Configure real-time change detection: an example
The Troubleshoot a network issue caused by a network config change section provides an example scenario of a system administrator resolving an alert caused by a config change. If the system administrator had enabled real-time change detection (RTCD), the config change could have been viewed and resolved before the alert was sent. Real-time change detection provides instant notification through email whenever a change occurs to any of your device configurations.
The notification provides log information you can use to quickly determine if a configuration change is the cause of a network problem. This access to real-time visibility of your network helps you improve your network security, prevent unexpected downtime or delays, and resolve known errors faster.
Unlike the Config Change Report, changes are detected only on the same configuration type. For example, if you download a startup configuration, make changes, and then upload it as a running configuration, the changes are compared against the previous running configuration. A comparison is not made between running and startup configuration types.
The following sections walk you through an example of setting up real-time change detection. This example provides configuration steps for:
- Cisco IOS devices
- Orion Log Viewer (OLV) as the syslog server
For information about setting up real-time change detection with other syslog servers or device types, see the NCM Administrator Guide topic Configure real-time change detection in NCM.
Task 1: Configure a Cisco device to send syslog messages
The following example shows how to use a config change template to enable Cisco IOS devices to send syslog messages to the Orion server.
For the purposes of RTCD, SolarWinds recommends configuring Cisco devices to send syslog messages, not trap messages. Cisco devices send trap messages when a user enters config mode, but not when the user exits. RTCD requires that a message be sent when the user exits config mode.
- Click My Dashboards > Network Configuration > Config Change Templates.
Select Enable Syslog - Cisco IOS, and click Define Variables & Run.
Select the device on which you want to enable syslog, and click Next.
Enter the IP address of the Orion server, and select a Severity level.
You can choose any logging severity value.
- Click Next.
- After the system generates the script, you can expand any node to examine the commands. Then click Execute.
Task 2: Enable the RTCD rule in the Orion Log Viewer
In this example, Orion Log Viewer (OLV) is used to listen for syslog messages. OLV includes default rules for Cisco ASA and Cisco IOS devices. When OLV receives a syslog message indicating that a config on a Cisco ASA or Cisco IOS device has changed, the rule runs a program to compare the device's current config with the previously backed-up config. Then it sends an email to notify you of the changes so that you can quickly identify unauthorized changes or misconfigurations.
By default, these rules are not enabled. Complete the following steps to enable them.
If you are using a different syslog server, or you need to configure rules for other device types, see Configure real-time change detection in NCM.
- In the Orion Web Console, click My Dashboard > Logs > Log Viewer.
- In the upper-right corner, click Configure Rules.
Under Processing Policies, expand Syslog. Then click NCM Rule: Realtime Change Notifications.
Descriptions of the default RTCD rules are displayed.
To take action when configs are changed on Cisco IOS devices such as the Tex-3750.aus.lab router, select the Cisco IOS Realtime Change Notifications rule. Optionally, you can also select the Cisco ASA Realtime Change Notifications rule.
- Click Enable Rule.
Task 3: Configure NCM for real-time change detection
After you configure a Cisco device to send syslog messages and enable the rule that is triggered when a config changes, configure SolarWinds NCM for real-time change detection.
- Click Settings > All Settings.
Under Product Specific Settings, click NCM Settings.
Under Real-Time Change Detection, click Configure Real-Time Change Detection.
Enter the log in credentials that syslog will use to access devices:
Click Config Changes.
- On the Config Change page, select Enable these account credentials.
- Enter the account credentials for the devices on which you want to receive real-time change detection emails.
Use the Config Download and Notifications page to select the config type to monitor for change, and specify who gets notified when a change is made:
On the Real-Time Change Detection page, click Config Downloads and Notifications Settings.
In the Monitor this file type field, select Running or Startup.
Under Baseline Config File, select whether you want to compare the changed config against the latest downloaded config or the baseline config.
- Select email notification options, and click Submit.
Use the SMTP Server page to enter the credentials for an SMTP server used for config change approvals, real-time change detection, and running jobs:
On the Real-Time Change Detection page, click NCM SMTP Server.
Enter the email server address and credentials, and click Submit.
On the Real-Time Change Detection page, click Enable and then click Submit.
The real-time change detection page lists the required steps to configure real-time change detection. We have already completed the first two steps, so you can begin at step 3.