Have you ever been configuring an alert and seen these options for NCM, but wished there was also an option to run compliance reports?
There is a feature request here:, but who wants to wait? Thanks to the amazing skills of zackm, KMSigma and tdanner , we've uncovered a way for Powershell to kindly ask the SWIS API to trigger a compliance report update, which can in-turn trigger remediation actions. My specific use case is for SIP configurations on a Cisco ISR. Sometimes (but not always) after a reboot, the bind commands will mysteriously drop off of the startup config. With this new alert NPM and NCM automatically detect the reboot, take a new backup of the post-reboot running config, and update the compliance report in order to potentially trigger a remediation action that reconfigures the missing commands. Here's the how-to:
1. Download and install the Orion SDK
2. Open Powershell and type
Add-PSSnapin SWISsnapin
3. Ask the API for a list of Compliance Reports, and note the PolicyReportID for the report you want to update. Be sure to change the keyword in order to make finding the report easier.
Get-SwisData -SwisConnection $Swis -Query "SELECT PolicyReportID, Name, Comment, Grouping, ShowDetails, ShowSummary, LastModified, LastUpdated, LastError, CacheStatus, ReportStatus FROM Cirrus.PolicyReports WHERE Name LIKE '%keyword%'"
4. Whip up a new Powershell script and paste this in. The local SW account needs access to modify NCM reports. Again, massive thank you to zackm, KMSigma and tdanner for doing the heavy lifting here.
Add-PSSnapin swissnapin
$PolicyReportID = "ID_GOES_HERE"
$swis = connect-swis -hostname SERVER -UserName LOCAL_SW_ACCOUNT -Password PASS
$reports = New-Object 'System.Collections.Generic.List[String]'
$reports.Add($PolicyReportID)
Invoke-SwisVerb -SwisConnection $Swis -EntityName Cirrus.PolicyReports -Verb StartCaching @( , $reports )
5. Create an alert in Orion with the following parameters:
- Trigger condition: Whatever you want. For my use case I used "Last Boot has Changed (Node Event)" to detect a device reboot.
- Reset condition: Reset this alert automatically after 5 minutes.
- Trigger actions:
Escalation level 1 - Execute an NCM action to backup the running/startup config
Wait 1 minute
Escalation level 2 - Execute an external program, specify a user account as needed: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NoProfile -File Path\to\script.ps1
That's it! Whenever the alert fires, NCM will take a new config backup and run your chosen compliance report against it. The report can include remediation to make changes as needed, just make sure it's comparing against the same config type we specified in the 1st alert escalation level (running/startup/etc). Now bask in the glory of a self-healing network, you've just automated something new!