DETECTING CHANGES TO ROUTER CONFIGURATIONS


1. The class router is already configured to forward any of its own logging info
   to all NOC machines.  If you had your own router, it would be a relatively simple
   matter to do this yourself.  As an example here is an excerpt of what we 
   did to configure the class VYOS soft router.

vyos@vyos# show system syslog
 global {
     facility all {
         level notice
     }
     facility protocols {
         level debug
     }
 }
 host 10.X.2.1 {
     facility all {
         level info
     }
 }
....


    On your NOC machines do the following to monitor router log activity.

    sudo tail -f /var/log/auth.log

    while the instructor touches the router.

2.  Changes in router configuration should be rare and therefore an alert should
    be sent to the administrator any time this is done.

    We do this using swatch.

    Create a file swatch_authlog.conf and cut and paste below.

watchfor / vyos /
         mail=tldadmin@localhost,subject=Router Maintenance

     and then start swatch watching auth.log.

     sudo swatch -c swatch_authlog.conf --tail-file=/var/log/auth.log --daemon

     and read your email 

     mutt

3.  Now see what happens when the instructor touches the router.

    You certainly will want to play around with swatch configurations to optimize
    the conditions for sending you email as not all events are worthy of 
    notificiation and too many of them will end up being ignored.

    FYI: Everytime you modify swatch configurations you must restart it. Use:
    
    ps ax | grep swatch

    to find out the process ids for the processes you must kill 

    sudo kill pid-number(s)

    and restart.