In this new world of Automation, we are more and more starting to trust external scripts and controllers to make changes on our network devices for us.

This is fine for our in-house Ansible scripts, but sometimes we want to see what an external controller, like DNA Center, is actually changing on our devices. We might want this information for later troubleshooting, or maybe even just out of curiosity for educational purposes.

The long way to verify what changes are made is to take a snapshot of our configurations before and after, and then run a diff or use a compare tool to look at the differences.

But there is an easier way to actually see what is being sent to your Cisco router or switch’s CLIs in real-time or in a log file.  Here are two EEM scripts that will accomplish this for us.

This first one will log all commands sent to the device to the console/syslog.  This is great for monitoring a couple of commands in real-time, but if your controller is sending a whole bunch of show or configuration commands, they can scroll off the screen pretty quickly and be hard to keep track of:

event manager applet catchall
event cli pattern ".*" sync no skip no
action 1 syslog msg "$_cli_msg"
end

Here’s an example of the output after configuring the script and enabling “terminal monitor”:

This enhanced script will open a file on your flash filesystem called “eem_logall.txt” and will log any commands to it for easier reading offline:

event manager applet catchall-log
event cli pattern ".*" sync no skip no
action 1.0 syslog msg "$_cli_msg"
action 2.0 file open FH flash:eem_logall.txt a+
action 2.1 file puts FH "$_event_pub_time $_cli_msg"
action 2.2 file close FH
end

Here’s a sample of the file that is written to flash:

Note: This isn’t a script that you necessarily want to have active at all times, as it can easily fill up the flash filesystem or overwhelm your logging console if there are a lot of show/configuration commands sent to the device.  For example, DNA Center will “Sync” your device every 25 minutes by default by issuing a large amount of show commands to it.

The quickest way to stop the EEM script when you are finished collecting your data, is to simply remove it, for example:

 

no event manager applet catchall
no event manager applet catchall-log