5 Replies Latest reply on Dec 15, 2017 9:40 AM by sja

    NCM Report Auditor Report for Conf T

    spyfly

      We are looking to write an auditor report that will show anytime a user uses conf t and/or write mem. We would like the report to collect all such commands for the previous day, and the report would be emailed around 8am.

       

      What would be the best way to handle this? I am assuming that this could be done as we are using Real-Time Config Change Detection.

       

      Thanks in advance

        • Re: NCM Report Auditor Report for Conf T
          wluther

          spyfly Yes, you can use the real-time change notification tool to flag the entry, or you might just be able to set your syslog to tag/classify those messages into a similar group. Once they are tagged, you should be able to generate a daily report that shows them. Different devices may send that message differently, but if your syslog rule is just looking for that text in the body, it should work pretty easily. Sounds like you already have the plan figured out, just need to create a rule and a report.

           

           

          Thank you,

           

          -Will

            • Re: NCM Report Auditor Report for Conf T
              wluther

              spyfly As long as the syslog message is getting to your server... Create a new report, add content, group by type, choose "Syslog", choose "Last XX Syslog Messages". Edit resource, select "Yesterday" from the time frame drop down. Use a filter similar to "(Message Like '*conf t*') OR (Message Like '*write mem*')", and your report should show all of your messages, from the previous day, that match the filter. (You may want to tag the message, insert a unique ID, or base the filter on something more specific to that message. If someone only uses "wr", then that message would not qualify on your filter of "write mem"...)

               

               

              Thank you,

               

              -Will

            • Re: NCM Report Auditor Report for Conf T
              spyfly

              wluther I am not sure with the Syslog report if I can get what I need. The report will need to have the following headers:

               

               

              Date     Time     User Name (user that made the change)     Node IP Address     Node Name     Command Ran

               

               

              I was hoping there was an out-of-the-box report for NCM that I could modify, but it appears most of the NCM Reports are built around configurations and not around commands.
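
An added example, not part of the thread and not SolarWinds code, of the matching problem raised above: a filter on the literal text "write mem" misses "wr". This Python script treats each typed word as an abbreviation of the full keyword and returns the previous day's matches under the headers listed above; the space-separated input layout, the sample rows and the minimum abbreviation lengths are assumptions.

```python
# Constructed sample rows: date, time, user, node IP, node name, command text.
SAMPLE = """\
2017-12-14 09:15:02 jdoe 10.0.0.1 core-sw1 conf t
2017-12-14 09:17:40 jdoe 10.0.0.1 core-sw1 wr
2017-12-14 10:02:11 asmith 10.0.0.7 edge-rtr2 show run
2017-12-14 11:30:55 asmith 10.0.0.7 edge-rtr2 write memory
2017-12-13 16:45:00 jdoe 10.0.0.1 core-sw1 configure terminal
2017-12-14 13:05:19 bkim 10.0.0.9 dist-sw3 write erase
"""

# Watched command -> ([(keyword, assumed shortest abbreviation)], words required).
# "write memory" needs only its first word because a bare "wr" is what the
# thread warns a literal "write mem" filter would miss.
WATCHED = {
    "configure terminal": ([("configure", 4), ("terminal", 1)], 2),
    "write memory": ([("write", 2), ("memory", 1)], 1),
}

def classify(command):
    """Return the watched command that the typed text abbreviates, or None."""
    tokens = command.lower().split()
    for name, (spec, required) in WATCHED.items():
        if not required <= len(tokens) <= len(spec):
            continue
        # Each typed word must be a long-enough prefix of its keyword.
        if all(len(tok) >= min_len and keyword.startswith(tok)
               for tok, (keyword, min_len) in zip(tokens, spec)):
            return name
    return None

def report(log_text, day):
    """Build report rows for one day (YYYY-MM-DD), keyed by the requested headers."""
    rows = []
    for line in log_text.splitlines():
        d, t, user, ip, node, command = line.split(None, 5)
        if d == day and classify(command):
            rows.append({"Date": d, "Time": t, "User Name": user,
                         "Node IP Address": ip, "Node Name": node,
                         "Command Ran": command})
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE, "2017-12-14"):
        print("\t".join(row.values()))
```
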