Configure real time change detection

Created by Caroline Juszczak, last modified by Anthony.Rinaldi_ret on Oct 03, 2016


The SolarWinds Syslog and Trap Services must be configured to run as administrator so that scheduled jobs are processed correctly. For detailed steps, see Run syslog and trap services as administrator.

Cisco devices send trap messages when a user enters config mode, but not when the user exits. As a result, if you change the configuration on your device, you receive a trap message about those changes only the next time you enter config mode, which is usually not until another configuration change is needed. Because of this behavior, SolarWinds recommends that you use the syslog option for setting up real-time change detection.

Access real-time change detection settings

  1. Click Settings > All Settings.
  2. Under Product Specific Settings, click NCM Settings.
  3. Under Real Time Change Detection, click Configure Real Time Change Detection. You must complete all six steps for Real Time Change Detection (RTCD) to operate correctly.

Step 1: Manually configure your devices to send syslog or trap messages

  1. Click My Dashboards > Configs > Configuration Management.
  2. Select the node(s), and then click Execute Script.
  3. Paste in the commands from the following examples, changing the IP address to match your device:

    Syslog (IOS)

    config terminal
    logging 10.199.3.43
    logging trap 6
    end

    Syslog (CatOS)

    set logging server 192.168.0.30
    set logging server facility local4
    set logging server severity 4
    set logging server enable

    Traps (IOS)

    snmp-server host 10.110.68.33 public config
    snmp-server enable traps config

    Traps (CatOS)

    set snmp trap 10.110.68.33 public config
    set snmp trap enable config

  4. Click Execute.
  5. Click Transfer Status.
  6. In the Action column, locate the most recent entry labeled Execute Script.
  7. Click Show Script Results in the Status/Details column.

For more information, refer to the documentation for each network device.

To remove a device configuration, run the command with "no" in front of it. For example, "no set logging server ip_address" removes that target from the remote logging stream.

Step 2: Configure alerts and filters triggered by syslog and trap messages

Cisco devices that send change notifications using syslog messages

  1. Start Syslog Viewer in the SolarWinds Orion program folder.
  2. Click View > Alerts/Filter Rules.
  3. Select NCM Rule: Cisco IOS - Change Notifications.
  4. Click OK.

Non-Cisco devices that send change notifications using syslog messages

  1. Start Syslog Viewer in the SolarWinds Orion program folder.
  2. Click View > Alerts/Filter Rules.
  3. Click Add New Rule.
  4. Provide the appropriate information under General and DNS Hostname.
  5. Click Message.
  6. In the Message Type Pattern field, type the pattern to find.

    The message pattern varies by device type. For example, when a change is made to a Cisco router, a syslog message containing SYS-5-CONFIG_I: is sent. For more information about what messages are sent, see the documentation of your device.

  7. Click Alert Actions, and click Add New Action.
  8. Select Execute an External Program, and click OK.
  9. Type the following in the Program to Execute field:

    Path\Orion\SolarWinds.NCM.RTNForwarder.exe
    ${IP},RealtimeNotification,${DateTime},${Message}

    Where:

    Path

    The location of the Orion folder. If the path contains spaces, enclose the path section of the statement in quotation marks: "Path to executable".

    ${IP}

    The IP address of the triggering device.

    RealtimeNotification

    This text is displayed as the user name value. Currently, there is no means to parse the message text for the user name. This placeholder text is required if you include the Message variable.

    ${DateTime}

    The current date and time. This is equivalent to the Short Date and Short Time format defined in the Windows Control Panel.

    ${Message}

    The Syslog message in the real time detection notification. If your Syslog message contains the user making the change, the user name is included through the use of this variable.

    You must include the commas and, if including Message, you must include placeholder text in the second comma-delimited position and the DateTime variable.

  10. Click OK.
  11. Ensure the new rule is selected in the Alerts/Filter Rules tab of the Syslog Server Settings window, and click OK.
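
The following sketch is an added example, not SolarWinds code: it applies the SYS-5-CONFIG_I pattern from step 6 to constructed syslog lines, extracts the user name that the message text carries, and builds the comma-delimited argument string from step 9. The message layout after "Configured from", the date format, and all function names are assumptions of this example.

```python
import re
from datetime import datetime

# IOS change message named on this page; user, line and origin are optional.
CONFIG_I = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+)"
    r"(?: by (?P<user>\S+))?(?: on (?P<line>\S+))?(?: \((?P<origin>[^)]+)\))?"
)

def parse_config_change(message):
    """Return the fields of a SYS-5-CONFIG_I message, or None for anything else."""
    match = CONFIG_I.search(message)
    return match.groupdict() if match else None

def forwarder_args(ip, message, when):
    """Build ${IP},RealtimeNotification,${DateTime},${Message} as one string."""
    # The text comes off the network: drop control characters so the
    # argument stays on a single line (a choice made by this example).
    clean = "".join(ch for ch in message if ch.isprintable())
    stamp = when.strftime("%m/%d/%Y %H:%M")  # assumed short date/time layout
    return f"{ip},RealtimeNotification,{stamp},{clean}"

def triage(samples, when):
    """Return (ip, user, args) for each sample that reports a config change."""
    rows = []
    for ip, message in samples:
        fields = parse_config_change(message)
        if fields is None:
            continue  # not a change notification, so the rule would not fire
        rows.append((ip, fields["user"] or "unknown",
                     forwarder_args(ip, message, when)))
    return rows

# Constructed sample input: (source IP, message text) pairs.
SAMPLES = [
    ("10.199.3.10", "%SYS-5-CONFIG_I: Configured from console by alice on vty0 (10.199.3.77)"),
    ("10.199.3.11", "%SYS-5-CONFIG_I: Configured from console by console"),
    ("10.199.3.12", "%LINK-3-UPDOWN: Interface Gi0/1, changed state to up"),
]

if __name__ == "__main__":
    for row in triage(SAMPLES, datetime(2016, 10, 3, 13, 47)):
        print(row)
```
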

Devices that send change notifications using SolarWinds Kiwi Syslog Server

  1. Start the Kiwi Syslog Server Console in the SolarWinds Syslog Server Console program folder.
  2. Click File > Setup.
  3. Click Filter, and right-click New Filter to rename it.
  4. Select Field > Message Text and Filter Type > Simple, and type the message to include with a syslog notification.
  5. Right-click Actions, and rename New Action.
  6. In the Program File Name field, type Path\Orion\SolarWinds.NCM.RTNForwarder.exe.

    Where:

    Path

    The location of the Orion folder. If the path contains spaces, enclose the path section of the statement in quotation marks: "Path to executable".

  7. Add the string %MsgIPAddr,RTN,%MsgText to Command Line Options.
  8. Click Apply/OK.
  9. Ensure the appropriate filter and action are selected in Rules lists, and click OK.

Devices that send change notifications using SNMP trap messages

  1. Start the Trap Viewer in the SolarWinds Orion program folder.

    SolarWinds does not include a predefined rule with filters for trap messages since we strongly recommend using the syslog option instead. However, if you want to use trap messages for Real Time Change Detection, continue with these steps.

  2. Click View > Alerts/Filter Rules.
  3. Click Add Rule.
  4. Provide the appropriate information on the General and DNS Hostname tabs.
  5. Click Conditions, and click Add a Condition.
  6. Click SNMPv2-MIB:snmpTrapOID, and then browse to the MIB that contains the trap message.

    For example, browse to CISCO-CONFIG-MAN-MIB:ccmHistoryEventConfigDestination (1.3.6.1.4.1.9.9.43.1.1.6.1.5).

  7. Click the asterisk, and type the message pattern to match.

    For example, when a change is made to the running config, the HistoryEventMedium is 3. Changes to the startup config are designated by the integer 4.

  8. If you need to match on more than one condition, click Browse next to your last condition, and then click the appropriate conjunction: And or Or.

    Repeat steps 6 through 7 for as many conditions as you need to match. For example, along with the change history event value, consider matching the command source CISCO-CONFIG-MAN-MIB:ccmHistoryEventCommandSource (1.3.6.1.4.1.9.9.43.1.1.6.1.3) and selecting 1 (command line) or 2 (snmp) as the value. For more information about what messages are sent from your devices, see the documentation of your device.

  9. Click Alert Actions.
  10. Click Add Action.
  11. Select Execute an External Program, and click OK.
  12. Type the following in the Program to execute field: "Path\Orion\SolarWinds.NCM.RTNforwarder.exe" ${IP}.

    Where:

    Path

    The location of the Orion folder. If the path contains spaces, enclose the path section of the statement in quotation marks: "Path to executable".

    ${IP}

    The IP address of the triggering device.

  13. Click OK.
  14. Ensure the new rule is selected in the Alerts/Filter Rules tab of the Trap Server Settings window, and click OK.
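
An added example (not SolarWinds code) of the condition logic in steps 6 through 8, run over constructed trap varbinds: it matches the two CISCO-CONFIG-MAN-MIB columns named above regardless of the row index appended to them, and combines the conditions with And. The varbind representation as (OID, value) pairs and the function names are assumptions of this example.

```python
# Column OIDs and values as given on this page (CISCO-CONFIG-MAN-MIB).
CONFIG_DESTINATION = "1.3.6.1.4.1.9.9.43.1.1.6.1.5"  # 3 = running, 4 = startup
COMMAND_SOURCE = "1.3.6.1.4.1.9.9.43.1.1.6.1.3"      # 1 = command line, 2 = snmp

def column_value(varbinds, column):
    """Return the integer bound to `column`, whatever row index follows it."""
    prefix = column + "."
    for oid, value in varbinds:
        # Compare on a component boundary so ...6.1.5 never matches ...6.1.50.
        if oid == column or oid.startswith(prefix):
            return int(value)
    return None

def classify(varbinds):
    """And-ed conditions: destination is 3 or 4 AND command source is 1 or 2."""
    dest = column_value(varbinds, CONFIG_DESTINATION)
    src = column_value(varbinds, COMMAND_SOURCE)
    if dest not in (3, 4) or src not in (1, 2):
        return None  # rule does not fire
    return {
        "config": "running" if dest == 3 else "startup",
        "via": "command line" if src == 1 else "snmp",
    }

# Constructed sample traps: lists of (OID, value) varbinds with row index 27.
TRAP_RUNNING_CLI = [
    ("1.3.6.1.2.1.1.3.0", "123456"),
    (COMMAND_SOURCE + ".27", "1"),
    (CONFIG_DESTINATION + ".27", "3"),
]
TRAP_STARTUP_SNMP = [
    (COMMAND_SOURCE + ".28", "2"),
    (CONFIG_DESTINATION + ".28", "4"),
]
# Look-alike OID (...6.1.50) that a naive string-prefix match would accept.
TRAP_LOOKALIKE = [
    (COMMAND_SOURCE + ".29", "1"),
    ("1.3.6.1.4.1.9.9.43.1.1.6.1.50.29", "3"),
]

if __name__ == "__main__":
    for trap in (TRAP_RUNNING_CLI, TRAP_STARTUP_SNMP, TRAP_LOOKALIKE):
        print(classify(trap))
```
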

Devices that send change notifications to a system other than SolarWinds NCM

  1. Start your third-party Syslog or SNMP Trap receiver.
  2. Set up an alert that executes an external program.
  3. Type the following in the Program to execute field: "Path\Orion\SolarWinds.NCM.RTNforwarder.exe" ${IP}.

    Where:

    Path

    The location of the Orion folder. If the path contains spaces, enclose the path section of the statement in quotation marks: "Path to executable".

    ${IP}

    The IP address of the triggering device.

  4. Save the alert, and make sure it is enabled.

Step 3: Config changes

  1. Click Config Changes.
  2. Select Enable These Account Credentials to Access All NCM-managed Devices if you want to allow them to access all network devices managed in NCM.

    If the check box is disabled, then Device Login and User Account Credentials is set to Global Device Level on the Security resource, located at Settings > NCM Settings > Security. Click Security to change that setting if necessary.

  3. Select Include Syslog/Trap Message in NCM Email Notification if desired.
  4. Click Submit.

Step 4: Config downloads and notifications

  1. Click Config Downloads and Notification Settings.
  2. Under Previously Downloaded Config File, make a selection from Monitor This File Type.
  3. Under Baseline Config File, select the config file type against which you want to compare differences with the file downloaded as part of the RTCD operation.
  4. Select the relevant Email Notification Options.
  5. Enter the Sender Name, Subject, and To address information to be used in sending out RTCD email notifications. Reply Address is optional.
  6. Click Submit.

Step 5: Enter NCM SMTP server details

The email server settings you enter here will be used to send notifications regarding RTCD, config change approvals, and running jobs. For information on config change approvals, see Approval system for device configuration changes.

  1. Click NCM SMTP Server.
  2. Enter the fully qualified domain name (FQDN) or IP address of the mail server.
  3. Enter the port number on which the mail server handles messages.
  4. Select None or Password as the Authentication method.
  5. Enter a user name and password.
  6. Click Submit.

Step 6: Enable real time config change notifications

  1. Click Enable.
  2. Click Submit.

 

Last modified
13:47, 3 Oct 2016
