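#
# (c) NetYCE, 2020
#
# yce_events configuration to detect configuration changes
# from network devices syslog messages
#
# Data flow in this file: each vendor rule matches a syslog line, captures the
# reporting node as $1 and raises the internal event "config_changed_for_$1".
# The worker rule at the bottom matches that event and hands $1 to yce_nccm.
#
# NOTE(review): $1 is taken from syslog message text, which is written by the
# sending device (or by anything able to deliver syslog to this collector).
# Treat it as untrusted input in every consumer of the event.
#
#------------------------------------------------------------
# Program options
#------------------------------------------------------------
#
# detach/user/group/pid/input/log are the daemon's startup settings; the rules
# below are evaluated against the file named by input=.
# NOTE(review): presumably the daemon drops to user yce / group nms - confirm
# that this account can read input= but that devices cannot write log= or pid=.
#
type=StartupOptions
detach=yes
user=yce
group=nms
pid=/var/opt/yce/jobs/yce_events.pid
input=/var/opt/yce/logs/syslog-ng.log
log=/var/opt/yce/logs/yce_events.log
#
#
#------------------------------------------------------------
# Vendor Patterns
#------------------------------------------------------------
#
# Every rule uses type=SingleWithSuppress with window=600 and a desc that
# contains $1, so (presumably, as in SEC's rule type of the same name - confirm)
# repeated saves from the same node are suppressed for the window.
#
# NOTE(review): rules that capture the node with (.*) can capture text with
# embedded spaces; the worker pattern config_changed_for_(\S+) then only sees
# the first token. Prefer a capture limited to hostname/IP characters when a
# rule is reworked.
#
# Juniper
#
type=SingleWithSuppress
ptype=RegExp
pattern=.*\s(.*)\smgd\[\d+\]:\sUI_COMMIT_PROGRESS:(.*)commit\scomplete
desc=config save for $1
action=event config_changed_for_$1
window=600
#
# F5 BIGIP (still in development mode)
#
# Sample output for a config change:
# Jul 29 16:12:40 f5.netyce.org debug mcpd[4487]: Setting the master key from memory.
# Jul 29 16:12:40 f5.netyce.org debug mcpd[4487]: save_master_key(7) called
# Jul 29 16:12:40 f5.netyce.org debug mcpd[4487]: Saving the new version of Master key file.
# Jul 29 16:12:40 f5.netyce.org debug mcpd[4487]: Wrote the new version of Master key file.
# Jul 29 16:12:40 f5.netyce.org debug mcpd[4487]: Wrote the new version of Recovery key file.
# Jul 29 16:12:40 f5.netyce.org debug mcpd[4487]: notify_master_key: notification sent.
# Jul 29 16:12:41 f5.netyce.org notice tmsh[10999]: 01420002:5: AUDIT - pid=10999 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=save /sys config
#
# Only the final AUDIT line is matched; $1 is the hostname field after the timestamp.
#
type=SingleWithSuppress
ptype=RegExp
pattern=[\w]{3} [\d]{1,2} [\S]{8} (\S*) notice [\w]+\[\d+\]: .* AUDIT - .* status=\[Command OK\] cmd_data=save .* config
desc=config save for $1
action=event config_changed_for_$1
window=600
#
# HP_C7 normal save or save main
#
# (disabled rule; month class corrected from [a-zA-z] to [a-zA-Z] so the typo
# is not reintroduced if it is re-enabled)
#
#type=SingleWithSuppress
#ptype=RegExp
#pattern=[a-zA-Z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s.*\sOriginal\sAddress=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s[a-zA-Z]{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\d+.*%%10CFGMAN/5/CFGMAN_CFGCHANGED
#desc=config save for $1
#action=event config_changed_for_$1
#window=600
#
# HP_C7 normal save main force or save force
#
type=SingleWithSuppress
ptype=RegExp
pattern=[a-zA-Z]{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(.*)\s%%10SHELL\/6\/SHELL_CMD:\s.*Command\sis\ssave\s
desc=config save for $1
action=event config_changed_for_$1
window=600
#
# Arista_EOS
#
type=SingleWithSuppress
ptype=RegExp
pattern=[a-zA-Z]{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(.*)\sConfigAgent:\s%SYS-5-CONFIG_STARTUP:\sStartup\sconfig\ssaved
desc=config save for $1
action=event config_changed_for_$1
window=600
#
# Cisco_Nexus
#
# The separator class was [\s|=]; inside a character class "|" is a literal
# pipe, not alternation, so it is written as [\s=] (whitespace or "=").
#
type=SingleWithSuppress
ptype=RegExp
pattern=[a-zA-Z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s.*\sOriginal\sAddress[\s=](\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*:.*:\s*\%VSHD-5-VSHD_SYSLOG_CONFIG_I:\sConfigured\sfrom
desc=config save for $1
action=event config_changed_for_$1
window=600
#
# Cisco_IOS
#
# Separator class written as [\s=] for the same reason as in the Cisco_Nexus rule.
#
type=SingleWithSuppress
ptype=RegExp
pattern=[a-zA-Z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s.*\sOriginal\sAddress[\s=](\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s\d+:.*%SYS-5-CONFIG_I:\sConfigured
desc=config save for $1
action=event config_changed_for_$1
window=600
#
# Cisco_XR
#
# Month class corrected from [a-zA-z] to [a-zA-Z]; the A-z range also admitted
# the characters [ \ ] ^ _ and the backtick.
#
type=SingleWithSuppress
ptype=RegExp
pattern=[a-zA-Z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s.*\sOriginal\sAddress=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s[a-zA-Z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}.\d{3}\s[A-Z]{3}:\s+\d+:\sRP\/\d\/RSP\d\/CPU\d:[a-zA-Z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}.\d{3}\s[A-Z]{3}:\sconfig\[\d+\]:\s%MGBL-SYS-5-CONFIG_I\s:\sConfigured
desc=config save for $1
action=event config_changed_for_$1
window=600
#
# HP_C5 normal save, save main, save main force or save force
#
# Month class corrected from [a-zA-z] to [a-zA-Z] (see Cisco_XR).
#
type=SingleWithSuppress
ptype=RegExp
pattern=[a-zA-Z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s.*\sOriginal\sAddress=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s[a-zA-Z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\d+.*%%10CFGMAN/5/CFGMAN_CFGCHANGED
desc=config save for $1
action=event config_changed_for_$1
window=600
#
# HP_C5 different timestamp
#
type=SingleWithSuppress
ptype=RegExp
pattern=[a-zA-Z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s.*\sOriginal\sAddress=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.*\s%%10CFGMAN/5/CFGMAN_CFGCHANGED
desc=config save for $1
action=event config_changed_for_$1
window=600
#
#
# Avaya_ERS save
#
# The address is wrapped in an outer group (same form as the CI_6 rule) so that
# $1 is the full IPv4 address. With four separate octet groups $1 was only the
# first octet, so unrelated nodes shared one event name and one suppress window.
#
type=SingleWithSuppress
ptype=RegExp
pattern=[a-zA-Z]{3}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))\s\d{2}:\d{2}:\d{2}:\d{2}\s(.*)\s:Trap:\s\sbsnConfigurationSavedToNvram
desc=config save for $1
action=event config_changed_for_$1
window=600
#
# CI_6 save configuration
#
# $1 is the first (outer) address group.
#
type=SingleWithSuppress
ptype=RegExp
pattern=[a-zA-Z]{3}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))\s\[[a-z]{5}\]\s((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))\s([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})\s\d{4}\sCONFIG-5-CONFIG_SAVE:
desc=config save for $1
action=event config_changed_for_$1
window=600
#
#------------------------------------------------------------
# External worker script
#------------------------------------------------------------
#
# NOTE(review): if this rule is re-enabled, $1 is substituted into a command
# line and (\S+) accepts any non-space character, including shell
# metacharacters. Whether yce_events runs script= through a shell is not
# visible here - confirm, and in either case restrict the capture to
# hostname/IP characters and have config_change.pl validate its -n argument.
#
#type=SingleWithScript
#ptype=RegExp
#pattern=config_changed_for_(\S+)
#script=/opt/yce/bin/config_change.pl -l -d 2 -n $1
#desc=$0
#action=write - normal save OR save main node $1 matches.
#
#------------------------------------------------------------
# Internal worker script
#------------------------------------------------------------
#
# Consumes the events raised by the vendor rules and passes the node name to
# the yce_nccm sub as its argument.
# NOTE(review): yce_nccm is not visible in this file; it should validate arg
# (known node name or IP address) before using it in lookups or commands.
#
type=SingleWithSub
ptype=RegExp
pattern=config_changed_for_(\S+)
sub=yce_nccm
arg=$1
desc=$0
action=write - normal save OR save main node $1 matches.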