Submit a ticketCall us

Get a crash course on Network Monitoring delivered right to your inbox
This free 7-day email course provides a primer to the philosophy, theory, and fundamental concepts involved in IT monitoring. Lessons will explain not only how to perform various monitoring tasks, but why and when you should use them. Sign up now.

Home > Success Center > Network Configuration Manager (NCM) > NCM Real Time Change Notification

NCM Real Time Change Notification

Created by Seamus.Enright, last modified by Norbert Skurzewski on Jul 31, 2017

Views: 374 Votes: 5 Revisions: 11

Overview

Network devices can be configured to send a Syslog message or a Trap message when the configuration on the device changes. If the device has been set up to send such message to NCM upon a change, then you can build a rule in NCM to download the configuration, and check it against the existing saved startup or running configuration. For RTCN (Real-Time Change Notification), running configurations are compared to running configurations and startup is compared to startup only - NCM will not compare one type of configuration with a different type for this purpose.

Environment

  • NCM any version

Steps

Setting up RTCN

Take the following steps on your NCM server to set up RTCN to test it out. You may need to use a syslog/trap message spoof in order to generate the initial syslog/trap message, to allow this to work, as devices in the Austin lab will not be able to send syslog/trap messages to VMs located in other GEO(s), due to firewalls placed on the WAN links. Full setup details are available in the Admin guide.

  1. Configure the device to send syslog or trap messages upon configuration change. To do this, check the vendor documentation. You may also want to set 'no logging' for logins from the NCM server on the device(s), particularly if NCM must open config mode in order to display the device configuration. Setting 'no logging' will ensure that changes made by the NCM server directly don't trigger RTCN.

  2. On the NCM Web Console, open Settings -> NCM Settings > Configure Real-Time Change Detection. This wizard will guide you through the RTCN setup process.

    1. Create a rule in Syslog Viewer, or in Trap Viewer to match the syslog or trap messages generated by this device upon a config change. The rule MUST execute the following program:

      "C:\Program Files\SolarWinds\Orion\SolarWinds.NCM.RTNforwarder.exe" ${IP}

 

Make sure you are specifying the path using local file system (LFS), such as C:\File. 
Uniform naming convention (UNC), such as \\Server\Volume\File or / <internet resource name>[\Directory name] will not work with the Real-time Change Notification.


The ${IP} macro will be filled out by the Syslog or Trap viewer at execution time, to pass the IP Address of the device that sent that syslog or trap message.

  1. You'll need to enter additional information into this wizard, including the credentials that should be used to log into the device, and the download, baseline config, and email notification settings. Please take note Syslog message are case sensitive.

 

Troubleshooting RTCN

RTCN is made up of a number of different components. To troubleshoot why RTCN is not working, you need to troubleshoot each of these components, to find which link in the chain is broken.Capture.JPG

Make sure that UAC is set to a low setting or disabled, when RTN Forwarder is executed UAC will prompt for it and will not launch the application.

To test the UAC, launch Command Prompt as Administrator, and navigate to the RTN Forward executable, by default it is located at C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.NCM.RTNForwarder.exe (target IP address of device):

If a prompt comes up, then disable UAC on the server and test again.

 

Other issues could be the Regular Expressions for any of the configuration of the Rule, this can be tested by adding the Windows Event Log:

 

Log Files:

Log File
Details
Device logs Some devices can log to console to confirm they have sent a trap or syslog message upon config change
Wireshark trace Confirm the Trap/Syslog message has been received by the NCM server
Syslog / Traps View Syslogs / Traps from the web console to confirm the syslog / trap has arrived, and confirm the format of the syslog / trap message matches what is being looked for in the Alert Action
Session Trace Confirm that RTNforwarder is successfully downloading a config from the device
Real-Time Change Detection Logs Enabled from the web console (Under NCM Settings -> Advanced Settings). Logs change events, notification success or failure, and device connectivity

 

Last modified
08:44, 31 Jul 2017

Tags

Classifications

Public