- Preface
- Open Source License Acknowledgements
- Chapter 1: Overview of Administration
- Chapter 2: Setting up Security
- Chapter 3: Administering LMS Server
- Chapter 4: Administering Discovery Settings and Device and Credential Repository
- Chapter 5: Managing Groups
- Chapter 6: Administering Data Collection
- Chapter 7: User Tracking and Dynamic Updates
- Chapter 8: Administering Collection Settings
- Chapter 9: Monitoring and Troubleshooting Settings
- Chapter 10: Notification and Action Settings
- Chapter 11: Administering Change Audit and Software Management
- Chapter 12: Managing Jobs
- Chapter 13: Working With Software Center
- Chapter 14: Discrepancies and Best Practices Deviations
- Chapter 15: Report Setting
- Chapter 16: Purge Settings
- Chapter 17: Debugging Options
- Chapter 18: Understanding LMS Tasks
- Appendix A: CLI Tools
- Appendix B: Troubleshooting and FAQs
- Appendix C: Data Extraction Engine
- Appendix D: Understanding Cisco Prime Security
- Appendix E:Commands to Enable Mac Notification Traps
- Appendix F: Recommended Best Practices
- Index
Administration of Cisco Prime LAN Management Solution 4.2
- Updated:
- February 12, 2018
Chapter: Chapter 8: Administering Collection Settings
Administering Collection Settings
All collection settings like Inventory Collection settings, VRF Lite settings, various SNMP timeout settings are grouped under the collection settings in the Admin tab in the menu.
- Using the Inventory Job Browser
- Timeout and Retry Settings
- Secondary Credentials
- Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System
- PSIRT or End-of-Sale or End-of-Life Data Administration
- Administering VRF Lite
- Modifying Fault Management SNMP Timeout and Retries
- Configuring Fault Management Rediscovery Schedules
- Configuring Event Forensics
- Fault Monitoring Device Administration
- Device Management Functions
- Performance Management SNMP Timeouts and Retry Settings
- IPSLA Application Settings
- Setting Up Archive Management
- Defining the Configuration Collection Settings
- Configuring Transport Protocols
- Overview: Common Syslog Collector
- Viewing Status and Subscribing to a Common Syslog Collector
Using the Inventory Job Browser
The Inventory Job Browser displays all user-defined jobs. It also displays the system-defined inventory collection and polling jobs. You can create and manage inventory jobs using the Job Browser. You can edit, stop, cancel or delete jobs using this Job Browser.
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks.
When you install LMS, a default job is defined for Inventory Collection and Inventory Polling.
When the default job runs, LMS evaluates the “all devices” group and executes the job. This way, whenever new devices are added to the system, these devices are also included in the default collection/polling job.
For the default system jobs, the device list cannot be edited. You can only change the schedule of those jobs. Therefore, when a periodic system job for inventory collection or polling is scheduled, the scheduled job is not displayed in the Inventory Job Browser.
The default system jobs for Inventory Collection and Inventory Polling are created immediately after installation. However, they may appear in the Inventory Job Browser (Inventory > Job Browsers > Inventory Collection or Admin > Collection Settings > Inventory > Inventory Jobs) and the LMS Job Browser (Admin > Jobs > Browser) only after some time has elapsed.
The jobs are displayed in the Job Browser when they are running, or after they are completed, with all the details such as Job ID, Job Type, and Status.
User-defined jobs, however, are displayed in the Job Browser once they are scheduled, when they are running, and after they are completed.
You can do the following tasks from the Inventory Job Browser:
- Viewing Job Details
- Creating and Editing an Inventory Collection or Polling Job
- Stopping, Cancelling or Deleting an Inventory Collection or Polling Job
To invoke the Inventory Job Browser, either:
The Inventory Job Browser dialog box appears with a detailed list of all scheduled inventory jobs.
The columns in the Inventory Job Browser dialog box are:
|
|
|
|---|---|
Unique ID assigned to the job by the system, when the job is created. Click on the hyperlink to view the Job details (see Viewing Job Details.) Periodic jobs such as 6-hourly, 12-hourly, Daily, Weekly and Monthly, have the job IDs that are in the number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the job ID 1001. |
|
Type of job—System Inventory Collection, System Inventory Polling, Inventory Collection and Inventory Polling. |
|
Status of the job—Scheduled, Successful, Failed, Cancelled, Stopped, Running, Missed Start. The number, within brackets, next to Failed status indicates the count of the devices that had failed for that job. This count is displayed only if the status is Failed. For example, If the status displays Failed(5), then the count of devices that had failed is 5. This count of failed devices is not displayed for jobs restored from LMS 4.1 or earlier versions. |
|
Description of the job entered by the job creator. This is a mandatory field. Accepts alphanumeric values. The field is restricted to 256 characters. |
|
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. |
Using the Filter by field in the Inventory Job Browser, you can filter the jobs displayed in the browser.
You can filter the jobs using any of the following criteria and clicking Filter :
To perform the following tasks, use the Inventory Job Browser ( Table 8-1 )
Records for Inventory Collection and Polling jobs need to be purged periodically. You can schedule a default purge job for this purpose, select Admin > Network > Purge Settings > Config Job Purge Settings.
Viewing Job Details
In the Inventory Job Browser, click on the Job ID hyperlink to view the following job details for Inventory collection, or polling jobs:
- Job Details—Expand this node to display Job Summary and Job Results for the inventory collection or polling job.
- Job Summary—Click on this node to view the following for the inventory collection or polling job:
– Job Summary—Displays information about the job type, the job owner, the status of the job, the start time, the end time, the schedule type, and details of email notification.
– Device Summary—Displays information about the total devices submitted for the job, the number of devices that were scanned, the number of devices that were pending, the devices that were successful with change, successful without change, and the failed devices.
Also, the Device Details and Not Attempted information appears.
Not Attempted displays the number of devices for which the Inventory collection module did not attempt to collect the data.
- Job Results—Displays information about the number of devices scanned, the names of the scanned devices, the duration of scanning, the average scan time per device, and the job results description, for the inventory collection or polling job.
To see more details, expand the Job Results node. You will see the following details:
– Failed—If you click on this node, you will see the collective list of failed devices and the reason for their failure in the right pane, for the inventory collection or polling job.
If you expand this node, the list of failed devices appears.
If you select a device, the right pane displays the device name and the reason for the failure. For example, Device sensed, but collection failed, or Device not reachable.
For a Inventory collection job:
Expand the Successful: With Changes node to display a list of devices.
If you select a device, the right pane displays the device name and a hyperlink: View Changes. If you click on this hyperlink, the Inventory Change Details report appears for the device. The report displays information about the attribute, the type of change, the time of change, the previous value and the current value for the collection job.
If you do not expand this node, you will see the collective list of devices with the status Success: With changes with their View Changes hyperlinks, in the right pane, for the collection job.
There is a View All Changes hyperlink in the right pane. If you click this hyperlink, all the changes on the devices are displayed.
Click on the Successful: With Changes node to display a list of devices that have changes, as a comma separated list, in your right pane.
When there is a change in the config of a device and when the device is polled, the information like Collection initated will appear in the job results. A separate job will be created for the inventory collection as a result of changes occuring in the inventory.
If you click on this, you will see as a comma-separated list in your right pane, the devices that were successful for the inventory collection or polling job.
Note Inventory Poller creates a Collection job when it detects changes.
Creating and Editing an Inventory Collection or Polling Job
To create or edit an Inventory collection or polling job:
The Inventory Job Browser appears.
The Create Inventory Job dialog box appears.
Step 4 Enter the information required to create a job:
You get a notification that the job has been successfully created, and it appears in the Inventory Job Browser.
To edit a job, select a scheduled job from the Inventory Job Browser, and click Edit.
The Edit Inventory Job dialog box appears. The Job Type options are disabled. You can however, change the Scheduling and Job Info fields as required, and click Submit.
Stopping, Cancelling or Deleting an Inventory Collection or Polling Job
You can stop, cancel or delete Inventory Collection or Polling jobs.
Timeout and Retry Settings
This option enables you to set the default values for Inventory, Config timeout and retry settings. These values are applicable to all devices in LMS.
The default value is 2. The minimum value is zero and the maximum value is 6.
- SNMP Timeout—Amount of time that the system should wait for a device to respond before it tries to access it again. It refers to the total transaction time of SNMP Packets.
The default value is 2 seconds and the minimum value is zero seconds. There is no maximum value limit. Changing the SNMP timeout value affects inventory collection.
- Telnet Timeout—Amount of time that the system should wait for a device to respond before it tries to access it again. It refers to the initial response time required to create a socket.
The default value is 36 seconds and the minimum value is zero seconds. There is no maximum value limit.
Changing the Telnet timeout value affects inventory collection.
- Natted LMS IP Address—The LMS server ID. This is the translated address of LMS server as seen from the network where the device resides.
You need to enable support for NAT, in a scenario where LMS tries to contact devices outside the NAT boundary.
The default value is Not Available.
- TFTP Timeout—Amount of time that the system should wait to get the result status of the copy operation. Changing the TFTP timeout value affects Config collection.
The default value is 5 and the minimum value is 0 seconds. There is no maximum value limit.
The default read delay is 10 milliseconds.
The default value is 45000 milliseconds.
The default value is 2000 milliseconds.
The default value is 50 milliseconds.
- Delay After Connect—Amount of waiting time in milliseconds after initial socket connection. It will wait for the set time before doing the next operation.
The default value is 300 milliseconds.
To edit the Inventory, Config timeout and retry settings:
Step 1 Select Admin > Network > Timeout and Retry Settings > Config Timeout and Retry Settings.
The Inventory, Config timeout and retry settings page appears.
Step 2 Enter the default values for:
Note Modifying the default timeout values will apply to all the devices and impact the work flows of all devices. To edit per device level attributes, go to Editing Device Attributes.
A confirmation message appears:
The settings are updated successfully
Note When you do a back up restore from LMS 3.x/4.x to LMS 4.2, the inventory, config timeout, and retry values will not be restored by default. To restore the values for all the devices, edit the default values in Timeout and Retry settings page. To restore the values for specific devices, go to Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings
Secondary Credentials
The LMS server polls and receives two types of credentials from each device and populates the Device Credential Repository (DCR).These credentials are:
LMS uses either the primary or secondary credentials to access the devices using the following protocols:
The LMS server first uses the Primary Credentials to access the device. The Primary Credentials is tried out many times and on failure the Secondary Credentials is tried out. Secondary Credentials is used as a fallback mechanism in LMS for connecting to devices.
For instance, if the AAA Server is down, accessing devices using their primary credentials will lead to failure.
You can add or edit the Secondary Credentials information through the DCR page (Select Inventory > Device Administration > Add / Import / Manage Devices) if the Secondary Credential information is not available for a device.
Note The use of Secondary Credentials fallback is applicable for both Login and Enable connectivity.
You can use the LMS Secondary Credential dialog box to enable or disable Secondary Credentials fallback when the Primary Credentials for a device fails. This is a global option which you can use to enable or disable the use of Secondary Credential fallback for all LMS applications.
To enable or disable the Secondary Credentials fallback:
Step 1 Select Admin > Collection Settings > Config > Secondary Credential Settings.
Select Admin > Collection Settings > Inventory > Secondary Credential Settings.
The Secondary Credentials dialog box appears.
Step 2 Do either of the following:
Step 3 Click either Apply to apply the option or click Cancel to discard the changes.
Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System
At the time of LMS installation, system jobs are created for both Inventory collection and polling, with their own default schedules. A periodic inventory collection job collects inventory data from all managed devices and updates your inventory database.
Similarly, the periodic polling polls devices and updates the inventory database. You can change the schedule of these default, periodic system jobs.
For inventory collection or polling to work, your devices must have accurate read community strings entered. The changes detected by inventory collection or polling, are reflected in all associated inventory reports.
This section contains the following topics:
- Changing the Schedule for System Inventory Collection or Polling Settings
- Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings
Changing the Schedule for System Inventory Collection or Polling Settings
Note that the inventory poller allows you to collect inventory less often. The poller detects most changes in managed devices, with much less impact on your network. If the poller detects changes, it initiates inventory collection.
To collect inventory or poll devices as a one-time event or for selected devices only, create user-defined inventory collection or polling jobs (see Creating and Editing an Inventory Collection or Polling Job).
Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks.
Step 1 Select Admin > Collection Settings > Inventory > Inventory System Job Schedule.
The System Job Schedule dialog box displays the current collection or polling schedule.
Step 2 Set the new Inventory Collection or Inventory Polling schedule in the respective panes, as in Table 8-2 .
Inventory data does not change frequently, so infrequent collection is better. However, if you are installing much new equipment, you may need more frequent collection.
Infrequent collection reduces the load on your network and managed devices. Collection is also best done at night or when network activity is low.
Also, make sure your collections do not overlap, by checking their duration using the Inventory Job Browser (see Using the Inventory Job Browser), and scheduling accordingly.
Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings
Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks.
Step 1 Select Admin > Network > Compliance Policy/PSIRT/EOS/EOL Settings > Compliance Policy and Psirt/Eox System Job Schedule.
The Compliance Policy and PSIRT/EOX System Job Schedule page appears.
Step 2 Set the new Compliance Policy and PSIRT/EOX schedule in the respective panes, as in Table 8-2 .
Compliance Policy and PSIRT/EOX Job Report
Perform the following steps to view the Compliance Policy and PSIRT/EOX Job Report:
Step 1 Go to Admin > Jobs > Browser.
Step 2 Select Type in the Filter by field and SystemPsirtJob in the drop-down list.
The SystemPsirtJob will be filtered and displayed.
Step 4 Click the JOB ID e.g 1005.1 to view the Compliance Policy and PSIRT/EOX Job Report.
PSIRT or End-of-Sale or End-of-Life Data Administration
Product Security Incident Response Team (PSIRT) of Cisco is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability-related information, related to Cisco products and networks.
For every security vulnerability, a PSIRT document is created with a PSIRT Document ID. This document consists of definitions of the vulnerabilities, the IOS image version that is affect by the PSIRT, as well as the device that is impacted.
Note System PSIRT job should be successful at least once before generating PSIRT/End-of-Sale or End-of-Life (EoX) reports. Report job will be successful even though there is no data to display for the selected devices.
The EoS/EoL reports will be successful but might not contain data in the below scenarios:
1. If the system PSIRT job fails because of wrong Cisco.com credentials, or if you have not configured the Cisco.com credentials.
2. If the system PSIRT job fails due to problems in the downloaded local XML file.
3. If there is no PSIRT/EoX data in the database for the selected devices.
LMS fetches and collects this PSIRT information from Cisco.com whenever the system PSIRT and End-of-Sale or End-of-Life (EOX) job runs.
LMS uses PSIRT, End-of-Sale and End-of-Life data from Cisco.com to generate various reports. You can change the Data Source for PSIRT or End-of-Sale or End-of-Life reports. For more information, see Changing the Data Source for PSIRT/EOS/EOL Reports.
Changing the Data Source for PSIRT/EOS/EOL Reports
You can use the PSIRT/EOX Reports option to change the data source for generating a PSIRT or End-of-Sale or End-of-Life report.
To access this option, select Reports > Fault and Event > PSIRT Summary
- Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com
- Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location
When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the data either from Cisco.com or from a local text file with XML data, depending upon the option you have set.
To change the PSIRT or End-of-Sale/End-of-Life report settings:
Step 1 Select Admin > Network > PSIRT, EOS and EOL Settings > PSIRT/EOX Reports option.
The PSIRT/EOX Reports dialog box appears.
The local file location is shown if you have selected Local.
The PSIRT or End-of-Sale or End-of-Life report can be generated based on the settings specified by you.
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com
You can use the Cisco.com option, if you have access to Cisco.com from the LMS server. When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the data from Cisco.com. The report so generated consists of latest data from the system PSIRT and EOX job.
If you have opted to generate a PSIRT or End-of-Sale or End-of-Life report using data from Cisco.com, you must setup the Cisco.com user account using Admin > System > Cisco.com Settings > User Account Setup. If you do not configure the Cisco.com user account, the System PSIRT and EOX job will fail.
Note While you schedule a PSIRT Summary report job or End-of-Sale or End-of-Life job using the Cisco.com method, the Cisco.com Username, Cisco.com Password are enabled. If you have configured the Proxy Server (Admin > System > Cisco.com Settings > Proxy Server Setup) then Proxy Username and Proxy Password fields are also enabled.
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location
You can use the Local option, if you do not have an internet connection from the LMS server. The local file is a text file with XML data in it.
Downloading the text file with XML data from Cisco.com
You can retrieve the PSIRT or End-of-Sale or End-of-Life information from an external server and store it in the local file location on the LMS server.
To download the text file with XML data from Cisco.com:
1. Use a server other than LMS server with internet connection as the external server.
2. From this external server, access the following link to download the XML data:
1. Go to
http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest#
2. Login to Cisco.com by entering the Cisco.com user name and password.
3. Download the PSIRT_EOX_OFFLINE.zip file.
4. Extract the text file with XML data to the external server.
5. Copy the text file from the external server into the LMS Server under:
– On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
– On Windows, NMSROOT \files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml
The text file with XML data gets saved under local_xml folder.
Where NMSROOT is the default Cisco Prime installation directory.
1. Go to
http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest#
2. Login to Cisco.com by entering the Cisco.com user name and password.
3. Download the EOX_SOFTWARE.zip file to the external server.
4. Copy the EOX_SOFTWARE.zip file from the external server into the LMS Server under:
– On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
– On Windows, NMSROOT \files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml
Note You must not extract the EOX_SOFTWARE.zip file in the LMS Server.
The EOX_SOFTWARE.zip file gets saved under local_xml folder.
Where NMSROOT is the default Cisco Prime installation directory.
When you schedule a PSIRT or End-of-Sale/End-of-Life report, the Report Generator retrieves the data from the XML file.
To ensure that the data shown in the PSIRT or End-of-Sale or End-of-Life report is the latest:
1. Retrieve the PSIRT or End-of-Sale or End-of-Life information from Cisco.com using an external server which has internet connection.
2. Store this retrieved XML information in the local file location.
3. Then generate a PSIRT Summary Report or End-of-Sale or End-of-Life report.
Administering VRF Lite
From the Admin tab in the mega menu you can administer the following features of VRF Lite:
- Provide VRF Lite Collector Settings. For details, see Using VRF Lite Collector Settings.
- Schedule VRF Lite Collection. For details, see Scheduling VRF Lite Collector.
- Modify SNMP Timeouts and Retries. For details, see Modifying VRF Lite SNMP Timeouts and Retries.
You can specify the debugging options for VRF Lite Server, VRF Lite Collector, and VRF Lite, select Admin > System > Debug Settings.
You can view the status of VRF Lite jobs, select Admin > Jobs > Browser, and use the filter to view only VRF Lite jobs.
You can configure purging interval for Virtual Network Manager Report Jobs and Archives, select Admin > Network > Purge Settings > VRF Management Purge Settings. For details, see Purging VRF Management Reports Jobs and Archived Reports.
- Using VRF Lite Collector Settings
- Scheduling VRF Lite Collector
- Modifying VRF Lite SNMP Timeouts and Retries
Using VRF Lite Collector Settings
You can perform the following administrative tasks using the VRF Lite Collector Settings page:
You can schedule the VRF Lite Collector process to run after every Data Collection. The VRF Lite Collector process is scheduled to collect VRF Lite-specific details of the VRF Lite Capable and VRF Lite Supported devices. You can add, edit and delete VRF Lite Collector Schedule jobs.
To schedule the VRF Lite Collection process, click Schedule VRF Lite Collector link.
For details, see Scheduling VRF Lite Collector.
You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device with SNMP timeout exceptions. To modify the VRF Lite SNMP Timeouts and Retries Settings, click VRF Lite SNMP Timeouts and Retries Settings link.
For details, see Modifying VRF Lite SNMP Timeouts and Retries.
Scheduling VRF Lite Collector
You can schedule the day and the time of VRF Lite Collection using this feature. You can add a new schedule, edit or delete existing schedules.
To schedule VRF Lite Collector:
Step 1 Select Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule.
The VRF Lite Collector Schedule dialog box appears.
Step 2 Enter the details as mentioned in Table 8-3 .
- Select a schedule and click Edit to edit the schedule
- Select a schedule and click Delete to delete the schedule
- Click Add to add a new schedule
Step 3 Click OK to save the details
Click Cancel to exit the VRF Lite Collection Schedule dialog box.
You can view the status of VRF Lite Collector Schedule job, select Admin > Jobs > Browser, and use the filter to view VRF Lite Collector Schedule job.
Modifying VRF Lite SNMP Timeouts and Retries
You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device with SNMP timeout exceptions.
To modify SNMP timeouts and retries:
Step 1 Select Admin > Network > Timeout and Retry Settings > VRF Lite SNMP Timeouts and Retries.
The VRF Lite SNMP Timeouts and Retries dialog box appears.
Step 2 Modify the SNMP settings as given in Table 8-4 .
Step 3 Click Add to add VRF Lite SNMP settings.
Step 4 Select a row and either:
Click OK to save the changes or click Cancel to exit.
Modifying Fault Management SNMP Timeout and Retries
If an SNMP query does not respond in time, Fault Management will time out. It will then retry contacting the device for as many times as displayed when you select Admin > Network > Timeout and Retry Settings > Fault Management SNMP Timeouts and Retries.
The timeout period is doubled for every subsequent retry. For example, if the timeout value is 4 seconds and the retries value is 3, LMS waits for 4 seconds before the first retry, 8 seconds before the second retry, and 16 seconds before the third retry.
The SNMP timeout and retries are global settings.
Note Changing the settings on this page will modify the settings on all devices managed by LMS.
Note Your login determines whether or not you can perform this task. View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
To modify the Fault Management SNMP timeout and retries:
Step 1 Select Admin > Network > Timeout and Retry Settings > Fault Management SNMP Timeouts and Retries. The SNMP Configuration page appears.
Step 2 Select a new SNMP timeout setting.
Step 3 Select a new Number of Retries setting.
Step 5 In the confirmation box, click Yes.
Configuring Fault Management Rediscovery Schedules
Note Your login determines whether or not you can perform this task. View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
LMS rediscovery probes the devices to discover their configuration and verify their manageable elements in inventory.
LMS contains a default discovery schedule that starts rediscovery on a weekly basis. Although you cannot modify the default discovery schedule, you can suspend it and add, modify, or delete additional schedules.
Suspending and Resuming a Rediscovery Schedule
LMS includes a default rediscovery schedule, Default_Schedule. You cannot edit or delete Default_Schedule, but you can suspend it. To completely suspend rediscovery for a period of time, you may have to repeat this procedure to suspend multiple schedules.
To suspend and resume a rediscovery schedule:
Step 1 Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
The Rediscovery Schedule page appears.
The status for the schedule changes to Suspended and the schedule does not run until you resume the schedule. The schedule remains listed on the Rediscovery Schedule page until you delete it.
The status for the schedule changes to Scheduled.
Adding and Modifying a Rediscovery Schedule
See Performing Scheduling Tasks to plan the rediscovery schedule for maximum efficiency and minimum system impact.
You should plan the rediscovery schedule for maximum efficiency and minimum system impact.
When LMS is first installed, for the Fault Management module most tasks listed in Table 8-5 are scheduled by default to ensure that they do not run concurrently. You can configure the schedules for these tasks to meet the requirements of your site. However, you should still avoid running them concurrently.
|
|
|
|
|---|---|---|
The amount of time it takes to purge the database depends on the size of the database. For more information on how to configure the Daily Fault History Purging Schedule, see Configuring the Daily Fault History Purging Schedule. |
||
By default, rediscovery starts 2 hours after database purging. |
In addition to configuring schedules, a system administrator can schedule database backups. Be careful while coordinating the database backup schedule to avoid running concurrently with the tasks listed in Table 8-5 .
To add or edit a rediscovery schedule:
Step 1 Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
Step 3 Enter a name for the schedule.
Step 4 Select how often the schedule should run:
Step 5 Select the date, hour, and minute on which to start the rediscovery schedule and click Next.
Step 6 Review the information on the Schedule Summary page and click Finish. The Rediscovery Schedule page appears, listing the new schedule.
Deleting a Rediscovery Schedule
To delete a rediscovery schedule:
Step 1 Select a rediscovery schedule and click Delete.
A confirmation dialog box appears.
Note You cannot delete Default_Schedule.
Step 2 Click Yes. The job is removed from this page. However, it will continue to be listed in the main Job Browser.
Configuring Event Forensics
Event Forensics refer to additional information related to the specific events that are polled by LMS server. The polled data are stored on the server and you can use this for troubleshooting.
You must enable the Event Forensics collection feature on LMS server to start collecting the event forensics data.
To enable collection of Event Forensics:
Step 1 Click Admin > Collection Settings > Fault > Fault Event Forensics Configuration. The Event Forensics Configuration page appears.
Step 2 Select the Event Forensics Enable check box to enable LMS to collect forensics data.
LMS polls for Event Forensics data for the following events only:
To view the event forensics results select Monitor > Monitoring Tools > Fault Monitor. You can see the event forensics results when you move your mouse over the Annotations in the Faults table of Fault Monitor Device Fault Summary view tab.
Fault Monitoring Device Administration
To rediscover and delete specific devices, select Admin > Collection Settings > Fault > Fault Monitoring Device Administration.
The Fault Monitoring Device Administration page contains two panes.
- The left pane displays a device selector, from which you select the device or group that you want to rediscover or delete. The left pane includes a search option
- The right pane displays the information for the selected object.
Click the Refresh button to refresh the view.
Note If the IP addresses of the device and its components such as interface or port are added separately in DCR then only device IP will be managed in fault Management and the components IP will not be managed separately as the components are already managed under the device IP.
The devices that appear in the device selector are organized in folders by device state as shown in the Table 8-6 . The folders appear only if there is a device to go in the folder.
When rediscovery takes place, if there are any changes to a device or group configuration, the new settings will overwrite any previous settings.
Rediscovery occurs only for managed devices, and not suspended devices.
- Inventory collection occurs. This is controlled by the Rediscovery Schedule (Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule)
- A device is added to the DCR, or a change is made to a device in the DCR, and LMS is configured to import that device type (or LMS automatically imports all DCR devices). Such DCR changes include a device being deleted or having its credentials (IP address, SNMP credentials, MDF type) changed in the DCR.
- A device is manually added to LMS using the Device Import page.
Note Do not confuse the LMS discovery process with the DCR synchronization process. LMS Discovery and Rediscovery is a process that affects only the LMS inventory.
Step 1 Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault Monitoring Device Administration page appears.
Step 2 Select the device or group that you want to rediscover.
With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To assist you in locating devices, use the search option in the device selector.
Note If you are connecting to the LMS server for the first time, a Security Alert window is displayed after you select nearly any option. Do not proceed without viewing and installing the security certificate. You should contact a user with System Administrator privileges to create a self-signed security certificate, and then install it. If you do not install the self-signed security certificate, you may not be able to access some LMS application pages.
Rediscovery starts. To view rediscovery status, select Inventory > Device Administration > Manage Device State.
Note If the number of components managed by fault management exceeds 40000/domain then the remaining devices will be moved to Question State with the error message “Network Adapter Limit Exceeded”.
Creating a question state device report involves the following steps:
Step 1 Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault Monitoring Device Administration page appears.
Step 2 Click Question State Devie Report.
The question state device report containing the device name, device IP, discovery start time and error details is displayed.
Device Management Functions
Till LMS 3.2 there were 8 different applications like Common Services, Portal and applications covering functionalities in FCAPS model.
LMS 4.2 removes application boundaries and provides tighter integration among the components. It groups all the related functionalities in one place, thus making the product more user friendly.
LMS 4.2 consists of the following five functionalities:
- Inventory, Config and Image Management
- Network Topology, Layer 2 Services and User Tracking
- Fault Management
- IPSLA Performance Management
- Device Performance Management
To view the functionality settings:
Select Admin > System > Device Management Functions.
By default, all the functions will be enabled.
If you have a 10K license, only Inventory, Config and Image Management will function. You should disable all functions except Inventory, Config and Image Management from this page.
Note If you disable a function, the function will stop collecting device information. For IPSLA Management, history data will be deleted.
Performance Management SNMP Timeouts and Retry Settings
Cisco Prime LMS allows you to configure the Performance Management SNMP timeout and SNMP retries using the Poll Settings option. The Performance Management SNMP timeout and SNMP retries are based on the device and network response time.
- SNMP timeout is the duration of time that LMS waits for the device to respond before it retries to query the device again.
- SNMP retry is the maximum number of times LMS retries to query the device.
You can also set the notification interval time in case of poller failures and the e-mail ID to which the notification should be sent.
You can also configure Poll Settings to send the polling failure report as an e-mail.
Step 1 Select Admin > Network > Timeout and Retry Settings > Performance Management SNMP timeouts and retry settings.
The Poll Settings dialog box appears.
Table 8-7 describes the fields in the Poll Settings dialog box.
Step 2 Update the necessary fields in the following panes:
See Table 8-7 for the description of fields that appear in the Poll Settings dialog box.
Step 3 Click Apply to update the poll settings or Reset to cancel the poll settings.
A message appears confirming that poll settings are updated successfully.
IPSLA Application Settings
The IPSLA Application Settings page allows you to copy IP SLA (Internet Protocol Service Level Agreement) configuration to running-config, and set managed source interface.
Copying IPSLA Configuration to Running-Config
You can see the IPSLA (Internet Protocol Service Level Agreement) probes for the collectors that you configure in LMS at the command line interface of the router in the running configuration by selecting the Copy IP SLA Configuration to running-config option on the Application Settings page.
This option is not selected by default. You cannot view the IPSLA probes in the running configuration of the source router if this option is not set.
Note The IP SLA probes are automatically reconfigured when you reboot if you have selected this option and saved the IP SLA probes of the LMS collectors in the startup configuration.
To view the configured collectors in the running configuration:
Step 1 Select Admin > Collection Settings > Performance > IPSLA application settings.
The IPSLA Application Settings page appears.
Step 2 Select the Copy IPSLA Configuration to Running-config check box.
Step 3 Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.
Managed Source Interface Setting
Managed Source Interface configures the source router with appropriate IP address for sending/receiving the IPSLA (Internet Protocol Service Level Agreement) operation packets.
You can set a source interface address for the source router by selecting the Use Managed Source Interface Address option on the Application Settings page. After this option is set, the source router uses the managed interface address while configuring the collectors on the source device.
However, you can also specify a source interface address while configuring a collector. In this case, the source router uses the specified interface. If the Use Managed Source Interface option is not set, then by default, the source router selects the source interface for the collector from the Routing Table based on the IP address of the destination.
To set a source interface address:
Step 1 Select Admin > Collection Settings > Performance > IPSLA application settings.
The Application Settings page appears.
Step 2 Select the Use Managed Source Interface Address check box.
Step 3 Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.
Setting Up Archive Management
You can move the directory for archiving the LMS device configuration and enable and disable the usage of Shadow directory. You can also list the commands that need to be excluded while comparing configuration
To do this select Configuration > Configuration Archive > Summary.
- Preparing to Use the Archive Management
- Entering Device Credentials
- Modifying Device Configurations
- Modifying Device Security
- Moving the Configuration Archive Directory
- Enabling and Disabling the Shadow Directory
- Configuring Exclude Commands
- Configuring Fetch Settings
Preparing to Use the Archive Management
Before you start using the Archive Management, you must:
- Enter Device Credentials (See Entering Device Credentials for details)
- Modify Device Configurations (See Modifying Device Configurations for details)
- Modify Device Security (See Modifying Device Security for details)
Entering Device Credentials
Enter the following device credentials in the Device and Credentials window (Admin > Network > Configuration Job Settings > Config Job Policies):
If you have enabled the Enable Job Password option in the Config Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies) when you scheduled the Config jobs, you are prompted for the following device credentials:
The supported Device authentication prompts are:
“passwd: ”, “password: ”, “Password: ”
“Username: ”, “username: ”, “login: ”,“Username:”, “username:”, “login:”
“Password: ”, “password: ”, “passwd: ”,”Password:”, “password:”, “passwd:”
If you enabled TACACS for a device and configured custom TACACS login and passwords prompts, you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts recognizable, you must edit the TacacsPrompts.ini file. See Handling Custom Telnet Prompts for more information.
Handling Custom Telnet Prompts
To handle custom telnet prompts in applications, you must configure the TacacsPrompts.ini file located at:
NMSROOT /objects/cmf/data (on Solaris/Soft Appliance)
NMSROOT \objects\cmf\data (on Windows)
where NMSROOT is the location where you have installed Cisco Prime LMS.
The format of this ini file is:
For example, if you have configured username and password prompts as MyUserName: and MyPassword: for a few devices and SecretUserName: and Secrect Password: for a few devices, the ini file must be configured as:
USERNAME_PROMPT=MyUsername:, Secret Username:
PASSWORD_PROMPT=MyPassword:, Secret Password:
Note You need not add the default Username prompt and Password prompt in the TacacsPrompts.ini file. Only the custom prompts need to be added.
Modifying Device Configurations
To enable the configuration archive to gather the configurations, modify the device configurations for the following:
Enabling rcp
To enable the configuration archive to gather the configurations using the rcp protocol, modify your device configurations.
Make sure the devices are rcp-enabled by entering the following commands in the device configurations:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username { ip-address | host } remote_username [ enable ]
Where ip_address | host is the IP address/hostname of the machine where LMS is installed. Alternatively, you can enter the hostname instead of the IP address. The default remote_username and local_username are cwuser.
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server. To do this, use the command,
no ip rcmd domain-lookup for rcp to fetch the device configuration.
Enabling scp
To enable the configuration archive to gather the configurations using the scp protocol, modify your device configurations.
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
username admin privilege 15 password 0 system
ip ssh authentication-retries 4
To configure TACACS User name:
aaa authentication login default group tacacs+
aaa authentication enable default none
aaa authorization exec default group tacacs+
ip ssh authentication-retries 4
User on the TACACS Server should be configured with priv level 15:
Enabling https
To enable the configuration archive to gather the configurations using https protocol you must modify your device configurations.
To modify the device configuration, follow the procedure as described in this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_eol_notices_list.html
Configuring Devices to Send Syslogs
Configure your devices for Syslog Analysis if you want the device configurations to be gathered and stored automatically in the configuration archive when Syslog messages are received.
After you perform these tasks and the devices become managed, the configuration files are collected and stored in the configuration archive.
Modifying Device Security
Configuration Management must be able to run certain commands on devices to archive their configurations.
You must have the required permissions to run these Configuration Management commands:
- Router Commands
- Switches Commands
- Content Networking—Content Service Switch Commands
- Content Networking—Content Engine Commands
- Cisco Interfaces and Modules—Network Analysis Modules
- Security and VPN—PIX Devices
For example, you can use the LMS server to access the devices using Telnet or SSH to archive their configurations. Ensure that the user credentials provided by you in DCR has the required permissions to access the devices and execute the above mentioned configuration CLI commands on the devices to fetch the configurations.
These configuration information fetched from the devices by the LMS server is stored in the LMS database.
Router Commands
|
|
|
|---|---|
Sets the number of lines on the current terminal screen for the current session |
|
Sets the number of character columns on the terminal screen for the current line for a session |
|
Show running-brief 1 |
Gets the running configuration in brief by excluding the encryption keys. |
|
1.This is applicable for the IOS release 12.3(7)T release or later. |
The commands in the above tables also apply to the following device types:
Switches Commands
|
|
|
|---|---|
Configures the number of lines in the terminal display screen |
|
Disables the sending of system logging messages to the current login session. |
|
Content Networking—Content Service Switch Commands
The Content Service Switch commands are:
|
|
|
|---|---|
Content Networking—Content Engine Commands
The Content Engine commands are:
|
|
|
|---|---|
Sets the number of lines on the current terminal screen for the current session |
|
Cisco Interfaces and Modules—Network Analysis Modules
The Network Analysis Modules commands are:
|
|
|
|---|---|
Sets the number of lines on the current terminal screen for the current session |
|
Security and VPN—PIX Devices
|
|
|
|---|---|
Sets the number of character columns on the terminal screen for the current line for a session |
|
Moving the Configuration Archive Directory
You can move the directory where the configuration of the devices can be archived on the LMS server.
The default Configuration Archive directory is:
On LMS Solaris/Soft Appliance server,
/var/adm/CSCOpx/files/rme/dcma
Where NMSROOT is the Cisco Prime installed directory.
The new archive directory location should have the permission for casuser:casusers in Solaris and casuser should have Full Control in Windows. The new archive directory location should not be the root of any drive (F:\) and must be a subdirectory (F:\LMSarchives).
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
The following is the workflow for moving the configuration archive location:
Step 1 Stop the ConfigMgmtServer process. To do this:
a. Select Admin > System > Server Monitoring > Processes.
The Process Management dialog box appears.
b. Select the ConfigMgmtServer process.
Step 2 Select Admin > Collection Settings > Config > Config Archive Settings.
The Archive Settings dialog box appears.
Step 3 Enter the new location in the Archive Location field, or click Browse to select a directory on your system.
A message appears confirming the changes.
Step 5 Restart the ConfigMgmtServer process. To do this:
a. Select Admin > System > Server Monitoring > Processes.
The Process Management dialog box appears.
b. Select the ConfigMgmtServer process.
Enabling and Disabling the Shadow Directory
The configuration archive Shadow directory is an image of the most recent configurations gathered by the configuration archive.
The Shadow directory contains subdirectories that represent each device class and the latest configurations supported by the configuration archive.
Each file name is DeviceName.cfg, as defined in the Device and Credential Repository. Each time the archive is updated, the Shadow directory is updated with the corresponding information.
The Shadow directory can be used as an alternative method to derive the latest configuration information programmatically by using scripts or other means.
To access to the Shadow directory, you must be root or casuser on Solaris, or in the administrator group for Windows.
You can find the Shadow directory in the following locations:
- On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow
- On Windows, NMSROOT /files/rme/dcma/shadow. Where NMSROOT is the directory in which LMS is installed (the default is C:\Program Files\CSCOpx).
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
You can enable or disable the use of Shadow directory by following this workflow:
Step 1 Stop the ConfigMgmtServer process. To do this:
a. Select Admin > System > Server Monitoring > Processes.
The Process Management dialog box appears.
b. Select the ConfigMgmtServer process.
Step 2 Select Admin > Collection Settings > Config > Config Archive Settings.
The Archive Settings dialog box appears.
Step 3 Select the Enable Shadow Directory check box.
A message shows that the changes were made.
Step 5 Restart the ConfigMgmtServer process. To do this:
a. Select Admin > System > Server Monitoring > Processes.
The Process Management dialog box appears.
b. Select the ConfigMgmtServer process.
Configuring Exclude Commands
You can list the commands that have to be excluded while comparing configuration. To do this select Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration.
You can enter multiple commands separated by commas.
LMS provides default exclude commands for some Device Categories.
For example, the default exclude commands for Router device category are, end,exec-timeout,length,width,certificate,ntp clock-period
You can specify Exclude Commands at all these levels:
- Device Category (For example, Routers, Wireless, etc.)
- Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)
- Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
While comparing configurations, if you have specified exclude commands in the Device Type, Device Family and Device Category, these commands are excluded only at the Device Type level. The commands in the Device Family and Device Category are not excluded.
If you have specified these commands at,
end,exec-timeout,length,width,certificate,ntp clock-period
banner incoming,snmp-server location
ip name-server,banner motd,snmp-server manager session-timeout
While comparing configurations, only the Cisco 1003 Router (Device Type) level commands are excluded.
If you have specified these commands only at Device Family and Device Category,
end,exec-timeout,length,width,certificate,ntp clock-period
banner incoming,snmp-server location
While comparing configurations, only the Cisco 1000 Series Routers (Device Family) level commands are excluded.
If the commands are specified only at the Device Category level, these commands are applicable to all devices under that category.
To configure Exclude Commands:
Step 1 Select Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration.
The Configure Exclude Commands dialog box appears.
Step 2 Select one of these from the Device Type Selector pane:
Step 3 Enter the command in the Exclude Commands pane to add new commands.
You can enter multiple commands separated by commas.
You can also edit or delete the existing commands in the Exclude Commands pane.
A message appears, The commands to be excluded are saved successfully.
Configuring Fetch Settings
You can configure the Job Result Wait Time per device for the Sync Archive Jobs. The default value is 120 seconds. The minimum value can be set to 60 seconds.
Job Result Wait Time is the maximum wait time that Archive Management waits to get the configurations from the device during the sync-archive job execution.
To configure the Job Result Wait Time:
Step 1 Select Admin > Collection Settings > Config > Config Job Timeout Settings.
The Fetch Settings dialog box appears.
Step 2 Provide the Job Result wait time in seconds in the Maximum time to wait for Job results per device (seconds) field.
Understanding Configuration Retrieval and Archival
LMS supports different ways to trigger the retrieval of configuration files from the device for archival purposes.
- Schedule Periodic Configuration File Archival
- Schedule Periodic Configuration Polling
- Manual Updates (Sync Archive function)
- Using Version Summary
- Timestamps of Configuration Files
- How Running Configuration is Archived
- Change Audit Logging
Schedule Periodic Configuration File Archival
LMS will archive both the startup and running configuration files for all devices at the scheduled time (6-hourly, 12-hourly, daily, weekly, monthly), as configured by the user.
Since this method collects the full running configuration and startup configuration files for the entire network, we recommend that you schedule this to run at no more than once per day, especially if the network is large and outside the LAN.
See Defining the Configuration Collection Settings for further details.
Schedule Periodic Configuration Polling
LMS can be configured to periodically poll configuration MIB variables on devices that support these MIBs according to a specified schedule, to determine if either the startup or running configuration file has changed.
If it has, LMS will retrieve and archive the most current configuration file from the device.
Polling uses fewer resources than full scheduled collection, because configuration files are retrieved only if the configuration MIB variable is set.
On IOS devices the variables ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged from the CISCO-CONFIG-MAN-MIB MIB, and on CATOS the variable sysConfigChangeTime from CISCO-STACK-MIB are used to detect the change.
Any change in the value of these variables causes the configuration file to be retrieved from the device. SNMP change polling works only in case of IOS and CATOS devices which support these MIBs.
If these MIBs are not supported on the devices, then by default, configuration fetch will be initiated without checking for the changes.
By default, the Periodic Collection and Polling are disabled.
See Defining the Configuration Collection Settings for scheduling the periodic polling.
Note The Syslog application triggers configuration fetch, if configuration change messages like SYS-6-CFG_CHG, CPU_REDUN-6-RUNNING_CONFIG_CHG etc., are received.
Manual Updates (Sync Archive function)
This feature allows the LMS user to force the configuration archive to check specified devices for changes to the running configuration file only. Use Sync Archive if you need it to synchronize quickly with the running configuration.
You can also poll the device and compare the time of change currently on the device with the time of last archival of the configuration to determine whether the configuration has changed on a device.
The Startup configuration is not retrieved during manual update archive operation. However, you can retrieve the Startup configuration by enabling the Fetch startup Config option while scheduling Sync Archive job. To use this function select Configuration > Configuration Archive > Synchronization.
Using Version Summary
You can trigger a configuration file retrieval by clicking on the Running or Startup configuration in the Configuration Version Summary report (select Configuration > Configuration Archive > Views > Version Summary).
After a configuration file is fetched from the device, as described above, LMS submits the configuration file for archival.
Timestamps of Configuration Files
These are timestamps of a running configuration file, or the change time (in change audit), indicate the time at which LMS system archived the configuration file.
This is not the time at which the configuration actually changed on the device. If changes are detected immediately using Syslog messages, the timestamp should be very close to the actual configuration change time on the device.
Startup configurations are handled differently by LMS. Startup configs are simply saved into the system, as they are retrieved from the device (unlike running configurations, which are compared and saved in versioned archives, if different).
The timestamps of Startup Configuration files are just the archival times, and do not indicate the change time.
In the version summary reports, the Running and Startup are links, which when clicked will retrieve in real time, the respective configuration from the device. This column does not have a timestamp associated with it.
In the Out-Of-Sync report (select Configuration > Compliance > Out-of-Sync Summary), the Startup configuration column indicates the last archived startup configuration along with its timestamp, and the Running configuration column indicate the last archived running config along with its timestamp.
How Running Configuration is Archived
The workflow for archiving the Running configuration is:
1. If LMS detects an effective change, the new configuration is queued for Archival.
2. The archiver, calculates the exact effective changes, assigns a new version number for the newly collected archive, and archives it in the system.
3. The archiver, at the end, logs a change audit record that the configuration of the device has changed, along with other Audit information.
4. If you have enabled the Enable Shadow Directory option in the Archive Settings dialog box (select Admin > Collection Settings > Config > Config Archive Settings) the latest running configuration file is also stored in a raw format for manual TFTP purposes to restore the configuration on the device, in the directory location:
– On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow
– On Windows, NMSROOT /files/rme/dcma/shadow. Where NMSROOT is the directory in which LMS is installed (the default is C:\Program Files\CSCOpx)
Note Startup configurations are not ‘versioned’ and only one copy of the startup configuration of devices (which supports startup configuration), is saved in the system. No change audit records are logged for changes in the ‘Startup Configuration’ files.
LMS first compares the collected configuration file, with the latest configuration in the archive, and checks to see if there are effective configurations changes from what was previously archived.
Change Audit Logging
Config change audit records include information about, who changed (which user) the configuration, when the configuration change was identified by LMS, and other change information.
- Any configuration change made through the LMS system (example, using Config Editor or Netconfig), will have the user name of the user who scheduled the change job.
- Any configuration change that was done outside of LMS and detected through the configuration retrieval process, has the same user name as reported by the device through the CONFIG-MAN-MIB variable (ccmHistoryEventTerminalUser).
- Changes identified through syslog messages, contain the user name identified in the Syslog message, if present.
Defining the Configuration Collection Settings
The configuration archive can be updated with configuration changes in two ways:
- Periodic configuration archival (with and without configuration polling). To do this select Admin > Network > Collection Settings > Config > Config Collection Settings.
- Manual configuration archival. To do this select using Configuration > Configuration Archive > Synchronization.
You can modify how and when the configuration archive retrieves configurations by selecting one or all of the following:
The configuration archive performs a SNMP query on the device. If there are no configuration changes detected in the devices, no configuration is fetched.
The configuration is fetched without checking for any changes in the configuration.
By default, the Periodic Collection and Polling are disabled.
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
The following is the workflow for defining the configuration collection setting:
Step 1 Select Admin > Config > Config Collection Settings.
The Config Collection Settings dialog box appears.
Step 2 Select one or all of the following options:
a. Select Enable for Configuration archive to performs a SNMP query on the device to retrieve configuration.
The Config Collection Schedule dialog box appears.
c. Enter the following information:
a. Select Enable for Configuration archive to perform a periodic check on the device to retrieve configuration.
The Config Collection Schedule dialog box appears.
c. Enter the following information:
a. Check the Disable VLAN config collection check box.
The VLAN config collection will be disabled for both manual and system config collection jobs. By default the Disable VLAN Config collection checkbox is unchecked.
Step 3 Either click Apply to accept the new values provided.
Click Cancel if you want to discard the changes and revert to previously saved values.
If you had clicked Apply, a message appears:
New settings saved successfully.
You can check the status of your scheduled job by selecting Admin > Jobs > Browser.
Configuring Transport Protocols
You can set the protocol order for Configuration Management features such as Archive Management, Config Editor, and NetConfig jobs to download configurations and to fetch configurations. For NetShow and VLAN Fetch, you can set the protocol order to download configurations.
This setup allows you to use your preferred protocol order for fetching and downloading the configuration.
- Telnet
- TFTP (Trivial File Transport Protocol)
- RCP (remote copy protocol)
- SSH (Secure Shell)
- SCP (Secure Copy Protocol)
- HTTPS (Hyper Text Transfer Protocol Secured)
Requirements to Use the Supported Protocols
If the following requirements are not met, an error message appears.
|
|
|
|---|---|
Know Telnet passwords for login and Enable modes for device. If device is configured for TACACS authentication, enter Primary Username and Primary Password. |
|
Configure devices to support incoming rcp requests. To make sure the device is rcp-enabled, enter the following commands in the device configuration: # ip rcmd remote-host local_username { ip-address | host } remote_username [ enable ] where ip_address | host is the IP address/hostname of the machine where LMS is installed. The default remote_username and local_username are cwuser. For example, you can enter: # ip rcmd remote-host cwuser 123.45.678.90 cwuser enable Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server. To do this, use the command, |
|
Know the username and password for the device. If device is configured for TACACS authentication, enter the Primary Username and Primary Password. Know password for Enable modes. When you select the SSH protocol for the LMS applications (Configuration Archive, NetConfig, ConfigEditor, and NetShow) the underlying transport mechanism checks whether the device is running SSHv2. If so, it tries to connect to the device using SSHv2. If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1. If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2. If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the device that is being accessed. Some useful URLs on configuring SSHv2 are: http://www.cisco.com/warp/public/707/ssh.shtml http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/security/guide/sshd.html – – |
|
Know the SSH username and password for the device. To make sure the device is scp-enabled, enter the following commands in the device configuration. aaa authentication login default local aaa authentication enable default none aaa authorization exec default local username admin privilege 15 password 0 system ip ssh authentication-retries 4 To configure TACACS User name: aaa authentication login default group tacacs+ aaa authentication enable default none aaa authorization exec default group tacacs+ ip ssh authentication-retries 4 User on the TACACS Server should be configured with privilege level 15: |
|
Know the username and password for the device. Enter the Primary Username and Password in the Device and Credential Repository. To enable the configuration archive to gather the configurations using https protocol you must modify your device configurations: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_installation_and_configuration_guides_list.html |
The configuration archive uses Telnet/SSH to gather the module configurations of Catalyst 5000 family devices and vlan.dat file in case of Catalyst IOS switches. Make sure you enter the correct Telnet and Enable passwords.
If you enabled TACACS for a device and configured custom TACACS login and passwords prompts, you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts recognizable, you must edit the TacacsPrompts.ini file. See the procedure given in the Handling Custom Telnet Prompts.
For module configs, the passwords on the module must be same as the password on the supervisor.
This section also explains Supported Protocols for Configuration Management Applications.
Supported Protocols for Configuration Management Applications
For supported protocol at individual device-level, you can either see:
- The LMS device packages Online help. You can launch the LMS device packages Online help using Help > Device Packages.
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Defining the Protocol Order
The following is the workflow for defining the protocol order for Configuration Management applications to perform either Config fetch or Config update:
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Collection Settings > Config > Config Transport Settings.
The Config Transport Settings dialog box appears.
Step 2 Go to the first drop-down list box, select the application for which you want to define the protocol order.
Step 3 Select a protocol from the Available Protocols pane and click Add.
If you want to remove a protocol, select the protocol and click Remove.
The list of protocols that you have selected appears in the Selected Protocol Order pane. The order of protocols in the Selected Protocol Order pane can be changed using the Up and Down Buttons.
When a configuration fetch or update operation fails, an error message appears. This message displays details about the supported protocol for the particular device and it modules, if there are any.
For the list of supported protocols, see Supported Device Table for Configuration Management application on Cisco.com.
A message appears, New settings saved successfully.
Overview: Common Syslog Collector
Common Syslog Collector (CSC) is a service to receive, filter and forward syslogs to one or more Syslog Servers, thus reducing traffic on the network as well as processing load on the server.
The Common Syslog Collector can be installed on the LMS Server, or on a remote UNIX or Windows machine, to process Syslog messages. You can uninstall the Syslog Collector later if you no longer want to run it on a remote UNIX or Windows server.
Common Syslog Collector is a service that runs independently, listens for syslogs and forwards them to the registered applications after necessary filtering. This way, the parsing/filtering is taken away from the applications and each device sends only one copy of the processed, valid syslogs to the Common Syslog Collector. Although CSC runs independently, it can run either remotely or locally on the machine where an application is running.
The LMS server and the Syslog Collector exchange updates such as status, and filters.
You can configure the service to read syslogs from a specified file. This can be provided in a properties file located at:
NMSROOT /MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/
Collector.properties
NMSROOT% \MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\
Collector.properties
See the Installing and Migrating to Cisco Prime LAN Management Solution 4.2, for the complete details.
In a scenario where the devices and the CSC may run in two different time zones, the syslogs will be marked with timestamp of the CSC if they do not have a timestamp when they are received, or if the format is not correct.
The device considers day-light-saving settings appropriately while putting the timestamps. CSC supports all the time zones that LMS supports, and alternatively you can provide the time zone information. See the Installing and Migrating to Cisco Prime LAN Management Solution 4.2, for the complete details.
After the Syslog Analyzer has been registered with the Collector, it:
- Receives the filters it needs from the LMS server to filter Syslog messages.
- Sends status to the Syslog Analyzer process about the collected Syslog messages upon request from the Analyzer, including the number of messages read, number of messages filtered, and number of messages with bad syntax. It also forwards unfiltered messages to the Syslog Analyzer process.
If the Syslog Analyzer does not send any filters, then the Collector sends all the syslogs to the Analyzer without filtering.
If you restart the LMS server, Syslog Collector will lose communication to the LMS server. Based on the current filters, it continues to filter the syslogs and stores them in a local file:
NMSROOT \MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\ server name_port \DowntimeSyslogs.log
The Syslog Analyzer will automatically restore the connection after LMS server restart.
For the complete instructions on installing the Common Syslog Collector, see the Installing and Migrating to Cisco Prime LAN Management Solution 4.2.
Viewing Status and Subscribing to a Common Syslog Collector
Using the Syslog Collector Status dialog box you can:
- View the status of your Common Syslog Collector (see Viewing Common Syslog Collector Status)
- Subscribe/Unsubscribe a Common Syslog Collector (see Subscribing to a Common Syslog Collector)
- Test Syslog Collector Subscription (see Testing Syslog Collector Subscription)
- Understanding the Syslog Collector Properties File
Note View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Viewing Common Syslog Collector Status
To view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed to, follow this procedure:
Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
The Collector Status dialog box appears, with this information:
|
|
|
|---|---|
Hostname or the IP address of the host on which the Collector is installed. |
|
Number of filtered messages. Filters are defined with the option Message Filters option (Admin > Network > Notification and Action Settings > Syslog Message Filters, see Defining Syslog Message Filters.) |
|
Click to test a Syslog collector that’s already subscribed or that’s going to be subscribed. |
|
Select the Syslog collector and click Unsubscribe to unsubscribe the Syslog collector. |
If you want to refresh the information in this dialog box, click Update.
If you have restarted the LMS daemon manager, the Syslog Collector Status processes (under Admin > Network > Syslog Collection Settings) may take 6-10 minutes to come up, after the Syslog Analyze processes come up. In this interval you may see the following message:
Collector Status is currently not available.
Check if the SyslogAnalyzer process is running normally.
Wait for the Syslog Collector status process to come up and try again.
To subscribe to a Common Syslog Collector using the Subscribe button, see Subscribing to a Common Syslog Collector.
Subscribing to a Common Syslog Collector
Before you subscribe to a Common Syslog Collector, ensure these pre-requisites are met:
1. The Self-signed Certificates are valid. For example, check for the expiry date of the certificates on both the servers.
2. The Self-signed Certificates from this server are copied to the Syslog Collector server and vice-versa.
To do this, select Admin > Trust Management > Multi Server > Peer Server Certificate Setup. See Setting up Peer Server Certificate for more information.
3. The SyslogCollector process on Syslog Collector server and SyslogAnalyzer process on this server, are restarted after Step 2.
4. Both hosts are reachable by host name.
To subscribe to a Common Syslog Collector:
Step 1 Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
The Collector Status dialog box appears. For the information in the columns in the dialog box, see Viewing Common Syslog Collector Status:
The following message appears:
Self-signed Certificates from this server are copied to the Syslog Collector server and vice-versa. You can perform this operation from Admin > System Administration > Multiserver Management > Peer Server Certificate Setup screen.
2. Syslog Collector process on SyslogCollector server and SyslogAnalyzer process on this server is restarted after step 1.
3. Both hosts are reachable by host name.
The Subscribe Collector dialog box appears.
Step 3 Click OK. Enter the address of the Common Syslog Collector to which you want to subscribe to.
The Syslog Analyzer server is subscribed to the specified Common Syslog Collector.
If you are already subscribed to a Syslog collector, and you want to unsubscribe, select the collector and click the Unsubscribe button.
If you want to test the Syslog collector subscription, select the collector and click Test Collector Subscription. For more information see Testing Syslog Collector Subscription.
Testing Syslog Collector Subscription
You can test the status of the Syslog Collector that you have already subscribed or that you are going to subscribe using the Test Collector Subscription button.
Step 1 Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
Step 2 The Collector Status dialog box appears. For the information on the dialog box, see Viewing Common Syslog Collector Status.
The Test Collector Subscription Status popup window appears, displaying the following status of the Syslog collector:
- SSL certificate status—Status of the SSL Certificates. For example, SSL certificates are valid and are properly imported. For more information see Syslog Collector Subscription Messages.
- Collector status—Status of the Syslog collector. For example, Collector is up and reachable. For more information see Syslog Collector Subscription Messages.
Syslog Collector Subscription Messages
The following table provides the Syslog collector subscription status messages shown when you test the subscription of a Syslog Collector:
Understanding the Syslog Collector Properties File
After installing the Syslog Collector on a remote system, you need to check the Syslog Collector Properties file to ensure that the Collector is configured properly.
The Syslog Collector Properties file is available at this location:
$NMSROOT /MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.properties
%NMSROOT% \MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
The following table describes the Syslog Collector Properties file:
Timezone List Used By Syslog Collector
The timezone of the system where the Syslog Collector is running. In the Syslog Collector Properties file, you must enter the correct abbreviation for the timezone. See Understanding the Syslog Collector Properties File.
For the correct Timezone abbreviation, see the Timezone file in the following location:
$ NMSROOT /MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.lst
Each entry in the TimeZone.lst file represents a timezone abbreviation, and its offset from GMT. Each offset here is 10 multiplied by the actual offset. For example, the actual offset for IST is 5.5 hours, and the corresponding entry here is 55.
You must use the same method while modifying it.
The following is the timezone list used by Syslog Collector:
|
|
||||
|---|---|---|---|---|
Feedback