Your Cisco devices don’t automatically log someone getting into your network and changing your Cisco router and switch configurations. But with a few simple commands, you can configure your Cisco routers and switches to monitor and log configuration changes when they occur. You can set this up on the routers and switches themselves, as well as on your network appliances, such as a LEM appliance. Enabling configuration change monitoring and logging on your Cisco routers and switches lets you know if unauthorized configuration changes occur on your network.


By configuring your Cisco devices to monitor and log changes, you’re telling the devices to log every command that changes the router’s or switch’s configuration. (Show commands, for example, are not logged, because they don’t change the router’s configuration.)

Perform the following steps to enable configuration change monitoring on Cisco devices:

  1. Access the Cisco device via SSH.
  2. Configure the Cisco device for syslogging to your appliance. See the SolarWinds knowledgebase article Configuring Cisco IOS Routers and Switches to Syslog to Your LEM Appliance for instructions on setting up the device to log to your LEM appliance.
  3. Configure the Cisco device to monitor configuration changes using the following commands:
    • enable
      Enters Privilege-Exec mode on the router. Some routers put you in Privilege-Exec mode by default. You can tell you are in this mode when there is a # after the router name. For example: routername# instead of routername>


    • configure terminal
      Enters Global Configuration Mode. You must enter this mode to make any changes to a router or a switch.


    • archive
      Enters the archive configuration sub-mode.


    • log config
      Goes into the logging configuration sub-mode. This is where you specify the logging options for the running configuration.


    • logging enable
      Enables logging for the running configuration.


    • logging size
      Specifies how many logs to keep on the local system. For example, the command logging size 200 keeps 200 logs on the Cisco device itself, in addition to sending those logs wherever you tell it to.


    • hidekeys
      Enables more secure logging by making sure passwords are not sent in the clear.


    • notify syslog
      Sends each logged configuration change to syslog.


    • end
      Sends you back to the Privilege-Exec mode.
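
Once the device forwards its configuration log to syslog, each logged command arrives as a %PARSER-5-CFGLOG_LOGGEDCMD message. The following Python check is an added example, not part of the original article or any SolarWinds code: it shows how a log collector could flag changes made by unexpected accounts or touching sensitive commands. The user names, addresses, sensitive-command list and sample lines are constructed assumptions.

```python
import re

# Syslog message IOS emits for each logged configuration command. The header
# in front of it (timestamp, host, sequence number) depends on the collector.
CFGLOG = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Assumption: accounts expected to change configuration (hypothetical name).
AUTHORIZED_USERS = {"netadmin"}
# Assumption: command prefixes to review even when an authorized user runs them.
SENSITIVE_PREFIXES = ("no logging", "no archive", "username ", "enable secret")

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = """\
Mar  3 09:14:40 10.1.1.1 99: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:interface GigabitEthernet0/1
Mar  3 09:14:52 10.1.1.1 100: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:description uplink to core
Mar  3 09:15:02 10.1.1.1 101: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.1.1.50)
Mar  3 23:41:10 10.1.1.1 102: %PARSER-5-CFGLOG_LOGGEDCMD: User:tempuser  logged command:ip route 0.0.0.0 0.0.0.0 10.9.9.9
Mar  3 23:41:30 10.1.1.1 103: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:no logging enable
"""

def parse_line(line):
    """Return (user, command) for a config-change message, else None."""
    match = CFGLOG.search(line.rstrip())
    if match is None:
        return None
    return match.group("user"), match.group("cmd").strip()

def review(lines):
    """Return (user, command, reason) for every change that needs a look."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a configuration-change message
        user, cmd = parsed
        if user not in AUTHORIZED_USERS:
            findings.append((user, cmd, "unauthorized user"))
        elif cmd.startswith(SENSITIVE_PREFIXES):
            findings.append((user, cmd, "sensitive command"))
    return findings

if __name__ == "__main__":
    for user, cmd, reason in review(SAMPLE_LOG.splitlines()):
        print(f"{reason}: {user} ran '{cmd}'")
```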