
Configuring the Configuration Change Notification and Logging Feature
•
Displaying Configuration Log Entries and Statistics
•
Clearing Configuration Log Entries
Configuring the Configuration Change Notification and Logging Feature
Perform this task to enable the Configuration Change Notification and Logging feature.
SUMMARY STEPS
1. enable
2. configure terminal
3. archive
4. log config
5. logging enable
6. logging size entries
7. hidekeys
8. notify syslog
9. end
DETAILED STEPS
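To confirm that a saved configuration carries the settings this task enables, the following added example (not Cisco code) checks the archive / log config block for logging enable, hidekeys and notify syslog. The function names and both sample configurations are assumptions, as is the layout of one extra leading space per configuration sub-mode.

```python
TARGET = ["archive", "log config"]
# Settings enabled by the task above; "logging size" is left out because it only sets capacity.
REQUIRED = ("logging enable", "hidekeys", "notify syslog")

# Constructed samples, laid out as a saved configuration would be (assumed
# one extra leading space per configuration sub-mode).
WEAK = """\
hostname Router
!
archive
 log config
  logging enable
!
line con 0
"""
HARDENED = """\
archive
 log config
  logging enable
  logging size 200
  hidekeys
  notify syslog
"""

def log_config_block(config_text):
    """Return the commands nested under archive -> log config, or None if absent."""
    path, block = [], None          # path: (indent, command) of enclosing lines
    for raw in config_text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while path and path[-1][0] >= indent:
            path.pop()              # left one or more sub-modes
        parents = [c for _, c in path]
        if parents == TARGET:
            block.append(cmd)
        elif parents + [cmd] == TARGET and block is None:
            block = []
        path.append((indent, cmd))
    return block

def audit(config_text):
    """List what is missing from the configuration-log settings; empty means complete."""
    block = log_config_block(config_text)
    if block is None:
        return ["no 'log config' block under 'archive'"]
    return [f"missing '{cmd}'" for cmd in REQUIRED if cmd not in block]

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "ok")
```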
Displaying Configuration Log Entries and Statistics
Perform this task to display entries from the configuration log or statistics about the memory usage of the configuration log.
To display configuration log entries and to monitor the memory usage of the configuration log, the Configuration Change Notification and Logging feature provides the show archive log config command.
SUMMARY STEPS
1. enable
2. show archive log config number [end-number]
3. show archive log config all provisioning
4. show archive log config statistics
5. exit
DETAILED STEPS
Step 1
enable
Use this command to enable privileged EXEC mode. Enter your password if prompted. For example:
Router> enable
Step 2
show archive log config number [end-number]
Use this command to display configuration log entries by record numbers. If you specify a record number for the optional end-number argument, all log entries with record numbers between the values entered for the number and end-number arguments are displayed. For example:
Router# show archive log config 1 2
 idx   sess   user@line       Logged command
   1      1   user1@console   logging enable
   2      1   user1@console   logging size 200
This example displays configuration log entry numbers 1 and 2. Valid values for the number and end-number arguments range from 1 to 2147483647.
Step 3
show archive log config all provisioning
Use this command to display all configuration log files as they would appear in a configuration file rather than in tabular format. For example:
Router# show archive log config all provisioning
archive
 log config
  logging enable
  logging size 200
This display also shows the commands used to change configuration modes, which are required to correctly apply the logged commands.
Step 4
show archive log config statistics
Use this command to display memory usage information for the configuration log. For example:
Router# show archive log config statistics
Config Log Session Info:
Number of sessions being tracked: 1
Memory being held: 3910 bytes
Total memory allocated for session tracking: 3910 bytes
Total memory freed from session tracking: 0 bytes
Config Log log-queue Info:
Number of entries in the log-queue: 3
Memory being held in the log-queue: 671 bytes
Total memory allocated for log entries: 671 bytes
Total memory freed from log entries:: 0 bytes
Step 5
exit
Use this command to exit to user EXEC mode. For example:
Router# exit
Router>
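For review outside the router, the tabular display from Step 2 can be parsed into records, grouped per user and session, and scanned for the commands this document describes as clearing the configuration log. This is an added example, not Cisco code; the function names are assumptions, and the sample is constructed in the Step 2 layout (user2, vty0 and entries 3 to 5 are made up).

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Step 2 display.
SAMPLE = """\
Router# show archive log config 1 5
 idx   sess   user@line       Logged command
   1      1   user1@console   logging enable
   2      1   user1@console   logging size 200
   3      2   user2@vty0      interface FastEthernet0/0
   4      2   user2@vty0      logging size 1
   5      2   user2@vty0      no logging enable
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)@(\S+)\s+(.+?)\s*$")
# Commands that the clearing procedures in this document rely on:
# resizing the log with "logging size", or "no logging enable".
LOG_CONTROL = re.compile(r"^(no\s+logging\s+enable|logging\s+size\s+\d+)$")

def parse_config_log(text):
    """Return one dict per table row; prompt, header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, sess, user, tty, cmd = m.groups()
            entries.append({"idx": int(idx), "sess": int(sess),
                            "user": user, "line": tty, "command": cmd})
    return entries

def review(entries):
    """Group commands by (user, session) and list entries that touch the log itself."""
    by_session = defaultdict(list)
    for e in entries:
        by_session[(e["user"], e["sess"])].append(e["command"])
    flagged = [e for e in entries if LOG_CONTROL.match(e["command"])]
    return dict(by_session), flagged

if __name__ == "__main__":
    sessions, flagged = review(parse_config_log(SAMPLE))
    for (user, sess), cmds in sessions.items():
        print(f"{user} session {sess}: {len(cmds)} command(s)")
    for e in flagged:
        print(f"review idx {e['idx']}: {e['user']}@{e['line']} ran {e['command']!r}")
```

A flagged entry is a prompt for review rather than a finding: logging size 200 is also part of normal setup, so the surrounding commands in the same session give the context.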
Clearing Configuration Log Entries
Entries from the configuration log can be cleared in one of two ways. The size of the configuration log can be reduced using the logging size command, or the configuration log can be disabled and then reenabled with the logging enable command.
This section contains the following procedures:
• Clearing the Configuration Log by Reducing the Log Size
• Clearing the Configuration Log by Disabling the Configuration Log
Clearing the Configuration Log by Reducing the Log Size
Perform this task to clear entries from the configuration log using the logging size command.
SUMMARY STEPS
1. enable
2. configure terminal
3. archive
4. log config
5. logging size entries
6. logging size entries
7. end
DETAILED STEPS
Examples
The following example shows how to clear the configuration log by reducing the log size to 1, then resetting the log size to the desired value:
Router# configure terminal
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-config)# logging size 1
Router(config-archive-log-config)# logging size 200
Router(config-archive-log-config)# end
Clearing the Configuration Log by Disabling the Configuration Log
Perform this task to clear entries from the configuration log using the logging enable command.
SUMMARY STEPS
1. enable
2. configure terminal
3. archive
4. log config
5. no logging enable
6. logging enable
7. end
DETAILED STEPS
Examples
The following example clears the configuration log by disabling and then reenabling the configuration log:
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-config)# no logging enable
Router(config-archive-log-config)# logging enable
Router(config-archive-log-config)# end
Configuration Examples for the Configuration Change Notification and Logging Feature
This section provides the following configuration example:
• Configuring the Configuration Change Notification and Logging Feature: Example
Configuring the Configuration Change Notification and Logging Feature: Example
The following example shows how to enable configuration logging with a maximum of 200 entries in the configuration log. In the example, security is increased by suppressing the display of password information in configuration log records, and syslog notifications are turned on.
configure terminal
archive
log config
logging enable
logging size 200
hidekeys
notify syslog
Additional References
The following sections provide references related to the Configuration Change Notification and Logging feature:
Related Documents
Related Topic    Document Title
Information about managing configuration files
Commands for managing configuration files
Standards
Standards    Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.    —
MIBs
RFCs
RFCs    Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.    —
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Configuration Fundamentals Command Reference at http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
• archive
• hidekeys
• log config
• logging enable (config-archive-log)
• logging size (config-archive-log)
• notify syslog
• show archive log config
Feature Information for Configuration Change Notification and Logging
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for Configuration Change Notification and Logging
Feature Name: Configuration Change Notification and Logging
Releases: 12.3(4)T, 12.2(25)S, 12.2(27)SBC, 12.2(33)SRA, 12.2(33)SXH, 12.2(33)SB
Feature Information: The Configuration Change Notification and Logging (Configuration Logging) feature allows the tracking of configuration changes entered on a per-session and per-user basis by implementing a configuration log. The configuration log tracks each configuration command that is applied, who applied the command, the parser return code for the command, and the time the command was applied. This feature also adds a notification mechanism that sends asynchronous notifications to registered applications whenever the configuration log changes.
In 12.2(33)SB, this feature was implemented on the Cisco 10000 series.
The following sections provide information about this feature:
• Configuration Change Notifications and Config Change Logging
• Configuring the Configuration Change Notification and Logging Feature
• Displaying Configuration Log Entries and Statistics
The following commands were modified by this feature: archive, hidekeys, log config, logging enable, logging size, notify syslog, show archive log config.
Feature Name: Config Logger Enhancements for EAL4+ Certification
Releases: 12.3(14)T, 12.2(27)SBC
Feature Information: Further enhancements to the Configuration Change Logging process were implemented in Cisco IOS Release 12.3(14)T and 12.2(27)SBC. These enhancements support an effort to ensure the logging process meets the requirements set forth in the Conformance to Common Criteria, Evaluation Assurance Level 4+ (EAL4+) Firewall Protection Profiles.
The following section provides information about this feature:
© 2003-2008 Cisco Systems, Inc. All rights reserved.

