
Real-time Configuration Change Detection


Overview

Unauthorized configuration changes often wreak havoc on business continuity, so detecting them is a crucial task, and detection must happen in real time if things are to be set right quickly. DeviceExpert provides real-time configuration change detection; this section explains the steps required to enable it.

How does real-time change detection work?

Many devices generate syslog messages whenever their configuration undergoes a change. By listening to these messages, it is possible to detect any configuration change in the device. DeviceExpert leverages this change notification feature of devices to provide real-time change detection and tracking.

How does real-time detection benefit me?

This helps administrators keep track of the changes being made and detect any unauthorized ones. By enabling this, you can
 

How do I enable real-time change detection?

You can enable change detection for a single device or for many devices in one go. Change detection can be enabled only for devices whose credentials you have already provided.

To detect configuration changes through syslog,

    1. Go to the "Inventory" tab. Select the device or devices for which you wish to enable change detection

    2. Click the link "Enable Change Detection" available in the drop-down under "More Actions" and fill in the details

    3. In the UI that opens, select the option "Enable"

    4. Enter the syslog server IP. By default, DeviceExpert comes with an in-built syslog server and its IP is filled in the field. If you want to use the default setup, do not change the IP. If you want to make use of forwarded syslog messages, see the instructions below.

To disable configuration change detection,

If you wish to disable configuration tracking that is already enabled, proceed as follows:

 

    1. Select the device or devices for which you wish to disable change detection

    2. Click "Enable Change Detection" available in the drop-down under "More Actions".

    3. In the UI that opens, click the option "Disable" for the parameter 'Detecting Config Changes through Syslog'

 

Listening to forwarded Syslog messages

DeviceExpert detects changes in real-time through

 

  1. the syslog messages that are sent directly from the devices that undergo configuration change

  2. and the syslog messages which get forwarded from a common syslog server (compliant with RFC 3164).

 

A syslog forwarder can be configured so that a group of devices send their syslog messages to the forwarder, which in turn sends them on to DeviceExpert, instead of every device sending its syslog messages to DeviceExpert directly. Most syslog forwarder tools support options to filter messages at the forwarder, which can be used to keep the volume of forwarded messages manageable.

 

While the first case (syslog messages sent directly by the devices) needs no configuration, the second option, using forwarded messages, requires certain settings to be made in the Web GUI.

Providing Syslog forwarder IPs in DeviceExpert

You can provide the list of IPs from which syslog messages will be forwarded to DeviceExpert. The list is entered in comma-separated form as explained below:

 

  1. Go to Admin >> General Settings and click "Syslog Forwarder Settings"

  2. In the UI that opens, enter the required forwarder IP addresses in comma-separated form and click "Save"

Enabling forwarder IP for change detection

  1. Go to the "Inventory" tab. Select the device or devices for which you wish to enable change detection

  2. Click the link "Enable Change Detection" available in the drop-down under "More Actions" and fill in the details

  3. In the UI that opens, select the option "Enable"

  4. Select the forwarder IP from the drop-down.

Settings to be made in the forwarder

Once you add the required forwarder IPs in DeviceExpert, you need to configure the DeviceExpert IP and port in the forwarder and enable it to send the syslog messages to DeviceExpert.

Disabling forwarder IP for change detection

  1. Go to the "Inventory" tab. Select the device or devices for which you wish to disable change detection

  2. Click the link "Enable Change Detection" available in the drop-down under "More Actions" and fill in the details

  3. In the UI that opens, select the option "Disable"

  4. Select the forwarder IP to be disabled from the drop-down and click "Save"

 

How do I capture information on 'who changed' the configuration?

DeviceExpert captures username and IP address when someone opens a telnet console and directly carries out a configuration change to Cisco devices.
 

To capture this information, the following conditions are to be satisfied:
 

When a user accesses the device via a telnet console and carries out any changes, the username is captured under the "Changed By" column of the backed-up configuration information. The IP address of the user is recorded in the annotation column.
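The following is an added example, not DeviceExpert's own code, that shows the two mechanisms described above working together: an RFC 3164 listener that tells messages sent directly by a device apart from messages relayed by a registered syslog forwarder, and extraction of the "who changed" username and client IP from the Cisco IOS %SYS-5-CONFIG_I notification. The regular expressions, the ChangeEvent structure, the forwarder list and every sample message and address are assumptions constructed for this example; DeviceExpert's internal message formats are not documented on this page.

```python
"""
Added example (not DeviceExpert's own code): classify RFC 3164 syslog messages
arriving at a change-detection listener. A message is accepted from a device
directly or via a registered syslog forwarder; the 'who changed' details are
pulled from Cisco IOS %SYS-5-CONFIG_I messages. All sample messages and
addresses below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME <rest of message>
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Cisco IOS emits this after a configuration change. When the change came over
# a vty line the message names the user, the line and the client IP.
CONFIG_I_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+))?(?: \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?"
)


@dataclass
class ChangeEvent:
    device_host: str             # HOSTNAME field of the syslog header
    device_ip: Optional[str]     # packet source when the device sent it directly
    forwarder_ip: Optional[str]  # packet source when a registered forwarder relayed it
    changed_by: str              # value for the "Changed By" column
    from_ip: Optional[str]       # annotation: where the operator connected from


def parse_syslog(raw: str) -> Optional[Dict[str, object]]:
    """Split an RFC 3164 line into PRI (facility/severity), host and message."""
    m = SYSLOG_RE.match(raw)
    if m is None:
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": m["host"], "msg": m["msg"]}


def detect_change(sender_ip: str, raw: str,
                  forwarders: FrozenSet[str]) -> Optional[ChangeEvent]:
    """Return a ChangeEvent if `raw` is a configuration-change notification."""
    parsed = parse_syslog(raw)
    if parsed is None:
        return None
    hit = CONFIG_I_RE.search(str(parsed["msg"]))
    if hit is None:
        return None  # some other syslog message (link up/down, login, ...)
    relayed = sender_ip in forwarders
    user = hit["user"]
    # "Configured from console by console" is a local console session:
    # there is no remote client address to annotate.
    from_ip = hit["ip"] if user != "console" else None
    return ChangeEvent(
        device_host=str(parsed["host"]),
        device_ip=None if relayed else sender_ip,
        forwarder_ip=sender_ip if relayed else None,
        changed_by=user,
        from_ip=from_ip,
    )


def process_batch(packets: Iterable[Tuple[str, str]],
                  forwarders: FrozenSet[str]) -> List[ChangeEvent]:
    """Run detection over (sender_ip, raw_message) pairs, dropping non-events."""
    events: List[ChangeEvent] = []
    for sender_ip, raw in packets:
        ev = detect_change(sender_ip, raw, forwarders)
        if ev is not None:
            events.append(ev)
    return events


# Constructed sample traffic: one device speaking directly, one relayed by a
# forwarder that is registered under "Syslog Forwarder Settings".
FORWARDERS = frozenset({"10.0.0.50"})
SAMPLE_PACKETS = [
    ("10.0.0.1", "<189>Mar 10 14:05:12 core-rtr1 45: *Mar 10 14:05:11.901: "
                 "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.25)"),
    ("10.0.0.50", "<189>Mar 10 14:06:03 edge-sw2 46: "
                  "%SYS-5-CONFIG_I: Configured from console by console"),
    ("10.0.0.50", "<190>Mar 10 14:06:10 edge-sw2 47: "
                  "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up"),
]

if __name__ == "__main__":
    for event in process_batch(SAMPLE_PACKETS, FORWARDERS):
        print(event)
```

The packet source address decides how a message is attributed: a source that is in the forwarder list is a relay, so the device identity must come from the HOSTNAME field of the header rather than from the packet; anything else is treated as the device itself. That is why forwarder IPs have to be registered before forwarded messages can be used, and why a message from an unregistered relay would be misattributed to the relay's own address.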

 

Editing the 'Who Changed' Information

 

In rare cases where two users carry out configuration changes concurrently, DeviceExpert may receive only one syslog message, so the 'who changed' information will show the name of only one user even though two users made changes. To handle such a scenario, DeviceExpert allows the administrator to edit the 'who changed' information and add the name of the other user as well. To do this:

 

 

Automated Change Detection through Schedules

Configuration change tracking can also be scheduled through periodic configuration backup tasks. Configuration can be backed up automatically by adding a schedule, and the resulting configuration versions can be tracked. For more details, refer to the 'Scheduled Tasks' section.
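As an added illustration of schedule-based version tracking (example code, not DeviceExpert's own implementation), the block below fingerprints each scheduled backup, records a new version only when the configuration actually differs from the last stored version, and produces a unified diff of the changed lines. The VOLATILE_PREFIXES list, the DeviceHistory class and the three backup texts are assumptions constructed for this example; the timestamp-comment handling shows the edge case where a backup differs only in a line the device rewrites on every save, which would otherwise be reported as a change.

```python
"""
Added example (not DeviceExpert's own code): version tracking for scheduled
configuration backups. Each backup is normalised, fingerprinted and compared
with the last stored version; only a real change creates a new version, with a
unified diff of the lines that changed. The configurations are constructed.
"""
import difflib
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple

# Lines that change on every backup without the configuration itself changing.
# Leaving them in would make every scheduled backup look like a new version.
VOLATILE_PREFIXES = ("! Last configuration change at",
                     "! NVRAM config last updated at")


def normalise(text: str) -> str:
    """Drop volatile header lines so the fingerprint covers only real content."""
    return "".join(line for line in text.splitlines(keepends=True)
                   if not line.startswith(VOLATILE_PREFIXES))


@dataclass
class ConfigVersion:
    number: int
    sha256: str
    text: str


@dataclass
class DeviceHistory:
    device: str
    versions: List[ConfigVersion] = field(default_factory=list)

    def record_backup(self, raw_config: str) -> Tuple[bool, str]:
        """Store a backup as a new version only if it differs from the last one.

        Returns (changed, unified_diff); the diff is empty for the first version.
        """
        text = normalise(raw_config)
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        if self.versions and self.versions[-1].sha256 == digest:
            return False, ""
        diff = ""
        if self.versions:
            prev = self.versions[-1]
            diff = "".join(difflib.unified_diff(
                prev.text.splitlines(keepends=True),
                text.splitlines(keepends=True),
                fromfile=f"{self.device} v{prev.number}",
                tofile=f"{self.device} v{prev.number + 1}"))
        self.versions.append(ConfigVersion(len(self.versions) + 1, digest, text))
        return True, diff


# Constructed backups of one device taken by three consecutive scheduled runs.
BACKUP_1 = (
    "! Last configuration change at 09:00:00 UTC Mon Mar 10 2007\n"
    "hostname core-rtr1\n"
    "line vty 0 4\n"
    " transport input telnet\n"
)
BACKUP_2 = (
    "! Last configuration change at 10:00:00 UTC Mon Mar 10 2007\n"
    "hostname core-rtr1\n"
    "line vty 0 4\n"
    " access-class 10 in\n"
    " transport input telnet\n"
)
# Third run: the device rewrote only the timestamp comment, nothing else.
BACKUP_3 = BACKUP_2.replace("10:00:00", "11:00:00")


def run_schedule() -> Tuple[DeviceHistory, List[Tuple[bool, str]]]:
    """Feed the three backups through the history and collect each outcome."""
    history = DeviceHistory("core-rtr1")
    results = [history.record_backup(b) for b in (BACKUP_1, BACKUP_2, BACKUP_3)]
    return history, results


if __name__ == "__main__":
    _, outcomes = run_schedule()
    for changed, diff in outcomes:
        print("new version" if changed else "unchanged")
        print(diff, end="")
```

The second run creates version 2 and reports the added access-class line; the third run is recognised as unchanged even though the raw text differs, because only the volatile timestamp comment moved.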

Troubleshooting Tips

 

Important Note

 

You may sometimes notice the following message in Syslog Configuration for Change Detection:

 

Device(s) not supporting Configuration Detection through Syslog

<device1>, <device2>, <device 3>

 

This message is displayed in any of the following scenarios:

 

  • Device does not generate syslog messages; so syslog-based change detection is not possible

  • Device generates syslog messages for configuration change events but DeviceExpert has not yet added change detection support for this device. If this is the case, contact support@deviceexpert.com

  • In the case of Cisco IOS routers and switches, if SNMP protocol is used for communicating with the device, auto configuration for "syslog based change detection" is not supported. In such a case, you need to manually configure the router/switch to forward syslog messages to the DeviceExpert syslog server. Change Detection will then be enabled. Alternatively, you can choose Telnet as the protocol for communication

 


© 2005-2007, ZOHO Corp. All Rights Reserved.