[rancid] Re: Who made changes?

Mahaffey, Brian bmahaffey at pelco.com
Wed Apr 1 22:00:53 UTC 2009


We utilize Rancid to do backups once per night.  Our NOC is pretty
good at not changing configurations, but I understand the need.  You can
modify the cron jobs to run every 1-5 minutes.  We utilize Cisco ACS for
AAA and, with accounting enabled on the switch/router/firewall etc., see
every command from the reporting in ACS.  We also configure archive
configuration logging, which sends the commands typed to syslog and the
log buffer, so that if you have to troubleshoot you can go step by step
back to fix the problem.  As for passwords, we utilize user accounts and,
as people leave, we disable their user account, depending on the type of
device.

Example Cisco config for syslog:

archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
 path disk0:/backup.cfg
 maximum 14
!
logging 10.10.10.10
!

(I think the "maximum 14" line triggers a backup on the configuration
change or a "wr mem" to the disk0:/backup.cfg.)

sh log
000282: Mar 13 11:07:06.621 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Brian  logged command:vlan 551
000283: Mar 13 11:07:09.853 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Rod  logged command:name B6-EAC
000284: Mar 13 11:07:11.505 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:John  logged command:exit

The same messages populate our syslog server.

Not sure if this will help you.  
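To turn the syslog copy of those %PARSER-5-CFGLOG_LOGGEDCMD messages into an answer to the thread's question ("who made the changes?"), here is an added Python example; it is not code from Brian's post, from Pelco, or from rancid itself. It parses the CFGLOG lines from a syslog file and reports, per device, which user typed which commands between two rancid runs, and separately which user rancid's diff would usually be blamed on (the last one to type a command). The leading device name on each syslog line, the year (IOS timestamps carry none), the rancid schedule, and the sample lines, which reproduce K K's Paul-at-noon / Peter-at-4PM scenario, are all constructed assumptions.

```python
"""Attribute the changes in one rancid diff to the operators who typed them.

Added example (not from the post or from rancid): it parses the IOS
%PARSER-5-CFGLOG_LOGGEDCMD messages that "archive / log config / notify
syslog" sends to the syslog server and groups the commands typed on each
device between two rancid runs by user.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed syslog-server line layout: "<device> <seq>: <IOS timestamp> <tz>: <message>".
# The message part is the format the post shows; the leading device name is an
# assumption about how the collector stores it.
CFGLOG_RE = re.compile(
    r"^(?P<device>\S+)\s+\d+:\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?)\s+\S+:\s+"
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s+User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Constructed sample: Paul changes a description at noon, Peter adds a VLAN at
# 16:00 and also touches a second device; the %SYS-5-CONFIG_I line is there to
# show that unrelated syslog messages are skipped.
SAMPLE_SYSLOG = """\
core-rtr1 000101: Mar 31 12:00:14.203 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Paul  logged command:interface GigabitEthernet0/1
core-rtr1 000102: Mar 31 12:00:19.880 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Paul  logged command:description uplink to dist-sw2
core-rtr1 000103: Mar 31 12:00:25.017 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Paul  logged command:exit
core-rtr1 000104: Mar 31 12:00:31.442 PDT: %SYS-5-CONFIG_I: Configured from console by Paul on vty0 (10.10.20.5)
core-rtr1 000105: Mar 31 16:02:03.115 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Peter  logged command:vlan 551
core-rtr1 000106: Mar 31 16:02:07.901 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Peter  logged command:name B6-EAC
core-rtr1 000107: Mar 31 16:02:09.550 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Peter  logged command:exit
dist-sw2 000330: Mar 31 16:45:12.004 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Peter  logged command:ip route 0.0.0.0 0.0.0.0 10.10.0.1
"""


def parse_cfglog(lines, year):
    """Return (device, time, user, command) tuples for every CFGLOG line.

    IOS timestamps carry no year, so the caller supplies it.  Lines that are
    not CFGLOG messages (other facilities, truncated lines) are skipped.
    """
    events = []
    for line in lines:
        m = CFGLOG_RE.match(line.strip())
        if not m:
            continue
        ts = m.group("ts")
        fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
        when = datetime.strptime(f"{year} {ts}", fmt)
        events.append((m.group("device"), when, m.group("user"), m.group("cmd").strip()))
    return events


def who_changed_what(events, since, until):
    """Commands typed on each device in (since, until], grouped by user, in the
    order typed.  `since` is the previous rancid run, `until` the run that
    produced the diff being investigated."""
    report = defaultdict(lambda: defaultdict(list))
    for device, when, user, cmd in sorted(events, key=lambda e: e[1]):
        if since < when <= until:
            report[device][user].append(cmd)
    return {device: dict(users) for device, users in report.items()}


def last_editor(events, device, until):
    """The operator a rancid diff is usually blamed on: whoever typed the last
    logged command on the device before the run.  Compare with who_changed_what()."""
    before = [e for e in events if e[0] == device and e[1] <= until]
    return max(before, key=lambda e: e[1])[2] if before else None


# Rancid ran at 06:00 and again at 18:00 on 2009-03-31 (constructed schedule).
PREV_RUN = datetime(2009, 3, 31, 6, 0)
THIS_RUN = datetime(2009, 3, 31, 18, 0)
EVENTS = parse_cfglog(SAMPLE_SYSLOG.splitlines(), 2009)
REPORT = who_changed_what(EVENTS, PREV_RUN, THIS_RUN)

if __name__ == "__main__":
    for device, users in sorted(REPORT.items()):
        print(f"{device}: last editor before the run was {last_editor(EVENTS, device, THIS_RUN)}")
        for user, cmds in users.items():
            for cmd in cmds:
                print(f"  {user:8} {cmd}")
```

Two practical caveats when running this against a real collector: the timestamps come from the device's own clock, so the devices need NTP and "service timestamps log datetime msec" for the window comparison to mean anything, and the "hidekeys" line in the archive config above is what keeps passwords typed in "username" or "enable secret" commands out of the syslog copy, so leave it in.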
-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Geert Jan de
Groot
Sent: Wednesday, April 01, 2009 2:42 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Re: Who made changes?

On Tue, 31 Mar 2009 13:07:47 -0500  K K wrote:
> > There is only one thing I want to know: is it possible to show who
> > made the changes in telnet?
> If Paul makes one change at noon, then Peter logs in at 4PM and makes
> two more, and then Rancid finally runs at 6PM, you'll get one change
> email, showing the sum of all changes and (usually) showing that Peter
> was the last one to make a change.

At the place where I hope to implement rancid (restrictions are
political, not technical, as usual), the network is set up
in such a way that operators do not have passwords of the devices
they manage. They log in (with their own password) in a subsystem
which, if allowed, will log in the operator automatically.

The advantage is that if people leave the company, they don't know any
passwords and no passwords need to be changed.

Current line of thought is to have the logout event trigger a rancid run
on the device people just logged into.

Just another thought,

Geert Jan

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
