18 Replies Latest reply on Oct 22, 2015 10:53 AM by Craig Norborg

    Automated Config clean up

    rmothersbaugh

      I am trying to clean up my switch configurations. There are a lot of old, outdated NTP servers, SNMP trap servers and other stale info within the configuration. I have been trying to find a way to remove all of these old servers, then run a script to only have the correct ones. Any ideas, or do I need to go through each device and remove them individually? I wouldn't mind if the new server was listed and got removed.

       

      Example would be:

       

      ntp server 1.1.1.1

      ntp server 1.2.2.2

      ntp server 3.3.3.3

       

      runs the following

       

      no ntp server 1.1.1.1

      no ntp server 1.2.2.2

      no ntp server 3.3.3.3    --- This is fine if it does this.

      ntp server 3.3.3.3

        • Re: Automated Config clean up
          wluther

          rmothersbaugh

          I would recommend starting with a compliance policy/report.

          This will tell you which devices contain, or do not contain, a specific, user specified, string.

          From there, you can create a "Fix" to be applied to the devices when found.

           

          Give me a few minutes, and I will find you some links to some examples.

           

          -Will

            • Re: Automated Config clean up
              rmothersbaugh

              I am doing them but I don't see a way to remove the old ones with gathering the info from the configuration. I mean I can go through and grab all the server IP addresses and just make a single script. But I was hoping to do it automatically, just in case a person makes a change it would run the policy and remove the added server only.

                • Re: Automated Config clean up
                  wluther

                  rmothersbaugh

                  Do you have a list of the other, possible, ntp servers, or are you thinking they could just be anything?

                  If you have a list of known ntp servers that you do not want to use, then you could create a separate rule for each server, and then put all of those rules into the same report.

                  You could then assign a corrective action to those rules that would remove each one, if found.

                   

                  Example:

                  Rule ntpserver1:

                  looks for this line in the config

                  ntp server 1.1.1.1

                  and, if found, performs this corrective action to remove it

                  no ntp server 1.1.1.1

                   

                  Rule ntpserver2:

                  looks for this line in the config

                  ntp server 1.2.2.2

                  and, if found, performs this corrective action to remove it

                  no ntp server 1.2.2.2

                   

                  Rule ntpserver3:

                  looks for this line in the config

                  ntp server 3.3.3.3

                  and, if NOT found, performs this corrective action to add it

                  ntp server 3.3.3.3

                   

                   

                  Or, can you just run a script on all of the switches, through the "Configuration Management" section under the NCM tab, that would just "no ntp server", then "ntp server 3.3.3.3"?

                   

                  How about changing the rule to include a block of text from the config, matching it on the lines before and after "ntp server 3.3.3.3".

                  This way if it matches the config, you know you only have the 1 entry.

                  Otherwise, if it doesn't match, and you need it to cover possible ntp servers you may not be aware of, it simply removes everything, and only re-adds the one you need.

                   

                  As another example, if this is how all of your devices/configs should look, then anything with more than those 3 lines, regardless of server IP, would trigger the policy violation, and then you could remediate with your "no ntp"/"ntp server 3.3.3.3" script.

                  !

                  ntp clock-period 36029396

                  ntp server 3.3.3.3

                  end

                   

                   

                  I hope I am not too far off base on this with you, but I do know I am not the best explainer.

                   

                   

                  -Will

              • Re: Automated Config clean up
                Craig Norborg

                I believe I know what you mean, that you want to remove any other NTP server than the one you want defined, regardless of its IP address. So you don't have an actual list of them sitting there of what other NTP servers there are...

                 

                I have a bit of a hack based on the newest NCM that can work for you.  This is how you set it up.

                 

                In the "STRING MATCHING" section configure it as follows with the IP address of the NTP server you want to be set...

                 

                StringMatching.jpg

                 

                Then, in the "search config file/block" set it up as follows, the "config block end" could probably be "^.*" also (ie: ANYTHING), we are mainly interested in setting the start of the config block to be the line that contains the specific NTP server on that specific line.  More on that below...

                 

                ConfigBlock.jpg

                 

                Now for the magic / hack.   Set your remediation script as follows:

                 

                remediation.jpg

                 

                 

                The first line is doing a "no" of the "ConfigBlock" start line I mentioned above, which will be set to any NTP server that you DON'T want.   It will ignore the NTP server you do want.   The second line is optional, setting the NTP server that you do want.   If you just want to remove unwanted NTP servers the first line will suffice.

                 

                The one drawback of this is if no NTP server is defined at all, the config will be in compliance, you will need another rule to make sure the NTP server you want is defined, but that's quite simple.

                 

                This is kind of hacking the new ability to run your script on each config block that is in violation a bit, this feature was never intended to work this way.  But my devious mind wanted this for the ability to do things like remove unwanted SNMP communities and such.  So, no promise it will always work, but I believe it should work at least in the present.  Let me know your results and TEST first on a small subset of devices!!!

                 

                Any relation to Mark?  :-)  

                 

                HTH!!

                 

                    "I'm just working in the coal mines..."

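                The per-server rules Will lists above and Craig's config-block hack both boil down to one operation: find every "ntp server" line whose address is not the one you want and negate it. The following Python script is an added example, not part of this thread and not NCM's own code; it reproduces that logic offline on a constructed config so you can see exactly what a remediation script would push before pointing a policy at real devices. It collapses runs of whitespace before matching (Jiri's caveat further down about configs containing different kinds of whitespace), and it only re-adds the wanted server when it is missing, which also covers the "no NTP server defined at all" case Craig mentions.

```python
import re
from typing import List

# Constructed sample running-config (not from a real device). Whitespace is
# deliberately uneven to mimic what exported configs often contain.
SAMPLE_CONFIG = """\
!
hostname sw-core-01
ntp clock-period 36029396
ntp server 1.1.1.1
ntp\tserver  1.2.2.2 prefer
  ntp server 3.3.3.3
snmp-server community public RO
end
"""

# The one NTP server every device should keep (placeholder address from the thread).
WANTED_NTP = "3.3.3.3"

# Matches a normalised "ntp server <address> [options]" line and captures the
# address. "ntp clock-period ..." and other ntp lines do not match.
NTP_SERVER_LINE = re.compile(r"^ntp server (\S+)(?:\s.*)?$")


def normalise(raw: str) -> str:
    """Collapse tabs and repeated spaces to single spaces and strip both ends."""
    return " ".join(raw.split())


def ntp_server_lines(config: str) -> List[str]:
    """All normalised 'ntp server ...' lines in the config, in order."""
    return [ln for ln in map(normalise, config.splitlines()) if NTP_SERVER_LINE.match(ln)]


def unwanted_ntp_lines(config: str, wanted: str) -> List[str]:
    """The 'ntp server' lines whose address differs from `wanted`.

    This is the equivalent of the config-block start line in the hack above:
    any ntp server line except the one you want.
    """
    return [ln for ln in ntp_server_lines(config)
            if NTP_SERVER_LINE.match(ln).group(1) != wanted]


def wanted_present(config: str, wanted: str) -> bool:
    """True if the wanted server is configured (with or without options such as 'prefer')."""
    return any(NTP_SERVER_LINE.match(ln).group(1) == wanted
               for ln in ntp_server_lines(config))


def is_compliant(config: str, wanted: str) -> bool:
    """Compliant = no stray ntp server lines AND the wanted one is configured."""
    return not unwanted_ntp_lines(config, wanted) and wanted_present(config, wanted)


def remediation_script(config: str, wanted: str) -> List[str]:
    """Commands to push: a 'no' of each unwanted line, plus the wanted server if missing."""
    cmds = ["no " + ln for ln in unwanted_ntp_lines(config, wanted)]
    if not wanted_present(config, wanted):
        cmds.append(f"ntp server {wanted}")
    return cmds


if __name__ == "__main__":
    print("compliant:", is_compliant(SAMPLE_CONFIG, WANTED_NTP))
    for cmd in remediation_script(SAMPLE_CONFIG, WANTED_NTP):
        print(cmd)
```

Negating the whole normalised line (options included) keeps the generated command tied to exactly what was found, so a diff of the script against the config shows nothing unexpected; run it against a handful of exported configs and read the output before any policy is allowed to push it.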
                  • Re: Automated Config clean up
                    cvachovecj

                    Hmm, interesting use case for the block inspection. I'm curious to see if it works.

                     

                    Jiri

                      • Re: Automated Config clean up
                        wluther

                        cvachovecj

                        cnorborg usually seems to know what he is talking about, at least all of the times he has helped me. If he says it works, I would bet it does.

                        Seems like this could be a useful tool, whether intended or not. Maybe SolarWinds can implement it into the system as its own feature/purpose.

                          • Re: Automated Config clean up
                            cvachovecj

                            Of course cnorborg knows what he is talking about. (I nominated him for the MVP status as a recognition.) I appreciate that he found a use case that I didn't have in mind when we implemented this enhancement.

                            What I meant by being curious if it works is the fact that sometimes, configs contain different kinds of whitespace, so tuning a regex rule so that it works universally may need some playing around.

                             

                            Jiri

                              • Re: Automated Config clean up
                                wluther

                                cvachovecj

                                Then it is settled. cnorborg is hired!

                                Now, with Jiri & Craig teamed up, the NCM team is unstoppable...

                                 

                                Yeah, I know what you meant, I was just messing around. But, it is really cool that a user can find a new, and unintended, way to use a tool, and then the staff just comes right on board to investigate the potential. Soooooooo much better than taking months and years to lobby for this and that with other vendors, just to get them to start looking...

                                 

                                -Will

                                  • Re: Automated Config clean up
                                    cvachovecj

                                    Actually we hired quite a few customers and typically, they were very active on thwack.

                                    • Re: Automated Config clean up
                                      Craig Norborg

                                       

                                       

                                      Well, thanks for the votes of confidence guys!!  This "feature" is actually one I've wanted for quite some time, not necessarily for NTP servers, but for SNMP communities and such.

                                       

                                      As an FYI - this actually does work, I'm using it.  But, especially when I'm telling someone to basically hack the way the system is working, I like to give disclaimers!!  Definitely need to be careful when doing things globally based off regular expressions...

                                       

                                      Yea, my first post on this subject was way back in Oct 2006 I think (Is is possible?), and I asked another similar question in Feb 2011 (Policy Manager - Is there a way to...) from which fcaron supposedly created an "enhancement" #46497.   I assume this was the predecessor to voting on feature enhancements?  Maybe I should go put one in...

                                    • Re: Automated Config clean up
                                      Craig Norborg

                                      Hmm... I found a use case where my solution doesn't work, cvachovecj. Was trying to weed out unknown SNMP communities on routers of a company we just merged with. I modified this to look for "^snmp-server community .*" instead of the NTP. Had it look for either community in the config block and ran it. Worked for most of the communities on my test router, except for one. Tried a couple different things and couldn't get it to work. I end up with this in the config:

                                       

                                      !  1- unrelated config lines.

                                      snmp-server community badcommunity RO

                                      snmp-server community validcommunity1 RO

                                      snmp-server community validcommunity2 RW

                                      ! 2 - unrelated config lines

                                       

                                      What I think is happening is that a config block has to be at least 2 lines, not sure if this part is true or not. So, I have it starting with "^snmp-server community" and ending with basically anything (ie: ".*", have tried a couple things). So, I'm thinking it iterates through 3 blocks. The first one starting with "snmp-server community badcommunity" and ending with the next line ("snmp-server community validcommunity1"). Now, since I'm looking for "snmp-server community validcommunity1" in the config block and it's there, this passes (even though I don't want it to). The next 2 times it iterates through, it uses the other snmp-server community lines as start lines and the next lines as stop, and they also pass.

                                       

                                      So, the problem is that I really only want to look at one line in the config, not 2.  But I don't think I can get a config-block to be only one line.   Hmm..   You know there are probably a couple other things to try, if any of them work I'll post here...  But, as of now I don't think this will work.

                                       

                                      However,  I am sure you can see the way that we NEED this ability, and I'd preferably have it done in a way that isn't kind of "hacking" the server!!

                                       

                                      Thoughts?!   (I will let you know if any of my other potential hacks work, I don't expect them to)...
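                                      To see why the two-line blocks defeat the check, here is an added Python model of the behaviour described in this post; it is not NCM's code and it assumes Craig's hypothesis that a block runs from a matching start line to the following line, with the block end matching anything. It compares that block-by-block check against inspecting each "snmp-server community" line on its own, on a config constructed to match the excerpt above; the community names are placeholders from the thread.

```python
import re
from typing import List, Set

# Constructed config modelled on the excerpt in the post (not a real device).
SNMP_CONFIG = """\
! 1 - unrelated config lines
snmp-server community badcommunity RO
snmp-server community validcommunity1 RO
snmp-server community validcommunity2 RW
! 2 - unrelated config lines
"""

# Placeholder names from the thread; a real policy would list the site's approved strings.
VALID_COMMUNITIES: Set[str] = {"validcommunity1", "validcommunity2"}

BLOCK_START = re.compile(r"^snmp-server community .*")   # the post's config-block start regex
COMMUNITY = re.compile(r"^snmp-server community (\S+)")  # captures the community string


def two_line_blocks(config: str) -> List[List[str]]:
    """Hypothesised block inspection (an assumption, per the post): each block is
    the matching start line plus the line after it, the 'end' matching anything."""
    lines = config.splitlines()
    return [lines[i:i + 2] for i, ln in enumerate(lines) if BLOCK_START.match(ln)]


def block_passes(block: List[str], valid: Set[str]) -> bool:
    """The 'either community' rule: a block passes if ANY of its lines names an approved community."""
    for ln in block:
        m = COMMUNITY.match(ln)
        if m and m.group(1) in valid:
            return True
    return False


def block_inspection_violations(config: str, valid: Set[str]) -> List[str]:
    """Start lines of blocks that fail, i.e. what the block-based rule would remediate."""
    return [blk[0] for blk in two_line_blocks(config) if not block_passes(blk, valid)]


def single_line_violations(config: str, valid: Set[str]) -> List[str]:
    """What is actually wanted: every community line whose string is not approved."""
    out = []
    for ln in config.splitlines():
        m = COMMUNITY.match(ln)
        if m and m.group(1) not in valid:
            out.append(ln)
    return out


def remediation(config: str, valid: Set[str]) -> List[str]:
    """'no' each unapproved community line, as the block hack negates its start line."""
    return ["no " + ln for ln in single_line_violations(config, valid)]


if __name__ == "__main__":
    print("block inspection flags :", block_inspection_violations(SNMP_CONFIG, VALID_COMMUNITIES))
    print("single-line check flags:", single_line_violations(SNMP_CONFIG, VALID_COMMUNITIES))
    print("commands to push       :", remediation(SNMP_CONFIG, VALID_COMMUNITIES))
```

With the lines in the order shown in the post, the block model flags nothing, because the block starting at badcommunity also contains validcommunity1 and therefore passes. Swap the order so the bad community is the last community line and the same model does flag it, which is why the result looks inconsistent across devices: the outcome depends on what happens to follow each line, not on the line itself. The single-line check has no such dependency.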

                                • Re: Automated Config clean up
                                  rmothersbaugh

                                  WORKED LIKE A CHAMP

                                   

                                  You have made my life much easier, thanks

                                   

                                  Thanks