
Filtering for incorrect logging hosts

I've been setting up a bunch of compliance reporting as of late and, while I now have a rule that looks for the correct logging servers, I would also like to have one that looks for any other logging servers that might be setup.

I've been banging away at it for a while now, but I just don't seem to have found a filter that doesn't either fail everything or pass everything...

Here's what I've got at the moment:

------------------------------------

Match if String is Found

Must NOT Contain String: logging host x.x.x.x

Must NOT Contain String: logging host y.y.y.y

Must NOT Contain String: logging host z.z.z.z

Must Contain String: logging host


All four are "AND" with no use of parenthesis.

------------------------------------


This ALWAYS comes through as a "Pass," even if there is a fourth logging host that is NOT one of those other three.  I have tried a variety of regex variations, but it seems to invariably pass or fail 100% of the devices.  It is totally possible that I got close with the regex, but just didn't know enough.


In the case of the current, simplified string-only attempt, is it possible that it is excluding the first three strings, then going right back and matching the fourth filter against those same three lines?  In my head, it should only cause a match if a logging host is in the config and does NOT match one of the three known IPs.


Thanks for any advice!

  • What is the correct Text/Entry supposed to be? 

  • Say in a switch's config I had this:

    ------------------------------

    !

    logging host x.x.x.x

    logging host y.y.y.y

    logging host z.z.z.z

    logging host a.a.a.a

    ...

    -----------------------------

    I have a policy that looks for logging hosts x, y, z.  These are the current hosts that I want on there.

    I want to create a policy that will alert if any extra logging hosts are in the list (like host 'a' in the example).  To be useful, it has to ignore the three hosts that I expect to be there.

    Does that get at what you wanted to know?

  • OK, this is how I would do it.  Try this and let me know. 

    If not found then trigger alert

    block 1.

    must contain logging host x.x.x.x.*\nlogging host y.y.y.y.*\nlogging host z.z.z.z

    block 2. and

    must not contain logging host x.x.x.x.*\nlogging host y.y.y.y.*\nlogging host z.z.z.z.*\nlogging host a.a.a.a

  • actually you can take off the a.a.a.a on block 2 to look for any 4th logging host.

  • I think the discussion linked below goes over this problem quite a bit for you.   However, after everyone applauded me for finding a unique solution in it, I found a case where it won't work quite right.  Hoping they'll modify NCM to fix it in all cases.

    That being said, the solution should work for quite a few instances, worth trying to see if it does in your case!!

    Automated Config clean up

  • I get nervous when I have the system automatically make changes that I did not specifically push.  I tend to shy away from automated remediation scripts and prefer to use Configuration Templates to make changes.

  • Round one:

    Used these settings for the config block.

    Start:  ^logging host .*

    End:  ^(logging|access-list|snmp|end)

    It appears to now reliably catch rogue servers at the end of the list of logging servers.  It does not appear to catch anything anywhere else on the list.

    I will keep poking at it for a while, but if you have any further suggestions about tweaking things, I am all ears.  Still though, I am excited that it is now doing something reliably.  Progress!

    Though... Looking at it again... Is it possible that this method cannot be adapted to successfully do only reporting?  It might only be able to fix the problem, but not be able to merely report on it?  I'm rather hoping to avoid the auto-changes to switch configs.  I could let it rip once, then disable, but that won't tell me about future issues that crop up.  Which isn't to say that it isn't a pretty neat solution.

    Is there a document anywhere that lays out exactly how NCM is running the search terms through the config?  There are times that I feel like it is almost running each of the search strings through the block totally independently, which seems contrary to the "AND" statements.  I've had that last string "logging host " match against the three "must not contain" statements above.  That makes me think that I am looking at it wrong.

    Thanks!

  • Would this not require that the rogue server be at the end of the list?  I cannot guarantee where in the list such a server might fall.  I think that's where most of my trouble lies...  That, plus I can't really say how many there might be.  My network has grown over time and come to include a variety of gear previously run by other groups, hence the variety of possibilities here.

  • I've never used the "automated" remediation scripts either, by that I would mean "Automatically execute this script when a violation is found" option being selected.   I think there would be very few instances where I would potentially use this feature.

    If you meant that the Compliance remediation on its own is "automated", I'd personally say that Compliance scripts are better to use than "Configuration Templates".  With Compliance scripting it only makes the changes to devices that need the changes to be done, and it figures out those for you.   Configuration Templates execute on all devices you select, regardless of whether it needs it or not...

  • Yes, it is positionally dependent as to when it catches the offending lines.   I don't think it's strictly the last one on the list, although it's definitely easier for it to catch them at the end.  There are times where it can catch things in the middle of a list too, but it would be dependent on the lines around it.

    Not sure I understand what you're saying at the end about your confusion.   The documentation is available in the admin guides and online help, but it's sparse.  It does tend to make sense though.

    If you posted specific examples, it might be easier to explain them.
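The two approaches discussed in this thread (an allow-list of expected logging hosts versus the chained `logging host x.*\nlogging host y.*\nlogging host z.*\nlogging host` regex) can be compared outside NCM with a small script. The following is an added example, not code from the thread or from SolarWinds; it does not reproduce NCM's rule engine, it only evaluates the same regexes against sample config text with Python's `re` module. The sample configs, the allow-list (192.0.2.x) and the rogue host (198.51.100.9) are constructed for illustration. It shows that the per-line allow-list check flags a rogue host wherever it appears, while the chained pattern only fires when the extra host sits directly after the three expected ones, which is the positional dependence described above.

```python
import re

# Constructed sample data (documentation address ranges, not real devices).
# The expected logging servers, in the order the thread's chained regex lists them.
EXPECTED_IN_ORDER = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
ALLOWED = set(EXPECTED_IN_ORDER)

CONFIG_ROGUE_AT_END = """\
!
logging host 192.0.2.1
logging host 192.0.2.2
logging host 192.0.2.3
logging host 198.51.100.9
!
snmp-server community public RO
"""

CONFIG_ROGUE_IN_MIDDLE = """\
!
logging host 192.0.2.1
logging host 198.51.100.9
logging host 192.0.2.2
logging host 192.0.2.3
!
"""

CONFIG_CLEAN = """\
!
logging host 192.0.2.1
logging host 192.0.2.2
logging host 192.0.2.3
!
"""

# One "logging host <target>" line at a time; \S+ captures only the host
# token, so "192.0.2.1" does not also match "192.0.2.10".
LOGGING_HOST_RE = re.compile(r"^[ \t]*logging host (\S+)", re.MULTILINE)


def logging_hosts(config):
    """Every logging target in the config, in the order configured."""
    return LOGGING_HOST_RE.findall(config)


def rogue_logging_hosts(config, allowed=ALLOWED):
    """Configured logging hosts that are not on the allow-list.

    Position independent: a rogue host is reported wherever it sits in
    the list, and any number of rogue hosts is reported.
    """
    return sorted(set(logging_hosts(config)) - set(allowed))


def missing_logging_hosts(config, allowed=ALLOWED):
    """Expected logging hosts that the config does not contain."""
    return sorted(set(allowed) - set(logging_hosts(config)))


def chain_regex_matches(config, expected=EXPECTED_IN_ORDER):
    """Evaluate the thread's chained pattern, e.g.

        logging host x.*\\nlogging host y.*\\nlogging host z.*\\nlogging host

    Dots in the addresses are escaped here; written bare (as in the thread)
    they match any character.  The trailing ".*" still lets "192.0.2.1"
    match "192.0.2.10".  The pattern only matches when the expected hosts
    are adjacent, in order, and immediately followed by another
    "logging host" line, so a rogue host earlier in the list is missed.
    """
    pattern = r"\n".join(f"logging host {re.escape(h)}.*" for h in expected)
    pattern += r"\nlogging host"
    return re.search(pattern, config) is not None


def compliance_report(config):
    """Summarise both checks for one device config."""
    return {
        "rogue_hosts": rogue_logging_hosts(config),
        "missing_hosts": missing_logging_hosts(config),
        "chain_regex_fires": chain_regex_matches(config),
    }


if __name__ == "__main__":
    for name, cfg in [("rogue at end", CONFIG_ROGUE_AT_END),
                      ("rogue in middle", CONFIG_ROGUE_IN_MIDDLE),
                      ("clean", CONFIG_CLEAN)]:
        print(name, compliance_report(cfg))
```

Running it shows the rogue host 198.51.100.9 reported by `rogue_logging_hosts` in both the "rogue at end" and "rogue in middle" configs, while `chain_regex_matches` is true only for the "rogue at end" config. If a compliance engine only offers "must contain" and "must not contain" string tests evaluated over the whole config, the equivalent of the allow-list check is a single negative regex on each `logging host` line, such as `^logging host (?!(192\.0\.2\.1|192\.0\.2\.2|192\.0\.2\.3)\s*$)`, which matches any logging line whose target is not one of the expected ones regardless of position.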