I used to work at a place where there were many network outages caused by network engineers doing poorly planned maintenance. There was a change-management process, but it was so onerous that people tried to get around it (also, most of the engineers figured that none of their changes could possibly cause an outage). Things got so bad that we had to run a daily report against the TACACS logs to look for mavericks (and to try and figure out who decided that "ip classful" or OSPF virtual links or ... was a good idea).
This icky piece of Perl generates reports from TACACS+ logs -- I think that it only works correctly from Cisco and lookalikes (e.g. Foundry); Juniper accounting log formats are somewhat different. I cannot share that as I wrote it while employed by my current employer, but the changes are trivial.
#!/usr/bin/perl
use IO::Socket;    # re-exports inet_aton() and AF_INET from Socket

# Read TACACS+ accounting log lines from STDIN or from files named on the command line.
while (<>) {
    ($datetime, $device, $name, $cmd) = (split (/\t/))[0,1,2,11];
    # Ignore "sho running config" and "ping" if done by monitoring
    # Change this to be whatever user you use for monitoring.
    unless (($name =~ /monitoring/)&&(($cmd =~ /ping/)||($cmd =~ /running-con/)||($cmd =~ /terminal leng/))) {
        if ($cmd =~ /cmd/) {
            $cmd =~ s/cmd=//; # Take out the annoying "cmd="
            $cmd =~ s/<cr>//; # and the <cr>
            chomp ($cmd);
            $machine = gethostbyaddr(inet_aton($device), AF_INET);
            unless ($machine) { $machine = $device; } # If cannot look up name, $machine gets the IP
            $machine =~ s/\.example\.com//; # Fill in your domain here.
            write;
        }
    }
}

# Example log line:
#Fri Jan 17 16:32:18 2003 core1.example.com: wkumari did show running-config

# Report layout: one row per command (the closing "." must stay in column 1).
format STDOUT =
@<<<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$datetime, $name, $machine, $cmd
.

# Page header, printed at the top of every page.
format STDOUT_TOP =
Page @<<<<
$%
Date and Time             User            Device                           Command
========================= =============== ================================ ========================================
.
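
An added example, not part of the original post or its script, written in Python rather than the post's Perl: it reads the same tab-separated fields (0, 1, 2 and 11) and lists only the commands that look like configuration changes made outside an approved change window, grouped by user and device. The 01:00-05:00 window, the list of read-only verbs, the filler fields and the sample records are all assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: commands starting with these verbs do not change configuration.
READ_ONLY = re.compile(r"^(show|ping|traceroute|terminal|exit|end)\b")
WINDOW = (1, 5)  # Assumption: approved changes happen 01:00-04:59 local time.

def parse(line):
    """Return (when, device, user, cmd) or None for lines we cannot use."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 12 or not f[11].startswith("cmd="):
        return None
    try:
        when = datetime.strptime(f[0], "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return when, f[1], f[2], f[11][4:].replace("<cr>", "").strip()

def unplanned_changes(lines, window=WINDOW):
    """Group non-read-only commands issued outside the window by (user, device)."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        when, device, user, cmd = rec
        if READ_ONLY.match(cmd) or window[0] <= when.hour < window[1]:
            continue
        hits[(user, device)].append((when.strftime("%Y-%m-%d %H:%M:%S"), cmd))
    return dict(hits)

def sample_line(ts, device, user, cmd):
    # Constructed record: fields 3-10 are filler so that cmd lands in field 11.
    filler = ["tty1", "198.51.100.7", "stop", "task_id=1", "timezone=UTC",
              "service=shell", "start_time=0", "priv-lvl=15"]
    return "\t".join([ts, device, user, *filler, f"cmd={cmd} <cr>"])

SAMPLE = [  # constructed log lines, not real data
    sample_line("Fri Jan 17 02:10:05 2003", "192.0.2.1", "wkumari", "configure terminal"),
    sample_line("Fri Jan 17 02:11:40 2003", "192.0.2.1", "wkumari", "router ospf 1"),
    sample_line("Fri Jan 17 14:00:00 2003", "192.0.2.2", "monitoring", "show running-config"),
    sample_line("Fri Jan 17 14:32:18 2003", "192.0.2.2", "jdoe", "configure terminal"),
    sample_line("Fri Jan 17 14:33:02 2003", "192.0.2.2", "jdoe", "area 1 virtual-link 192.0.2.9"),
    "truncated line without enough fields",
]

if __name__ == "__main__":
    for (user, device), cmds in unplanned_changes(SAMPLE).items():
        for when, cmd in cmds:
            print(f"{when}  {user:<12} {device:<15} {cmd}")
```

Matching on the leading verb is deliberately coarse: anything not known to be read-only is reported, so new or unusual commands show up for review rather than being silently dropped.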