KB ID 0001332
Problem
Before on Part One we setup our RANCID and ViewVC server ready to start backing up our devices, now we will look at adding the devices, and automating the backup process.
Solution
To add a Cisco device you need to do TWO things*. Firstly you need to add and entry in the ‘router.db‘ file that lives in the ‘Group’ folder you created back in part one. Secondly you need to add the access details, you do this in the ‘.cloginrc‘ file.
*Note: There’s really three things, but we have already setup the rancid.conf file and created the groups.
I’m going to add my Cisco ASA firewall to the router.db file thats in the Firewalls group.
[box]
nano /usr/local/rancid/var/Firewalls/router.db
[/box]
You enter devices in the following format;
{ip-or-hostname};cisco;up
OR
{ip-or-hostname};cisco;up; LOCATION: {Your test here}
Note: If you have a device that goes down for maintenance, or is retired but you want to retain its config you change the keyword up to down and Rancid wont try and back it up.
REMEMBER: I have Firewalls and a Switches (Groups) created, so I will add in my switch into the Switches router.db file exactly the same as I did above;
For the system to access the remote devices, it needs to know how to gain access, (method}, and a username and password, these are setup in the .cloginrc file. This is the file Rancid uses for Cisco devices if you look in the folder that the file lives in, you will see other login files for other vendors.
[box]
nano /home/rancid/.cloginrc
[/box]
Adding Cisco Device Logins
You will notice (screenshot above, and text below) I’ve used two different methods, the reason I have done this is because the first item (the device on 192.168.100.119) is a Cisco IOS device (it’s actually a CSR1000,) and when I logon as the rancid-user I am ‘automatically’ logged on in enable mode. Cisco ASA Firewalls (like the second entry) only very recently had the ‘auto-enable’ feature added to them (version 9.2(1)) so for older models, you have to login, and then go to enable mode, and then enter a second password. This is why the second entry has two passwords, usually they are the same, but if a specific enable password has been set on the firewall they will NOT be.
[box]
Cisco Router / Switch Example # You can enter some sensible text here to define the device below add user {ip-or-hostname} {username} add password {ip-or-hostname} {password} add method {ip-or-hostname} {ssh or telnet} add autoenable {ip-or-hostname} 1 # Cisco ASA Firewall Example # You can enter some sensible text here to define the device below add user {ip-or-hostname} {username} add password {ip-or-hostname} {password} {enable-password} add method {ip-or-hostname} {ssh or telnet} # [/box]
Now we are pretty much setup, you can test your configuration by running the following command;
[box]
/usr/local/rancid/bin/rancid-run
[/box]
It wont return any output but if you browse to your ViewVC total you ‘should’ now see the configs have been added;
Troubleshooting Rancid
If you do a test run and it appears nothing has happened then you can look at the logs to see what went wrong.
[box]
cd /usr/local/rancid/var/logs/
ls
nano {log-name}
[/box]
Usually it will give you an error that will point you in the right direction, if the file is completely empty, (i.e. a start time and and end time and nothing else). This usually indicates an error in the router.db file.
Scheduling Rancid Backups
This is done with crontab, which means we need to edit it with vi (I don’t like vi either, see the following article for a 2 minute crash course).
Using the VI Editor (For Windows Types)
Crontab Timing Format
This can also get a bit confusing, to simplify things see the table below,
Requirement | Entry/String |
Run once a year | 0 0 1 1 * |
Run once a month | 0 0 1 * * |
Run once a week | 0 0 * * 0 |
Run once a day | 0 0 * * * |
Run once an hour | 0 * * * * |
Note For ‘Human’ time you can specify minutes and hours e.g. 59 23 * * * means run every day at 59 minutes past 11.
So to schedule the Rancid job you first need to logon (or su to) the rancid user. And setup the crontab file using vi.
[box]
su rancid crontab -e
[/box]
If you read my link above you will know how to edit in VI
[box]
# #Rancid Config File # # 0 0 * * * /usr/local/rancid/bin/rancid-run # # 59 23 * * * /usr/bin/find /usr/local/rancid/var/logs -type f -mtime +30 -exec rm -rf {} \; #
[/box]
You can check the crontab config at anytime with the following command
[box]
crontab -i
[/box]
Related Articles, References, Credits, or External Links
NA
To check crontab file:
crontab -l
Not crontab -i
Hello,
I have configured RANCID & getting the mikrotik,Cisco router’s changes log successfully. But i am unable to found which users are doing the changes. For example if i have 10 users in one of my mikrotik router, i want to see which users did router’s any changes. Is it possible to get the individual users log in RANCID.
I’m not sure about mikrotik, but I know with cisco there is at least one syslog message that reports any commands executed (this includes basic show commands, but also includes any config changes)…
You can configure these events to trigger an email alert from the device(s), but you may also want to have a syslog server running somewhere as well which could do similar functionality (not a bad idea if you’re already doing rancid) – on an ASA the id is 111009, this may vary on other systems
My crontab file is there but it is not running. Created under user Rancid as suggested. Any ideas?
[root@rancid ~]# su rancid
[rancid@rancid root]$ crontab -l
#
#Rancid Config File
#
#Run Rancid Every Day (@Midnight)
0 0 * * * /usr/local/rancid/bin/rancid-run
#
#Clear Log files older than 30 days
59 23 * * * /usr/bin/find /usr/local/rancid/var/logs -type f -mtime +30 -exec rm -rf {} \;
#
[rancid@rancid root]$
I am receiving email notifications for my switches and routers but i am not receiving any email for cisco asa firewall changes. I have added firewall credentials and tested rancid can login to firewall successfully.