[Solved] Ignored data filter not working

Unimus support forum
Post Reply
doslager
Posts: 10
Joined: Mon Oct 25, 2021 10:37 pm

Sat Dec 18, 2021 7:08 pm

Not sure if i'm doing something wrong. I think i have it configured correctly.

I have a Cisco 2811 with console cables for a Terminal server. For some reason the config changes the baud on the aux port in the config each time Unimus is run. Not sure why--nothing is connected to the AUX port on the router. It's not a problem with Unimus. So, I have created a filter for this using a regex and it doesnt seem to work. I have changed it to "starts with" and that does not work either.

Here is the output from the email. Line 435 is the one that seems to fluctuate for some reason. It's always the same line. I want to include the line in the config, but exclude it from detecting a change.

I have hard coded the AUX port to 19200 and hopefully this will be static in the config and will eliminate the need for an ignored filter. But i'm not sure what i'm doing wrong in the filter. It doesnt seem to apply to the config.

Thank you!

Code: Select all


Vendor:	Cisco
Type:	IOS router
Downloaded:	Sat, 18 Dec 2021, 08:30 AM
	Vendor:	Cisco
Type:	IOS router
Downloaded:	Sat, 18 Dec 2021, 11:00 AM

 	 	 	...(424 lines hidden)
425	425		
426	426		^C
427	427		!
428	428		line con 0
429	429		password 7 *************************
430	430		line aux 0
431	431		modem InOut
432	432		modem autoconfigure discovery
433	433		transport input all
434	434		stopbits 1
435	 	-	speed 1200
 	435	+	speed 300
436	436		flowcontrol hardware
437	437		line 0/0/0
438	438		session-timeout 20
439	439		location cable0-0-0
440	440		rotary 1
441	441		no exec
442	442		transport input telnet ssh
443	443		transport output none
444	444		stopbits 1
445	445		line 0/0/1
 	 	 	...(261 lines hidden)

Here is the regex i am using and applied to the tag applied to the device in question. It seems to work when i test it via online regex tester.

Code: Select all

^.*speed.(300|1200|2400|4800|9600|19200|38400|57600|115200).*$
User avatar
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Sat Dec 18, 2021 7:15 pm

Hi,

The "^" and "$" anchors normally refer to start of string and end of string. You need to use the "(?m)" modifier to make them "per-line". Online regex testers often turn this on by default. This should work:

Code: Select all

(?m)^.*speed.(300|1200|2400|4800|9600|19200|38400|57600|115200).*$
doslager
Posts: 10
Joined: Mon Oct 25, 2021 10:37 pm

Sat Dec 18, 2021 7:26 pm

WOW! Thank you for the super quick reply on a saturday. :D

That seems to have fixed it! I was not aware of the (?m) modifier. That's perfect!

Thank you again!
doslager
Posts: 10
Joined: Mon Oct 25, 2021 10:37 pm

Sun Dec 19, 2021 6:53 pm

The improved RegEx is definitely working. Thank you!

However....

This config for some reason is flucuating between no speed statement for the AUX port and sometimes a speed statement. If the config goes from speed 9600 to speed19200 for example, the RegEx works fine and doesnt flag as config change.

But.....when the config flucuates between no speed statement to speed X, it flags the config as a change and sends an email. I have Unimus running every 15 min to flag/capture any changes across my devices.

The device is a Cisco 2811 running IOS 15.1.(4)M12a. Not sure if that matters. This is the only Cisco Router i have on the network and it is not even a router, per se. Its running as a Terminal Server. I dont have any other ISR style devices to know if its consistent across the 2800/2900 platform.

This was from the 0700 run. See line 435 that is removed and then reappears on the next run.

Code: Select all

 	 	 	...(424 lines hidden)
425	425		
426	426		^C
427	427		!
428	428		line con 0
429	429		password 7 xxxxxxxxxxxxxxxxxxx
430	430		line aux 0
431	431		modem InOut
432	432		modem autoconfigure discovery
433	433		transport input all
434	434		stopbits 1
435	 	-	speed 2400
436	435		flowcontrol hardware
437	436		line 0/0/0
438	437		session-timeout 20
439	438		location cable0-0-0
440	439		rotary 1
441	440		no exec
442	441		transport input telnet ssh
443	442		transport output none
444	443		stopbits 1
445	444		line 0/0/1
 	 	 	...(261 lines hidden)
Then the immediate next run at 0715 sent an email like this:

Code: Select all

 	 	 	...(424 lines hidden)
425	425		
426	426		^C
427	427		!
428	428		line con 0
429	429		password 7 xxxxxxxxxxxxxxxxxxx
430	430		line aux 0
431	431		modem InOut
432	432		modem autoconfigure discovery
433	433		transport input all
434	434		stopbits 1
 	435	+	speed 115200
435	436		flowcontrol hardware
436	437		line 0/0/0
437	438		session-timeout 20
438	439		location cable0-0-0
439	440		rotary 1
440	441		no exec
441	442		transport input telnet ssh
442	443		transport output none
443	444		stopbits 1
444	445		line 0/0/1
 	 	 	...(261 lines hidden)
And then nothing in 5 hours since then. So, it's definitely random when/how Cisco modifies the config.

Thank you!
doslager
Posts: 10
Joined: Mon Oct 25, 2021 10:37 pm

Sun Dec 19, 2021 7:29 pm

I think i noticed what the issue was with the config randomly adding in the speed line.

I had modem InOut and modem autoconfigure on the aux port. There is nothing connected to the AUX port, so it clearly doesnt need to be configured. I removed those lines and will see if that fixes the phantom appearance/disappearance of the speed command.

But....that still is a question for the ignore filter. It seems it ignores the line if it's present in both versions of the config. But if is removed, or added, the ignore filter doesnt apply itself. That may be by design, or there may be times that you want the addition or removal to be flagged.

Thank you again!
User avatar
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Sun Dec 19, 2021 7:35 pm

Hi, the best approach in this case would likely be just to delete the line all together. You can define a "Delete" filter (instead of an "Ignore" filter), with regex like this:

Code: Select all

(?m)^\h*speed \d+\h*\n
This will remove the line if it's present, and do nothing if it's not. This way there will be no changes detected whatever happens (if it's changed, removed, or added).
Post Reply