Your Cisco devices don’t automatically log someone getting into your network and changing your Cisco router and switch configurations. But with a few simple commands, you can configure your Cisco routers and switches to monitor and log configuration changes when they occur. You can set this up on the routers and switches themselves, as well as on your network appliances, such as a LEM appliance. Enabling configuration change monitoring and logging on your Cisco routers and switches lets you know if unauthorized configuration changes occur on your network.
By configuring your Cisco devices to monitor and log changes, you’re telling the devices to log every command that changes the router’s or switch’s configuration. (Show commands, for example, are not logged, because they don’t change the router’s configuration.)
Perform the following steps to enable configuration change monitoring on Cisco devices:
- Access the Cisco device via SSH.
- Configure the Cisco device for syslogging to your appliance. See the SolarWinds knowledgebase article Configuring Cisco IOS Routers and Switches to Syslog to Your LEM Appliance for instructions on setting up the device to log to your LEM appliance.
- Configure the Cisco device to monitor configuration changes using the following commands:
- enable
Enters Privilege-Exec mode on the router. Some routers put you in Privilege-Exec mode by default. You are in this mode if a # follows the router name, for example routername# instead of routername>
- configure terminal
Enters Global Configuration Mode. You must enter this mode to make any changes to a router or a switch.
- archive
Enters the archive configuration sub-mode.
- log config
Goes into the logging configuration sub-mode. This is where you specify the logging options for the running configuration.
- logging enable
Enables logging for the running configuration.
- logging size
Specifies how many logs to keep on the local system. For example, the command logging size 200 keeps 200 logs on the Cisco device itself and also sends those logs where you tell it to.
- hidekeys
Enables more secure logging by making sure passwords are not sent in the clear.
- notify syslog
Sends the logged configuration changes to syslog.
- end
Sends you back to the Privilege-Exec mode.
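Once the device is forwarding its configuration log, the receiving side can review each logged command. The following is an added example, not part of the original article or any SolarWinds or Cisco code: it parses the `%PARSER-5-CFGLOG_LOGGEDCMD` syslog messages, flags changes made by accounts outside an allowlist, and flags credentials that arrive unmasked (a sign that hidekeys is missing on a device). The message layout, the asterisk masking, the account names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed shape of the syslog message IOS emits per logged configuration command.
CFGLOG = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s+User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)
# Credential-bearing commands; an optional encryption-type digit precedes the value.
SECRET = re.compile(r"\b(?:password|secret)\s+(?:\d+\s+)?(?P<val>\S+)", re.I)

AUTHORIZED = {"netadmin"}  # hypothetical allowlist of change-approved accounts

# Constructed sample syslog lines (not captured from a real device).
SAMPLE = [
    "Jun  3 10:15:01 rtr1 45: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:interface GigabitEthernet0/1",
    "Jun  3 10:15:09 rtr1 46: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:username ops password *****",
    "Jun  3 23:41:17 rtr1 47: %PARSER-5-CFGLOG_LOGGEDCMD: User:guest  logged command:no access-list 101",
    "Jun  3 23:41:30 rtr1 48: %SYS-5-CONFIG_I: Configured from console by guest on vty0 (10.0.0.50)",
    "Jun  4 08:02:44 sw2 12: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:enable secret 5 $1$constructed",
]

def parse(line):
    """Return (user, command) for a config-change message, else None."""
    m = CFGLOG.search(line)
    return (m.group("user"), m.group("cmd").strip()) if m else None

def review(lines, authorized=AUTHORIZED):
    """Flag changes by unapproved users and credentials logged without masking."""
    findings = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # not a configuration-change message
        user, cmd = parsed
        secret = SECRET.search(cmd)
        if secret and set(secret.group("val")) != {"*"}:
            # Assumption: hidekeys masks the value with asterisks.
            # Redact the value so the finding does not repeat the credential.
            cmd = cmd[: secret.start("val")] + "<redacted>"
            findings.append(("unmasked-secret", user, cmd))
        if user not in authorized:
            findings.append(("unauthorized-user", user, cmd))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep=" | ")
```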