Unauthorized configuration changes often wreak havoc on business continuity, so detecting changes is a crucial task. Detection should happen in real time so that things can be set right. Network Configuration Manager provides real-time configuration change detection, and this section explains the steps for enabling it.
Learn how real-time change detection in Network Configuration Manager helps you keep track of all changes.
Many devices generate syslog messages whenever their configuration undergoes a change. By listening to these messages, it is possible to detect any configuration change in the device. Network Configuration Manager leverages this change notification feature of devices to provide real-time change detection and tracking.
This comes in handy for administrators to keep track of the changes being made and to detect any unauthorized changes. By enabling this, you can
You can enable change detection for a single device or for many devices at one go. Change detection can be enabled only for those devices for which you have provided the device credentials.
Go to the "Inventory" tab. Select the device or devices for which you wish to enable change detection.
Click the link "Enable Change Detection" available in the drop-down under "More Actions" and fill in the details.
In the UI that opens, select the option "Enable"
Enter the syslog server IP. By default, Network Configuration Manager comes with a built-in syslog server, and its IP is pre-filled in the field. If you want to use the default setup, do not change the IP. If you want to make use of forwarded syslog messages, see the instructions below.
If you wish to disable configuration tracking that is already enabled, you can do so as follows:
Select the device or devices for which you wish to disable change detection
Click "Enable Change Detection" available in the drop-down under "More Actions".
In the UI that opens, click the option "Disable" for the parameter 'Detecting Config Changes through Syslog'
Network Configuration Manager detects changes in real time through
the syslog messages that are sent directly from the devices that undergo configuration change
and the syslog messages that are forwarded from a common syslog server (complying with RFC 3164).
A syslog forwarder can be configured so that a group of devices sends syslog messages to the forwarder, which in turn sends them to Network Configuration Manager, instead of every device sending its syslog messages to Network Configuration Manager directly. Most syslog forwarder tools support options to filter messages at the forwarder level, which can be used to manage the large volume of messages exchanged.
While the first case (syslog messages sent by the devices) does not need any configuration to be made, the second option to use forwarded messages requires certain configuration to be done in the Web GUI.
You can provide the list of IPs from which syslog messages will be forwarded to Network Configuration Manager. The list can be entered in comma-separated form as explained below:
Go to "Settings">>"Global Settings">>"Third Party Syslog Server"
In the UI that opens, enter the required forwarder IP addresses in comma-separated form and click "Save".
Go to the "Inventory" tab. Select the device or devices for which you wish to enable change detection.
Click the link "Enable Change Detection" available in the drop-down under "More Actions" and fill in the details.
In the UI that opens, select the option "Enable"
Select the forwarder IP from the drop-down.
Once you add the required forwarder IPs in Network Configuration Manager, you need to configure the Network Configuration Manager IP and port in the forwarder and enable it to send the syslog messages to Network Configuration Manager.
Go to the "Inventory" tab. Select the device or devices for which you wish to disable change detection.
Click the link "Enable Change Detection" available in the drop-down under "More Actions" and fill in the details.
In the UI that opens, select the option "Disable"
Select the forwarder IP to be disabled from the drop-down and click "Save"
Network Configuration Manager captures username and IP address when someone opens a telnet console and directly carries out a configuration change to Cisco devices.
To capture this information, the following conditions are to be satisfied:
Login name should be enabled for Cisco switches and routers, and
syslog-based change detection has to be enabled (or) information on who changed the configuration should be present in the configuration header.
When a user accesses the device via a telnet console and carries out any changes, the username will be captured under the "Changed By" column of the backed-up configuration information. The IP address of the user will be printed in the annotation column.
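The sketch below is an added example, not Network Configuration Manager's own code. It shows how a listener can turn a syslog datagram into a "who changed" record while accepting messages only from managed devices or from listed forwarders. The Cisco `%SYS-5-CONFIG_I` message layout, the function and class names, and the sample datagrams are assumptions of this example; the addresses are constructed from documentation ranges.

```python
import re
from typing import NamedTuple, Optional

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} "
                     r"(?P<host>\S+) (?P<msg>.*)$", re.S)
# Cisco IOS change notice; the message layout is an assumption of this example.
CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+)"
                      r"(?: on \S+)?(?: \((?P<ip>[0-9A-Fa-f.:]+)\))?")

class ChangeEvent(NamedTuple):
    device: str                 # device whose configuration changed
    changed_by: str             # login name reported by the device
    user_ip: Optional[str]      # address the user connected from, if reported
    relayed_via: Optional[str]  # forwarder IP, or None when sent directly

def detect_change(sender_ip, payload, devices, forwarders):
    """Map one syslog datagram to a ChangeEvent, or None if it is ignored."""
    text = payload.decode("ascii", "replace").strip()
    if sender_ip in devices:
        device, relay, msg = sender_ip, None, text   # sent by the device itself
    elif sender_ip in forwarders:
        hdr = RFC3164.match(text)    # a relay must supply an RFC 3164 header
        if hdr is None or hdr["host"] not in devices:
            return None              # malformed, or about an unmanaged device
        device, relay, msg = hdr["host"], sender_ip, hdr["msg"]
    else:
        return None                  # neither a device nor a listed forwarder
    hit = CONFIG_I.search(msg)
    if hit is None:
        return None                  # some other syslog event
    return ChangeEvent(device, hit["user"], hit["ip"], relay)

# Constructed sample data (documentation address ranges, not real hosts).
DEVICES = {"198.51.100.7"}           # devices with change detection enabled
FORWARDERS = {"203.0.113.10"}        # IPs listed as third-party syslog servers
DIRECT = (b"<189>45: *Mar  1 00:10:05.123: %SYS-5-CONFIG_I: "
          b"Configured from console by alice on vty0 (192.0.2.50)")
RELAYED = (b"<189>Mar  1 00:10:06 198.51.100.7 46: %SYS-5-CONFIG_I: "
           b"Configured from console by bob on vty1 (192.0.2.51)")

if __name__ == "__main__":
    for src, pkt in [("198.51.100.7", DIRECT), ("203.0.113.10", RELAYED),
                     ("192.0.2.99", RELAYED)]:   # last sender is not listed
        print(src, detect_change(src, pkt, DEVICES, FORWARDERS))
```

For a forwarded message the UDP source is the forwarder, so the originating device is taken from the HOSTNAME field of the RFC 3164 header; a datagram from any other source is dropped rather than recorded as a change.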
Editing the 'Who Changed' Information
In rare conditions where two users concurrently carry out configuration changes, it is quite likely that Network Configuration Manager would receive only one syslog message, and the 'who changed' information would show the name of only one user even though the changes were made by two. To handle such a scenario, Network Configuration Manager allows the administrator to edit the 'who changed' information and add the name of the other user as well. To do this:
Go to the "Inventory" tab and click the required host name to enter the 'Device Details' page
Go to "Device Configuration" section and click the desired configuration (Running/Startup)
Select the required configuration version
Click the link "Edit ChangedBy" available in the drop-down under "Actions"
In the UI that opens, enter the other name in comma-separated form and click "Save".
Configuration change tracking can be scheduled through periodic configuration backup tasks. Configuration can be automatically backed up by adding a schedule, and configuration versions can be tracked. For more details, refer to the 'Scheduled Tasks' section.
You may sometimes notice the following message in Syslog Configuration for Change Detection: "Device(s) not supporting Configuration Detection through Syslog <device1>, <device2>, <device 3>". This message is displayed in any of the following scenarios: