Real-time Configuration Change Detection


Overview

Unauthorized configuration changes often wreak havoc on business continuity, so detecting them is a crucial task, and detection has to be real-time if things are to be set right quickly. Network Configuration Manager provides real-time configuration change detection, and this section explains the steps for enabling it.

Learn how real-time change detection in Network Configuration Manager helps you keep track of all changes.

How does real-time change detection work?

Many devices generate syslog messages whenever their configuration undergoes a change. By listening to these messages, it is possible to detect any configuration change in the device. Network Configuration Manager leverages this change notification feature of devices to provide real-time change detection and tracking.

 

How does real-time detection benefit me?

This comes in handy for administrators to keep track of the changes being made and to detect any unauthorized changes. By enabling this, you can

  1. Capture configuration as and when changes happen
  2. Get real-time notifications on change detection
  3. Find information on who carried out the change and from where (the IP address)
  4. Detect unauthorized changes in real time

 

How do I enable real-time change detection?

You can enable change detection for a single device or for many devices at one go. Change detection can be enabled only for those devices for which you have provided the device credentials.

To detect configuration changes through syslog,

  1. Go to the "Inventory" tab. Select the device or devices for which you wish to enable change detection

  2. Click the link "Enable Change Detection" available in the drop-down under "More Actions" and fill in the details

  3. In the UI that opens, select the option "Enable"

  4. Enter the syslog server IP. By default, Network Configuration Manager comes with an in-built syslog server and its IP is filled in the field. If you want to use the default setup, do not change the IP. If you want to make use of forwarded syslog messages, see the instructions below.

To disable configuration change detection,

If you wish to disable configuration tracking that is already enabled, you can do so as follows:

  1. Select the device or devices for which you wish to disable change detection

  2. Click "Enable Change Detection" available in the drop-down under "More Actions".

  3. In the UI that opens, click the option "Disable" for the parameter 'Detecting Config Changes through Syslog'

 

Listening to forwarded Syslog messages

Network Configuration Manager detects changes in real-time through

  1. the syslog messages that are sent directly from the devices that undergo configuration change

  2. the syslog messages that are forwarded from a common syslog server (compliant with RFC 3164).


A syslog forwarder can be configured so that a group of devices send their syslog messages to the forwarder, which in turn sends those messages on to Network Configuration Manager, instead of every device sending its syslog messages to Network Configuration Manager directly. Most syslog forwarder tools support filtering options at the forwarder level, which can be used to keep the volume of messages forwarded under control.


While the first case (syslog messages sent directly by the devices) does not need any configuration, the second option (using forwarded messages) requires certain settings to be made in the Web GUI.

 

Providing Syslog forwarder IPs in Network Configuration Manager

You can provide the list of IPs from where the syslog messages will be forwarded to Network Configuration Manager. The list can be entered in comma separated form as explained below:

  1. Go to "Settings">>"Global Settings">>"Third Party Syslog Server"

  2. In the UI that opens, enter the required forwarder IP addresses in comma separated form and click "Save"

Enabling forwarder IP for change detection

  1. Go to the "Inventory" tab. Select the device or devices for which you wish to enable change detection

  2. Click the link "Enable Change Detection" available in the drop-down under "More Actions" and fill in the details

  3. In the UI that opens, select the option "Enable"

  4. Select the forwarder IP from the drop-down.

 

Settings to be made in the forwarder

Once you add the required forwarder IPs in Network Configuration Manager, you need to configure the Network Configuration Manager IP and port in the forwarder and enable it to send the syslog messages to Network Configuration Manager.

 

Disabling forwarder IP for change detection

  1. Go to the "Inventory" tab. Select the device or devices for which you wish to disable change detection

  2. Click the link "Enable Change Detection" available in the drop-down under "More Actions" and fill in the details

  3. In the UI that opens, select the option "Disable"

  4. Select the forwarder IP to be disabled from the drop-down and click "Save"

 

How do I capture information on 'who changed' the configuration?

Network Configuration Manager captures username and IP address when someone opens a telnet console and directly carries out a configuration change to Cisco devices.

To capture this information, the following conditions are to be satisfied:

  • Login name should be enabled for Cisco switches and routers, and

  • syslog-based change detection has to be enabled, or information on who changed the configuration should be present in the configuration header

When a user accesses the device via a telnet console and carries out any changes, the username will be captured under the "Changed By" column of the backed-up configuration information. The IP address of the user will be printed in the annotation column.
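As an added illustration (not part of this document or of the product's own code) of how the syslog-based detection described above and the 'who changed' capture fit together: the example parses an RFC 3164 datagram, accepts it only when it arrives from an inventoried device or from a configured forwarder IP, and extracts the user and source address from the Cisco IOS configuration-change message. Device names, addresses and the inventory/forwarder lists are constructed values, and the exact message text the product matches on is an assumption.

```python
import re
from ipaddress import ip_address

# Constructed samples (hosts, users and addresses are made up). %SYS-5-CONFIG_I
# is the IOS message emitted when the running configuration is changed.
DIRECT_MSG = ("<189>Mar  4 10:15:22 core-sw1 42: %SYS-5-CONFIG_I: "
              "Configured from console by admin on vty0 (10.0.0.5)")
FORWARDED_MSG = ("<189>Mar  4 10:16:03 edge-r1 17: %SYS-5-CONFIG_I: "
                 "Configured from console by console")

KNOWN_DEVICES = {"192.0.2.1": "core-sw1", "192.0.2.2": "edge-r1"}  # assumed inventory
FORWARDER_IPS = {"198.51.100.10"}  # assumed "Third Party Syslog Server" list

PRI_RE = re.compile(r"^<(\d{1,3})>")
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<src>\S+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+))?(?: \((?P<ip>[0-9.]+)\))?")

def parse_rfc3164(msg):
    """Split an RFC 3164 datagram into (facility, severity, hostname, body)."""
    m = PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:
        return None
    pri, rest = int(m.group(1)), msg[m.end():]
    # TIMESTAMP is exactly "Mmm dd hh:mm:ss" (15 chars) followed by a space
    if len(rest) < 17 or rest[15] != " ":
        return None
    hostname, _, body = rest[16:].partition(" ")
    return pri // 8, pri % 8, hostname, body

def detect_change(msg, peer_ip):
    """Return a change record for an accepted config-change message, else None.
    Only messages from an inventoried device (direct) or from a configured
    forwarder are trusted; anything else is dropped as an unexpected sender."""
    peer = str(ip_address(peer_ip))
    via_forwarder = peer in FORWARDER_IPS
    parsed = parse_rfc3164(msg)
    if parsed is None:
        return None
    facility, severity, hostname, body = parsed
    if via_forwarder:
        if hostname not in KNOWN_DEVICES.values():
            return None      # forwarded message about a device we do not manage
    elif KNOWN_DEVICES.get(peer) != hostname:
        return None          # direct message whose sender does not match inventory
    m = CONFIG_RE.search(body)
    if not m:
        return None          # some other syslog message, not a config change
    return {"device": hostname, "changed_by": m["user"], "from_ip": m["ip"],
            "line": m["line"], "severity": severity, "via_forwarder": via_forwarder}
```

A message whose sender is neither an inventoried device nor a listed forwarder is dropped rather than recorded, which is the check a practitioner would want before trusting a 'who changed' value that is written into the change history.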

 

Editing the 'Who Changed' Information

In rare cases where two users concurrently carry out configuration changes, it is quite likely that Network Configuration Manager receives only one syslog message, so the 'who changed' field shows the name of only one user even though the changes were made by two. To handle such a scenario, Network Configuration Manager allows the administrator to edit the 'who changed' information and add the name of the other user as well. To do this:

  1. Go to the "Inventory" tab and click the required host name to enter the 'Device Details' page

  2. Go to "Device Configuration" section and click the desired configuration (Running/Startup)

  3. Select the required configuration version

  4. Click the link "Edit ChangedBy" available in the drop-down under "Actions"

  5. In the UI that opens, enter the other name in comma separated form and click "Save"

 

Automated Change Detection through Schedules

Configuration change tracking can also be scheduled through periodic configuration backup tasks. Configurations can be backed up automatically by adding a schedule, and the resulting configuration versions can then be tracked. For more details, refer to the 'Scheduled Tasks' section.

 

Troubleshooting Tips

 

Important Note

You may sometimes notice the following message in Syslog Configuration for Change Detection:

Device(s) not supporting Configuration Detection through Syslog

<device1>, <device2>, <device 3>

This message is displayed in any of the following scenarios:

  • Device does not generate syslog messages; so syslog-based change detection is not possible

  • Device generates syslog messages for configuration change events but Network Configuration Manager has not yet added change detection support for this device. If this is the case, contact ncm-support@manageengine.com

  • In the case of Cisco IOS routers and switches, if SNMP protocol is used for communicating with the device, auto configuration for "syslog based change detection" is not supported. In such a case, you need to manually configure the router/switch to forward syslog messages to the Network Configuration Manager syslog server. Change Detection will then be enabled. Alternatively, you can choose Telnet as the protocol for communication
