RANCID monitors a router’s (or more generally a device’s) configuration, including software and hardware (cards, serial numbers, etc) and uses CVS (Concurrent Version System) or Subversion to maintain history of changes.
- FreeBSD box (mine is 6.2)
- Router’s with enable access
- Local root access on the box or be able to su to root.
- A SSH client such as puTTy or SecureCRT (if you are setting it up remotely)
Let’s install RANCID from ports:
# cd /usr/ports/net-mgmt/rancid/ # make install clean
Copy the rancid.conf.sample to rancid.conf; Conf file is pretty well commented.
# cp /usr/local/etc/rancid.conf.sample /usr/local/etc/rancid.conf
I only uncomment the following:
LIST_OF_GROUPS="networks" MAILDOMAIN="@yourdomain.tld"; export MAILDOMAIN
Then create a “rancid” user account to run rancid.
# pw user add rancid
Let’s make sure the rancid is for rancid only.
# chown -R rancid:rancid /usr/local/etc/rancid
Now copy the cloginrc.sample to your ~rancid (rancid user) and then copy it to .cloginrc file. Then make sure again it’s for rancid only:
# chown rancid:rancid .cloginrc # vi .cloginrc
Here is an example on mine
add user * rancid will log in as the rancid user if the device uses a username prompt i.e. tacacs+
add password *-pix-fw add method *-pix-fw ssh
The above will log into any host matching somehost-pix.fw as rancid with the above specified passwords
add password specific-hosting-fw add method specific-hosting-fw ssh
The above will log only into the firewall whose host is specific-hosting-fw as rancid with the above specified passwords
# all our routers, i.e.: everything else add password * # set ssh encryption type, dflt: 3des add cyphertype *
Then let’s try it.
clogin [router IP]
[rancid@lab ~]$ /usr/local/libexec/rancid/clogin 10.0.0.1 10.0.0.1 spawn telnet 10.0.0.1 Trying 10.0.0.1... Connected to CISCO-1. Escape character is '^]'. CISCO-1 line 162 User Access Verification Username: rancid Password: CISCO-1>enable Password: CISCO-1#
You might consider to link the clogin to /usr/sbin just a suggestion.
Now let’s set up the CVS… do this with root
# cd /usr/local/ # rm -fr var/rancid # mkdir /usr/local/var/rancid # chown -R rancid:rancid /usr/local/var/rancid
Then logout as root and login as rancid user; run the cvs.
You should see diff and logs is created in /usr/local/var/rancid
CVS ---- CVS log logs ---- logs networks ---- created based on your group on rancid.conf
Let’s add the router on the database…
# vi /usr/local/var/rancid/networks/router.db 10.0.0.1:cisco:up /usr/local/bin/rancid-run
Then check your email… If you received something then you’re done.