Hi,
The sample of the log message is below:
02374: Dec 9 15:13:54.569 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser
logged command:interface GigabitEthernet9/1.2013
002375: Dec 9 15:13:54.645 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser
logged command:description GigabitEthernet9/1.2013 dot1q vlan id=2013. By
VPNSC: Job Id# = 20321 (3032121_Customer1_Ref_Vienna_Data)
002376: Dec 9 15:13:54.681 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser
logged command:encapsulation dot1Q 2013
002377: Dec 9 15:13:54.717 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser
logged command:ip vrf forwarding Cust-VPN-sfs2
002378: Dec 9 15:13:54.765 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser
logged command:ip address 10.10.10.1 255.255.255.252
002379: Dec 9 15:13:54.801 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser
logged command:no shutdown
002392: Dec 9 15:13:55.233 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser
logged command:interface GigabitEthernet9/1.2013
002393: Dec 9 15:13:55.253 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser
logged command:bandwidth 2048
002394: Dec 9 15:13:55.297 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser
logged command:service-policy input 2M_Voice_in
002395: Dec 9 15:13:55.329 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser
logged command:service-policy output 2M_Voice_out
002396: Dec 9 15:13:55.361 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser
logged command:ip access-group ITS_Voice in
002397: Dec 9 15:13:55.377 BG: %SYS-5-CONFIG_I: Configured from console by
adminuser on vty2 (10.192.21.13)
Some details for the RANCID itself:
1) the poll of the devices is made by the command:
/usr/local/rancid/bin/rancid-run -r $device_name
2) Every version of configuration in RANCID is made with the relevant comment.
I modified this comment and added another variable "EXECUTOR". This
part is working. Now I additionally need to add the variables
"SOURCE_IP" and "JOB_ID". I am using SEC to parse the log and to
generate these global variables, which are used by RANCID. The whole
point is to be able to parse them with the specific requirement in the
initial post, and this should be done in the described sequence with the
described interval.
I was wondering whether the goal can be achieved via CONTEXTs or
another SEC technique.
BR,
Georgi
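As an added example (not from Georgi's post, SEC or RANCID), the two rules from the thread worked out in Python over constructed sample lines: rule 1 pairs a description change carrying a Job Id with a SYS-5-CONFIG_I from the same device and user within 5 minutes, and rule 2 still triggers a poll on CONFIG_I alone. The sample prepends a hypothetical device name (rtr-vienna-pe1) to the messages above because the rules key on the device; note that in the posted sample the description was logged by iscuser but CONFIG_I by adminuser, so rule 1 does not apply and no JOB_ID is attached.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the thread's messages with a device name prepended, in the
# hypothetical layout "<device> <seq>: <timestamp> BG: <message>".
SAMPLE = """\
rtr-vienna-pe1 002375: Dec 9 15:13:54.645 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser logged command:description GigabitEthernet9/1.2013 dot1q vlan id=2013. By VPNSC: Job Id# = 20321 (3032121_Customer1_Ref_Vienna_Data)
rtr-vienna-pe1 002397: Dec 9 15:13:55.377 BG: %SYS-5-CONFIG_I: Configured from console by adminuser on vty2 (10.192.21.13)
rtr-vienna-pe1 002410: Dec 9 15:20:00.000 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser logged command:description GigabitEthernet9/1.2014 dot1q vlan id=2014. By VPNSC: Job Id# = 20322 (constructed)
rtr-vienna-pe1 002420: Dec 9 15:21:10.000 BG: %SYS-5-CONFIG_I: Configured from console by iscuser on vty3 (10.192.21.13)
rtr-vienna-pe1 002430: Dec 9 15:30:00.000 BG: %PARSER-5-CFGLOG_LOGGEDCMD: User:iscuser logged command:description GigabitEthernet9/1.2015 dot1q vlan id=2015. By VPNSC: Job Id# = 20323 (constructed)
rtr-vienna-pe1 002440: Dec 9 15:36:00.000 BG: %SYS-5-CONFIG_I: Configured from console by iscuser on vty3 (10.192.21.13)
"""

HEADER = r"^(?P<dev>\S+) \d+: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \w+: "
DESC_RE = re.compile(HEADER + r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\w+) "
                     r"logged command:description .*Job Id# = (?P<job>\d+)")
CFG_RE = re.compile(HEADER + r"%SYS-5-CONFIG_I: Configured from \w+ by (?P<user>\w+) "
                    r"on vty\d+ \((?P<ip>\d+\.\d+\.\d+\.\d+)\)")
WINDOW = timedelta(minutes=5)  # the 5 min interval from the thread


def parse_ts(text):
    # Cisco timestamps carry no year; only the difference between two matters.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S.%f")


class Correlator:
    """Pairs a description change with the CONFIG_I of the same device and user."""
    def __init__(self):
        self.pending = {}  # (device, user) -> (timestamp, job_id)

    def feed(self, line):
        m = DESC_RE.match(line)
        if m:  # rule 1, first half: remember the change ID for this device/user
            self.pending[(m["dev"], m["user"])] = (parse_ts(m["ts"]), m["job"])
            return None
        m = CFG_RE.match(line)
        if not m:
            return None
        job_id = None
        seen = self.pending.pop((m["dev"], m["user"]), None)
        if seen and parse_ts(m["ts"]) - seen[0] <= WINDOW:
            job_id = seen[1]  # inside the window: attach the change ID
        # Rule 2: CONFIG_I always triggers a poll; JOB_ID stays None if rule 1 failed.
        return {"device": m["dev"], "EXECUTOR": m["user"],
                "SOURCE_IP": m["ip"], "JOB_ID": job_id}


def run_sample():
    # One correlator over the constructed lines; each dict is one poll to run.
    c = Correlator()
    return [r for r in map(c.feed, SAMPLE.splitlines()) if r]
```

Each returned dict holds exactly the three values the thread wants to hand to rancid-run as EXECUTOR, SOURCE_IP and JOB_ID; the third CONFIG_I arrives six minutes after its description, so its JOB_ID is dropped as expired.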
2014-01-29 Risto Vaarandi <[email protected]>
> hi Georgi,
> can you post the actual log messages and describe how exactly they
> should be handled? Since most people in the list are probably not
> familiar with RANCID, it is quite hard to grasp what events should be
> processed and how the processing should be done.
> regards,
> risto
>
> 2014-01-29 George Lakovski <[email protected]>:
> >
> >
> > Hi,
> > I need some help for the work of RANCID with SEC.pl.
> >
> > I need to achieve the following functionality observing the syslog of
> > Cisco devices.
> >
> > 1) look for a description of an interface that matches a specific pattern. If
> > there is a match, check whether there is a "SYS-5-CONFIG_I" message in the
> > log and initiate a new poll of the specific device that reported the messages.
> > The log message for the description of an interface and the write config should
> > be for the same device and user and within a 5 min interval. Otherwise nothing
> > should be done.
> >
> > 2) if the above conditions are not met as described, poll the device only
> > by a "SYS-5-CONFIG_I" message
> >
> > All this is with the idea to match a specific "change ID", coded in the
> > description, and to pass it together with the user who made the change to
> > RANCID. This data will appear in the logs of RANCID as global variables
> > passed to RANCID in the "bin/control_rancid" file to the
> >
> > "if [ "X$device" != "X" ] ; then
> > $RCSSYS commit -m "$EXECUTOR via $SOURCE_IP due to JOB_ID updated
> > $mailrcpt"
> > subject="$GROUP/$device $subject"
> > else
> > $RCSSYS commit -m "$EXECUTOR via $SOURCE_IP due to JOB_ID update"
> > subject="$GROUP $subject"
> > fi"
> >
> > section.
> >
> > I imagine it to something like the following, but I can't make it work.
> >
> > # in case of change to an interface description combined with write config
> >
> > type=Pair
> > ptype=RegExp
> > pattern=\S (\w+-\w+-\w+\d) .*%PARSER-5-CFGLOG_LOGGEDCMD.* User:(\w+) logged command:description.*Job Id# = (\d+) .*
> > desc=This is the description of the changed interface
> > action=eval %TEST1 ( $ENV {'JOB_ID'}="$3" )
> > ptype2=RegExp
> > pattern2=\S $1 .*SYS-5-CONFIG_I.* by $2 on vty\d+ \((\d+\.\d+\.\d+\.\d+)\)
> > desc2=Please verify. There is a change in the config of $1 by $2
> > action2=eval %TEST2 ( $ENV {'EXECUTOR'}="$2" );\
> > eval %TEST3 ( $ENV {'SOURCE_IP'}="$3" );\
> > shellcmd /usr/local/rancid/bin/rancid-run -r $1
> > window=1800
> >
> >
> > # in case there is no change of description, only changes not related to
> > interface description
> >
> > type=Single
> > ptype=RegExp
> > pattern=\S (\w+-\w+-\w+\d) .*SYS-5-CONFIG_I.* by (\w+) on vty\d+ \((\d+\.\d+\.\d+\.\d+)\)
> > desc=Please verify. There is a change in the config of $1 by $2
> > action=eval %TEST2 ( $ENV {'EXECUTOR'}="$2" );\
> > eval %TEST3 ( $ENV {'SOURCE_IP'}="$3" );\
> > shellcmd /usr/local/rancid/bin/rancid-run -r $1
> > window=1800
> >
> > Probably the first part may be done with CONTEXTs....
> > Any ideas? I will appreciate any help how to accomplish my ideas.
> >
> > BR,
> > Georgi
> >
> >
> >
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users