I just came across this list of commands to capture the state of a Cisco router. I wanted to capture this and maybe inspire someone to build an application for Splunk. It would be interesting to build a set of expect scripts that go out and capture this information into Splunk. You can then use the information for forensics, but also for change management. By building alerts you could even alert on unauthorized or potentially malicious changes. If you are interested in building an application, let me know. I'd be happy to help.
show clock detail
show version
show running-config
show startup-config
show reload
show users
show who
show log
show debug
show stack
show context
show tech-support
show processes
show processes cpu
show processes memory
content of bootflash
show ip route
show ip ospf
show ip ospf summary
show ip ospf neighbors
show ip bgp summary
show cdp neighbors
show ip arp
show interfaces
show ip interfaces
show tcp brief all
show ip sockets
show ip nat translations verbose
show ip cache flow
show ip cef
show snmp
show snmp user
show snmp group
show snmp sessions
show file descriptors
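To make the change-management idea concrete, here is an added example (mine, not code from the original post or from Splunk) of the collection and alerting side: it runs a subset of the show commands above through an injectable command runner, diffs two captures command by command, ignores outputs that change on every run (the clock, logged-in users), and renders each real difference as a key=value line that Splunk can field-extract and alert on. The runner is assumed to be non-interactive (commands sent straight over SSH rather than an Expect dialogue); the demo uses constructed sample output so it runs offline, and the `<hash-placeholder>` strings stand in for real secret hashes.

```python
"""Capture a Cisco router's 'show' state and turn differences between
captures into Splunk-friendly change events.

Added example; not code from the original post or from Splunk. It assumes a
non-interactive command runner (e.g. commands sent over SSH). The runner is
injected, so the demo below uses constructed sample output and runs offline.
"""
import difflib
import time
from typing import Callable, Dict, List

# A subset of the show commands listed in the post.
COMMANDS = ["show clock detail", "show running-config", "show users", "show snmp user"]

# Outputs that differ on every capture and must not raise change alerts.
VOLATILE = ("show clock detail", "show users")

Runner = Callable[[str], str]  # command text -> command output


def capture_state(runner: Runner, commands: List[str] = COMMANDS) -> Dict[str, str]:
    """Run every show command through the runner; return {command: output}."""
    return {cmd: runner(cmd) for cmd in commands}


def diff_snapshots(old: Dict[str, str], new: Dict[str, str],
                   volatile=VOLATILE) -> List[dict]:
    """One change record per non-volatile command whose output differs.

    Each record lists the lines that appeared and the lines that vanished,
    which is what an analyst wants in an alert (a new username, a dropped
    access-group, a changed SNMP user)."""
    events = []
    for cmd in new:
        if cmd in volatile:
            continue
        before, after = old.get(cmd, ""), new[cmd]
        if before == after:
            continue
        delta = list(difflib.ndiff(before.splitlines(), after.splitlines()))
        events.append({
            "command": cmd,
            "added": [line[2:] for line in delta if line.startswith("+ ")],
            "removed": [line[2:] for line in delta if line.startswith("- ")],
        })
    return events


def to_splunk_event(host: str, event: dict, ts: float = None) -> str:
    """Render one change record as a key=value line for Splunk's field extraction."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))

    def q(value: str) -> str:  # quote and escape a value for key="value"
        return '"' + value.replace('"', '\\"') + '"'

    return " ".join([
        f"time={stamp}", f"host={host}", f"command={q(event['command'])}",
        f"added={len(event['added'])}", f"removed={len(event['removed'])}",
        f"added_lines={q(' | '.join(event['added']))}",
        f"removed_lines={q(' | '.join(event['removed']))}",
    ])


# ---- constructed sample data (not real device output) ----------------------
_BASE_CONFIG = "\n".join([
    "hostname rtr1",
    "username admin privilege 15 secret 5 <hash-placeholder>",
    "interface GigabitEthernet0/0",
    " ip access-group 101 in",
    "line vty 0 4",
    " transport input ssh",
])
# Second capture: an extra privilege-15 user appeared and the inbound ACL vanished.
_NEW_CONFIG = "\n".join([
    "hostname rtr1",
    "username admin privilege 15 secret 5 <hash-placeholder>",
    "username extra privilege 15 secret 5 <hash-placeholder>",
    "interface GigabitEthernet0/0",
    "line vty 0 4",
    " transport input ssh",
])
BASELINE = {"show clock detail": "10:00:00.000 UTC Mon Dec 8 2008",
            "show running-config": _BASE_CONFIG, "show snmp user": "User name: monitor"}
SECOND = {"show clock detail": "11:00:00.000 UTC Mon Dec 8 2008",
          "show running-config": _NEW_CONFIG, "show snmp user": "User name: monitor"}


def demo_events(host: str = "rtr1") -> List[str]:
    """Capture both snapshots through dict-backed runners; return Splunk lines."""
    old = capture_state(BASELINE.get, list(BASELINE))
    new = capture_state(SECOND.get, list(SECOND))
    return [to_splunk_event(host, e, ts=0) for e in diff_snapshots(old, new)]


if __name__ == "__main__":
    for line in demo_events():
        print(line)
```

The clock output differs between the two captures but is filtered as volatile, so the only event emitted is for `show running-config`, naming the added username line and the removed access-group line. In practice the per-command outputs would also be indexed whole (as the post suggests) so the diff can be reproduced later for forensics; the `VOLATILE` tuple is where counters such as `show ip cache flow` would go once they prove noisy.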
I’ve found expect to be more trouble than it’s worth for most scripts anymore, especially something like this. Assuming that the device has SSH enabled, you should be able to run these commands directly without much interactivity (which is what Expect was designed for).
Comment by Mike — December 9, 2008 @ 6:49 pm
Many people still use RANCID to collect information about their routers (me included), which already does all the expect wizardry required. The commands that are run by rancid should be a good starting point.
On the other hand, you could just pull the files that RANCID stores into Splunk (or go all the way and use Splunk as backend instead of CVS/SVN).
Comment by Alex — January 7, 2009 @ 7:39 am
Hm, you only really need 1 command…
show tech
That should spit it all out…..
Comment by Nico — March 2, 2009 @ 4:04 am