Help with regular expressions and config change reports

I could use some help with creating a regular expression that the config change report ignores during its comparison.  Basically, I have Cirrus comparing the most recent config downloaded with the latest baseline.  The problem is that the running configuration of my Cisco devices has the crypto key listed in the config, and in the startup, the crypto key doesn't exist.  I would like to exclude this section from even being compared, but my regular expression knowledge is severely lacking.  I'm guessing there is a way for me to exclude the following:


crypto ca certificate chain TP-self-signed-1667691779
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31363637 36393137 3739301E 170D3036 30383036 31303234
  35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36363736
  39313737 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B4CA F3563FC5 43010A48 B075619E A7DE4790 AF982EF5 5402B501 207DB313
  67C78E80 CCD4CBA7 D2214222 055D8CBF A676A6A3 64C0B6C2 2247D76C C4C60202
  EFCA453E 5848D707 16D2940D C7384BBE 6BA52028 5F1CD47F C66CFD7B EF51188D
  8AF9B9E9 D4DFB645 1D36E2B0 1D2B6BDE CF00F2FB 149AA487 7CF2FD66 74A4D032
  CDFB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14797F79 CD395C9D 9BBBF477 BE2CB863 2BD9D2B3 DA301D06
  03551D0E 04160414 797F79CD 395C9D9B BBF477BE 2CB8632B D9D2B3DA 300D0609
  2A864886 F70D0101 04050003 8181007B 9EB45922 73A18372 A31736D2 DA9089FD
  760DE6D1 0B50007E 05BA8328 D8A48A76 5B68D3EE 69BA29BD 89D63CE8 6BEF5ECE
  05DC7804 FAE7DA90 716CB0C5 40BBCB21 8BFDE99D AF3E4D35 796BFA05 FF5F3000
  78368944 B9BA15C8 F017126D 7AF337D0 88F38689 57F73A18 7509491A F3060E3A
  D0F1BCE8 4C110ECF 9A016242 7758E3
  quit


Is there a way to exclude everything to "quit" and what would it look like?  Any help would be appreciated.


2 Solutions

For those of you still experiencing this issue, please try adding the following lines to your comparison exclusion criteria.  If these work for you, please let us know by posting a 'yeehaw!' in your response.

Ignoring crypto lines:
^[ \t\r\n\v\f]*crypto.*certificate

Ignoring certificate line:
^[ \t\r\n\v\f]*certificate[ \t\r\n\v\f]*self-signed

Ignoring hex data:
^[ \t\r\n\v\f]*[A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9]

Ignoring quit word line:
^[ \t\r\n\v\f]*quit[ \t\r\n\v\f]*


For those still having problems, I am currently running NCM 7.0.1 and in order to get our config change reports to omit the cert lines we had to remove the ^ character from the regex expression.


WOW!!!  Thanks.  I have been skimming too much and finally saw remove the ^.  Very Much Appreciated!!!


I know this is an old post but I just found it looking for where I can edit the command that gets the running config.  And, I am having a problem with a startup/running config conflict based on the cert info being present in the running config.

As someone said above, 'show running-config brief' or 'sh run br' will show the running config minus the certificate info.  Hopefully, this will match your startup config and prevent those false positives.

Now I just need to work out where to change that command in Solarwinds!

You would change that in the device template and make sure you change the download method.


Tim,

    I've been attempting to modify the Config file to fix the Running Config vs Startup Config conflict but I keep getting Connectivity issues discarding Config file.device IP:XXX.XXX.XXX.XXX.

I've copied my original file data with the modified file data.



NCM 7.1 and removing the caret (^) from the beginning of the regex expression worked for me too.


I have done extensive testing and found the following:

Return line and end of line characters are not even being parsed so they can be excluded. (whether at the beginning or end of your regex).

Hex can be defined as [A-F0-9{8}], however if you try to match more than 2 variables with this regex, it will break (probably a bug) so you can simply use [A-F0-9{8}]+ for the certificate hex.

As well to further explain the pattern matching, if the line says for example "Hello how are you" and you created a regex, "el" that line would be excluded in entirety.  This does not exclude the section though, a section is all the lines between exclamation points.  If you have any line without any pattern that matches the whole section gets flagged as changed.  This is explained on the linked page previously noted.

So for pattern matching, be as specific as possible if you do not want false exclusions and want proper reporting.  The issue with the Hex pattern above is something I have already opened a ticket on.

If you want to properly test your regexes, edit 2 configs.  In the first just create 2 lines with "!". In the second create 2 lines with "!" and put the line you want to test your regex against in between them.  This will allow you to highlight the two edited configs in NCM, create a regex and compare.

I hope this helps so that people can start creating better regexes and get the issues I have found during testing addressed.

Also, here are my cert regexes that work and aren't wild blasts that may or may not work; these are specific to certs:

^ntp clock-period

^wlccp ap username cisco

crypto

self[-]*signed

[A-F0-9{8}]+

^ pre-shared-key

quit

revocation-check none

rsakeypair

serial-number

^!

This should fix your cert issues on all devices and resolve inconsistencies.  However, do not blame me if you get improper reporting, as you should be creating more specific regexes than what I have just provided.

Lastly, it also looks *like* the regexes are not even case sensitive if you are not using brackets.  I.e., serial-number and Serial-Number would both match the same config lines.


I haven't visited this in a while but when adding: [A-F0-9{8}]+  this broke bandwidth 1536 etc lines from being recognized as a config change.

So going back to comparison criteria, I was "told" that it uses VB6 processing engine for the REGEX and is not consistent with the new .net engine that NCM Compliance Rules use.  I am dismayed by the inconsistency within the product and the fact that features exist that cannot possibly be used in a production environment.

I have since disabled the criteria exemptions until Solarwinds fixes the tool.
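As an added illustration (not code from any post in this thread or from NCM), the Python script below applies the line-level exclusion regexes posted earlier in the thread to two constructed sample configs, and shows why the later pattern `[A-F0-9{8}]+` swallows a `bandwidth 1536` line: inside square brackets, `{8}` is three literal characters in a character class, not an "exactly eight" count. Python's `re` engine is assumed here; the thread notes NCM's comparison engine is a different (VB6) one, so this demonstrates regex semantics rather than NCM's exact behaviour.

```python
import re

# Exclusion patterns from the solution post, compiled for Python's re engine.
# The eight repeated [A-Fa-f0-9] classes are written as an equivalent {8} count.
CHRIS_PATTERNS = [
    r"^[ \t\r\n\v\f]*crypto.*certificate",
    r"^[ \t\r\n\v\f]*certificate[ \t\r\n\v\f]*self-signed",
    r"^[ \t\r\n\v\f]*[A-Fa-f0-9]{8}",
    r"^[ \t\r\n\v\f]*quit[ \t\r\n\v\f]*",
]
# The later tester's hex pattern: a character class of A-F, 0-9, '{', '8', '}'.
# Any single digit anywhere in a line satisfies it.
LOOSE_HEX = r"[A-F0-9{8}]+"

# Constructed sample configs (not captured from a real device); the running
# config carries a self-signed certificate chain, the startup config does not.
RUNNING = """\
interface Serial0/0
 bandwidth 1536
!
crypto ca certificate chain TP-self-signed-1
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101
  D0F1BCE8 4C110ECF 9A016242 7758E3
  quit
!
"""
STARTUP = """\
interface Serial0/0
 bandwidth 1544
!
"""


def excluded(line, patterns):
    """True if any exclusion pattern matches anywhere in the line (the thread's
    'el' matches 'Hello' semantics: a partial match drops the whole line)."""
    return any(re.search(p, line) for p in patterns)


def changed_lines(old, new, patterns):
    """Non-blank lines present in only one of the two configs, after dropping
    every line that an exclusion pattern matches."""
    def keep(cfg):
        return {l for l in cfg.splitlines() if l.strip() and not excluded(l, patterns)}
    a, b = keep(old), keep(new)
    return sorted((a - b) | (b - a))


if __name__ == "__main__":
    print(changed_lines(STARTUP, RUNNING, CHRIS_PATTERNS))                # real change only
    print(changed_lines(STARTUP, RUNNING, CHRIS_PATTERNS + [LOOSE_HEX]))  # bandwidth change lost
```

With the solution post's patterns only the bandwidth change survives; adding the loose hex class hides it, which is the false negative a change-detection exclusion must not introduce.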


Hello, we ARE running v5.1 of NCM, and unfortunately it appears as though this issue still has not been addressed natively.

I have not yet tried the multi-line reg exp in 5.1 (has anyone? or can solarwinds confirm it is now supported?)

Having compared the outputs of "show run" vs "show run brief" I can see that solution will work (thanks to poster!) but I'm worried as code versions progress etc. this may leave out information that we may want in a backup... so this solution is less than ideal.

Any official comment from Solarwinds?

cheers

Keiran.


Multi-line reg exp is not supported in 5.1 comparison criteria exclusions.   The specific thing we fixed in 5.1 was ignoring changes to the certificate crypto string (see start of this thread).

If this isn't working for you, please open a support ticket as there may be something different about your configuration.



Yeehaw!....sort of.

Thanks Chris.  The exclusion criteria worked within the NCM UI comparing the latest downloaded running config to the latest baseline (startup) ignoring the certificate info as expected.

BUT...the nodes I've tested against are still listed in the NCM Web-UI as conflicting.


I opened a ticket on the UI showing as conflicting on the pie chart.  I was told that this was expected behavior as the exclusion criteria were not used in the report.  I suggested that it wasn't very helpful for the report not to include the exclusions as it would be easy to fool the interface into thinking something changed when nothing important did.


Try running the download job again. This will cause all configs to be updated and the config cache to be refreshed with updated comparisons (based on the new exclusion list).

These graphs are based on cached information from the config comparison performed when the configs are downloaded, so you need to download configs for all devices, in turn updating the cache and hopefully updating the charts.


Thanks Sham.  The job will run again tonight, so I'll report back tomorrow on the status of the cache.


Hey guys, from my experience you also have to be very careful with the timeframe over which your graph is plotting data. I.e., if you fix a problem with compares on a Thursday, but you have a 7-day window on your graph, your changes won't reflect in the graph until next Thursday as it's still plotting data covering configs that are incorrect (or you can change your window to 1 day, which is what I did). I found this a little counterintuitive, and it may want to be addressed in future versions to make this more obvious?

cheers, Keiran.


I'm already looking at "today" as the filter for the baseline v running graph.  It still hasn't caught up properly.

The job has run every night now since last week, the WebUI graph is still showing about 40% conflicts.


Do you keep all your config downloads or do you only keep them if changed?  We have ours set to only keep if changed.  For the report to look normal, I basically had to set it as close to "forever" as I could get it.  When the graph is generated it looks for configs in the timeframe.  If you have your configs to only be saved on changes and the last change was made outside of the charting window, you won't see those configs included.

It seems really backwards the way it is implemented.


This point is KEY; I have it configured to "Only save Configs that have changed", and with the graph set to 7 days I was getting 100% mismatch report over my 50+ devices.

I'll test it by removing this check box in the download job config.


I read in another indirectly related thread that the graphs don't consider the comparison criteria when generating the startup v running config graph.  Is this true?  If so, how do we overcome the challenges of the startup configs including items that running configs do not? (e.g. ASAs' asdm location lines within a startup config.)
