Automated Documentation
Objective
In this lesson you will configure IOS features to enable automated, auditable network documentation: consistent timestamps, centralized logging, automatic configuration archival, SNMP telemetry for inventory, and an EEM trigger to export configs on change. This matters because accurate, time-stamped logs and automated backups are essential for troubleshooting, compliance audits, and feeding an LLM/automation system that generates change logs, runbooks, and human-readable documentation. In production, these mechanisms are the inputs an AI system consumes to produce accurate, temporal documentation and change histories.
Quick Recap
We are continuing from the topology used in Lesson 1. No core routing or interface changes from Lesson 1 are required for this lab; instead we add management infrastructure on the existing management LAN. The new servers (logging, archive/tftp, NTP, SNMP-poller) are reachable from Router R1 via its management interface GigabitEthernet0/1.
ASCII Topology (new/changed interfaces and IPs shown)
192.168.12.1/24 192.168.12.2/24
[R1] GigabitEthernet0/0 ---------------------- GigabitEthernet0/0 [R2]
(HQ backbone) (Branch backbone)
[R1]
GigabitEthernet0/1 10.0.0.1/24
|
| (management LAN)
|-----------------------------------------------------------
| 10.0.0.10 Management Host
| 10.0.0.50 NTP Server
| 10.0.0.100 Syslog Server
| 10.0.0.101 SNMP Poller / Automation
| 10.0.0.200 TFTP/Archive Server
|
Device Table
| Device | Role | Management IP |
|---|---|---|
| R1 (Router) | HQ router / config source | 10.0.0.1 (Gi0/1) |
| R2 (Router) | Branch router | 192.168.12.2 (Gi0/0) |
| Management Host | Admin workstation | 10.0.0.10 |
| NTP Server | Time service | 10.0.0.50 |
| Syslog Server | Central log collector | 10.0.0.100 |
| SNMP Poller | Automation / inventory | 10.0.0.101 |
| Archive/TFTP Server | Config archive target | 10.0.0.200 |
All domain names in examples: lab.nhprep.com. Use Lab@123 as any password when required.
Key Concepts
- Timestamps & Time Sync: Logs and config snapshots must be time-synchronized. If device clocks differ, automated documentation will show inconsistent event ordering. NTP keeps device clocks aligned; service timestamps adds readable timestamps to log and debug output.
- Centralized Logging: Routers should send syslog to a central collector. The collector keeps long-term archives, indexes messages for later AI parsing, and reduces on-box state. By default IOS forwards syslog messages to the collector over UDP port 514, which is unacknowledged: with service sequence-numbers enabled, a dropped message shows up on the collector only as a gap in the sequence numbers.
- Archive & Automated Backups: The IOS archive feature can periodically and/or on demand copy the running-config to an external server (TFTP/FTP/SCP). Saving configurations on change produces a verifiable change history (inputs for change logs).
- Event-driven Export (EEM): The Embedded Event Manager can react to events (e.g., the configuration-change syslog message) and run CLI commands to export the running-config. EEM provides automated triggers so you get a snapshot immediately after a change.
- SNMP for Inventory: SNMP provides structured data (device model, serial, interface status) that automation systems use to populate documentation and runbooks. Use a read-only community restricted by an ACL, or preferably SNMPv3, in production (we use a plain community string here for lab simplicity).
Step-by-step configuration
Step 1: Configure NTP and timestamps
What we are doing: Ensure the router’s clock is synchronized to a trusted NTP server and enable precise timestamps in logs. Accurate timestamps are critical for ordering events that the AI will use to create change logs.
configure terminal
ntp server 10.0.0.50
service timestamps log datetime msec localtime
service timestamps debug datetime msec localtime
exit
What just happened: The ntp server command points the router to the NTP server at 10.0.0.50 so the device can synchronize time. The service timestamps commands enable human-readable date/time with millisecond resolution for both log and debug messages. The localtime keyword renders timestamps in the zone set with clock timezone; if no timezone is configured (as in this lab), the router uses UTC, which is also the safest choice when logs from many devices are merged. With correct time, syslog entries and archived configuration files will carry reliable timestamps. Until the clock is synchronized, IOS prefixes each timestamp with an asterisk (*) to flag it as non-authoritative; a collector can use that marker to distrust ordering.
Real-world note: In production, you typically point devices to redundant NTP servers (internal primary + secondary) and control NTP access: restrict who may query or update the router with ntp access-group, and authenticate the servers with ntp authenticate, ntp authentication-key and ntp trusted-key so a rogue NTP source cannot skew the clock. Accurate time is also critical for security logs and certificate validation.
Verify:
show ntp status
show ntp associations
Expected output of show ntp status (abridged):
Clock is synchronized, stratum 2, reference is 10.0.0.50
nominal freq is 25000 Hz, actual freq is 24999 Hz, precision is 2**17
reference time is <NTP 64-bit timestamp> (12:31:52.123 UTC Wed Apr 1 2026)
clock offset is 0.0050 msec, root delay is 1.23 msec
root dispersion is 2.34 msec, peer dispersion is 0.10 msec
Expected output of show ntp associations (abridged):
  address         ref clock       st   when   poll reach  delay  offset   disp
*~10.0.0.50       .GPS.            1     12     64   377   0.98   0.005    0.1
The leading * marks the peer the router is currently synchronized to, and reach 377 (octal) means the last eight polls were answered. The router's own stratum is one higher than the server's.
Step 2: Configure syslog forwarding and logging options
What we are doing: Configure the router to forward syslog messages to a central syslog server and enable appropriate trap level. This centralization is how an LLM-based documentation system ingests event data.
configure terminal
logging host 10.0.0.100
logging trap informational
logging source-interface GigabitEthernet0/1
service sequence-numbers
exit
What just happened: logging host 10.0.0.100 configures the syslog destination (UDP port 514 unless you specify transport and port). logging trap informational sets the minimum severity level sent to the server (informational and more severe, i.e. levels 0 to 6). logging source-interface fixes the source IP for syslog packets to the management interface (important for server ACLs and a consistent source). service sequence-numbers prepends a sequence number to every syslog message, so the collector can restore ordering and detect lost messages.
Real-world note: Use a reliable transport (TCP or TLS syslog/rsyslog) in production when available, and restrict which hosts can receive syslog. Also choose sensible severity levels—too verbose and the collector will be flooded.
Verify:
show logging
Expected output (abridged to the relevant portion):
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filter disabled)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 0 messages logged
    Logging Source-Interface: GigabitEthernet0/1
    Trap logging: level informational, 0 message lines logged
        Logging to 10.0.0.100 (udp port 514, audit disabled, link up), 0 message lines logged
No active filter modules.
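Once the collector receives R1's messages, the next step in the documentation pipeline is to parse them. The following is an added example for this lesson, not lesson code or device output: it parses the default IOS message layout produced by Step 1 and Step 2 (`<seq>: [*|.]Mon dd hh:mm:ss.mmm: %FACILITY-SEVERITY-MNEMONIC: text`), orders the events, flags gaps in the sequence numbers (lost messages, since syslog over UDP is unacknowledged), flags timestamps IOS marked as non-authoritative, and extracts a change log from the `%SYS-5-CONFIG_I` and `%PARSER-5-CFGLOG_LOGGEDCMD` messages. The sample lines are constructed, and the year is supplied by the caller because IOS omits it unless `service timestamps ... year` is set.

```python
"""Parse IOS syslog lines as the collector at 10.0.0.100 receives them from R1 and
build an ordered, auditable change log. Added example; SAMPLE_LINES are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample stream (not captured from a device). Sequence 43 is deliberately
# missing, and the last message carries the '*' marker IOS uses for an unsynced clock.
SAMPLE_LINES = [
    "000041: Apr  1 12:30:10.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.10)",
    "000042: Apr  1 12:30:10.120: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:logging host 10.0.0.100",
    "000044: Apr  1 12:31:52.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down",
    "000045: *Apr  1 12:31:55.500: %SYS-5-CONFIG_I: Configured from console by console",
    "this line is not syslog and must be reported as rejected, not silently dropped",
]

LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"                      # 'service sequence-numbers' prefix
    r"(?P<flag>[*.])?"                             # '*' never synced, '.' sync lost
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
CONFIG_I_RE = re.compile(
    r"Configured from (?P<via>\S+) by (?P<who>.+?)(?: on (?P<line>\S+) \((?P<src>[^)]+)\))?$")
CFGLOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")


@dataclass
class Event:
    seq: Optional[int]
    ts: datetime
    authoritative: bool  # False when IOS flagged the timestamp with '*' or '.'
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str, year: int) -> Optional[Event]:
    """Parse one message; the caller supplies the year IOS leaves out of the timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
    return Event(seq=int(m["seq"]) if m["seq"] else None, ts=ts,
                 authoritative=m["flag"] is None, facility=m["fac"],
                 severity=int(m["sev"]), mnemonic=m["mnem"], text=m["text"])


def parse_stream(lines: List[str], year: int) -> Tuple[List[Event], List[str]]:
    """Return events ordered by timestamp then sequence number, plus lines that did not parse."""
    events, rejected = [], []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    events.sort(key=lambda e: (e.ts, -1 if e.seq is None else e.seq))
    return events, rejected


def find_sequence_gaps(events: List[Event]) -> List[Tuple[int, int]]:
    """A hole in the sequence numbers is the collector's only evidence that UDP syslog
    messages were lost (or suppressed) between the router and the collector."""
    seqs = sorted(e.seq for e in events if e.seq is not None)
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


def change_log(events: List[Event]) -> List[Dict[str, object]]:
    """Extract who changed what, from where, and whether the timestamp can be trusted."""
    entries: List[Dict[str, object]] = []
    for e in events:
        base = {"time": e.ts.isoformat(timespec="milliseconds"), "trusted_time": e.authoritative}
        if e.mnemonic == "CONFIG_I":
            m = CONFIG_I_RE.match(e.text)
            entries.append({**base, "kind": "config-session",
                            "user": m["who"] if m else "?",
                            "source": (m["src"] or "local") if m else "?"})
        elif e.mnemonic == "CFGLOG_LOGGEDCMD":
            m = CFGLOG_RE.match(e.text)
            entries.append({**base, "kind": "command",
                            "user": m["user"] if m else "?",
                            "command": m["cmd"].strip() if m else e.text})
    return entries


if __name__ == "__main__":
    evs, bad = parse_stream(SAMPLE_LINES, 2026)
    print("sequence gaps:", find_sequence_gaps(evs), "| rejected lines:", len(bad))
    for entry in change_log(evs):
        print(entry)
```

Two details matter for an audit trail: the parser keeps rejected lines rather than dropping them, so a collector that starts receiving a format it does not understand is noticed, and every change-log entry records whether the router considered its own clock authoritative at the time, so a change made while NTP was down is not silently merged into a trusted timeline.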
Step 3: Configure archive for periodic backups and change notification
What we are doing: Enable the IOS archive feature to automatically save running-config snapshots periodically and notify syslog when config is changed or archived. This gives the automation system a continuous history it can index.
configure terminal
archive
 log config
  logging enable
  logging size 200
  notify syslog
  hidekeys
  exit
 path tftp://10.0.0.200/backup-config
 write-memory
 time-period 1440
 exit
exit
What just happened: Entering archive creates a config-archival policy. log config enters the configuration-logger submode: logging enable records every command entered in configuration mode, logging size 200 keeps the last 200 entries on the box, notify syslog emits a %PARSER-5-CFGLOG_LOGGEDCMD syslog message for each logged command (so the collector sees the exact command, user and line), and hidekeys replaces passwords and keys in those logged entries with asterisks. Note that hidekeys only affects the change log; the archived configuration file itself still contains enable secrets, community strings and keys. You must exit the log config submode before the remaining commands, which apply to the archive itself: path tftp://10.0.0.200/backup-config specifies the external target; write-memory archives a copy every time write memory (or copy running-config startup-config) runs; time-period 1440 schedules an automatic archive every 1440 minutes (24 hours). IOS appends an incrementing suffix (backup-config-1, backup-config-2, ...) to each archive, so the archive feature does not overwrite earlier snapshots. These archives are the raw snapshots an AI system can parse to produce change logs and configuration diffs.
Real-world note: In production, use authenticated transfer (SCP/FTP with credentials or a secure API) rather than TFTP. If you use TFTP, protect access to the TFTP server since it is unauthenticated and cleartext, and the files it holds contain secrets. Include the device hostname in filenames to avoid collisions between devices: the archive path accepts $h for the hostname and $t for a timestamp (for example path tftp://10.0.0.200/$h-config-$t).
Verify:
show running-config | section archive
archive config
show archive
show archive log config all
Expected outputs (archive config is the on-demand trigger; run it once so show archive has something to list):
archive
 log config
  logging enable
  logging size 200
  notify syslog
  hidekeys
 path tftp://10.0.0.200/backup-config
 write-memory
 time-period 1440

The maximum archive configurations allowed is 10.
There are currently 1 archive configurations saved.
The next archive file will be named tftp://10.0.0.200/backup-config-2
 Archive #  Name
   1        tftp://10.0.0.200/backup-config-1 <- Most Recent

 idx   sess           user@line      Logged command
    1     1         admin@vty0      |logging host 10.0.0.100
    2     1         admin@vty0      |logging trap informational
The show archive log config all output is the on-box change log that notify syslog also streams to the collector; with hidekeys, any password or key in a logged command appears as asterisks.
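The archive feature gives you a series of full snapshots; the documentation pipeline needs the difference between two of them, and hidekeys does not protect the snapshot files themselves. The following is an added example for this lesson, not lesson code: it redacts the IOS lines that carry credentials (enable secrets, usernames, SNMP community strings, NTP/TACACS/RADIUS keys) before diffing two snapshots into an added/removed record that can safely be handed to an LLM or a change ticket. BEFORE and AFTER are constructed snapshots of R1 around Step 2 and Step 4; the hashes in them are fake placeholders, and the list of secret-bearing lines is a starting point you would extend for your platforms.

```python
"""Redact credentials from archived IOS snapshots and diff them into a change record.
Added example; BEFORE/AFTER are constructed and the hashes in them are fake."""
import difflib
import re
from typing import Dict, List

BEFORE = """\
! Last configuration change at 12:00:00 UTC Wed Apr 1 2026 by admin
hostname R1
enable secret 5 $1$abcd$FAKEHASHFORLABONLY/
username admin privilege 15 secret 5 $1$efgh$FAKEHASHFORLABONLY/
logging host 10.0.0.99
ntp server 10.0.0.50
"""

AFTER = """\
! Last configuration change at 12:31:52 UTC Wed Apr 1 2026 by admin
hostname R1
enable secret 5 $1$abcd$FAKEHASHFORLABONLY/
username admin privilege 15 secret 5 $1$efgh$FAKEHASHFORLABONLY/
logging host 10.0.0.100
logging trap informational
logging source-interface GigabitEthernet0/1
ntp server 10.0.0.50
snmp-server community NHPREP RO
snmp-server host 10.0.0.101 version 2c NHPREP
"""

# (pattern, replacement) for IOS lines that carry credentials. Keep the keyword part of
# the line so the diff still shows *that* a secret changed, never *what* it changed to.
SECRET_PATTERNS = [
    (re.compile(r"^(\s*snmp-server community )\S+"), r"\1<redacted>"),
    (re.compile(r"^(\s*snmp-server host \S+(?: version \S+)? )\S+"), r"\1<redacted>"),
    (re.compile(r"^(\s*enable (?:secret|password)(?: \d)? ).+$"), r"\1<redacted>"),
    (re.compile(r"^(\s*username \S+(?: privilege \d+)? (?:secret|password)(?: \d)? ).+$"),
     r"\1<redacted>"),
    (re.compile(r"^(\s*(?:key-string|tacacs-server key|radius-server key|"
                r"ntp authentication-key \d+ md5) ).+$"), r"\1<redacted>"),
]
# Header and comment lines differ on every snapshot and would drown the real changes.
NOISE_RE = re.compile(r"^(!|Building configuration|Current configuration)")


def redact(config: str) -> str:
    """Return the config text with every credential-bearing value replaced."""
    out = []
    for line in config.splitlines():
        for pat, repl in SECRET_PATTERNS:
            line = pat.sub(repl, line)
        out.append(line)
    return "\n".join(out) + "\n"


def normalize(config: str) -> List[str]:
    """Redact, then drop blank and noise lines so the diff contains only real changes."""
    return [l for l in redact(config).splitlines() if l.strip() and not NOISE_RE.match(l)]


def diff_configs(before: str, after: str) -> Dict[str, List[str]]:
    """Added and removed lines between two snapshots, already redacted."""
    added, removed = [], []
    for l in difflib.unified_diff(normalize(before), normalize(after), lineterm="", n=0):
        if l.startswith("+") and not l.startswith("+++"):
            added.append(l[1:])
        elif l.startswith("-") and not l.startswith("---"):
            removed.append(l[1:])
    return {"added": added, "removed": removed}


if __name__ == "__main__":
    record = diff_configs(BEFORE, AFTER)
    print("removed:", *record["removed"], sep="\n  ")
    print("added:", *record["added"], sep="\n  ")
```

Redaction runs before the diff, not after, so a secret can never leak through the diff output, and the keyword part of each redacted line is preserved so the record still documents that, for example, a new SNMP community was configured. Run the same redact step over anything else that leaves the device (show tech, debug output) before it reaches a model.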
Step 4: Configure SNMP read access for inventory
What we are doing: Allow a read-only SNMP collector to poll the device. SNMP provides structured device information (model, serial, interface list) that AI systems use to populate device inventory and runbooks.
configure terminal
snmp-server community NHPREP RO
snmp-server host 10.0.0.101 version 2c NHPREP
exit
What just happened: snmp-server community NHPREP RO creates a read-only community named NHPREP. snmp-server host defines 10.0.0.101 as a notification (trap) destination using SNMPv2c and the same community string; on its own this sends nothing, because no notification types are enabled yet (for example snmp-server enable traps config would send a trap on each configuration change). The SNMP poller can now query standard MIBs for inventory and interface status.
Real-world note: In production use SNMPv3 with authentication and encryption (authPriv). If a community string must be used, bind it to an ACL that permits only the poller (snmp-server community NHPREP RO <acl>), treat the string as a credential, and rotate it regularly. A read-only community still exposes the full interface table, routing neighbours and software version to anyone who can reach UDP/161.
Verify:
show snmp community
show snmp host
Expected outputs:
Community name: NHPREP
Community Index: NHPREP
Community SecurityName: NHPREP
storage-type: nonvolatile        active

Notification host: 10.0.0.101   udp-port: 162   type: trap
user: NHPREP    security model: v2c
Step 5: Configure EEM to export running-config on configuration change
What we are doing: Create an EEM applet that triggers when a configuration change occurs and immediately copies the running-config to the TFTP archive server. This guarantees the configuration at the moment of change is captured for change logs and diffing.
configure terminal
file prompt quiet
event manager applet ArchiveOnConfig
 event syslog pattern "SYS-5-CONFIG_I"
 action 1.0 cli command "enable"
 action 2.0 cli command "copy running-config tftp://10.0.0.200/backup-config"
exit
What just happened: event manager applet ArchiveOnConfig creates an EEM applet. The event syslog pattern "SYS-5-CONFIG_I" is a regular expression matched against every syslog message the router generates; %SYS-5-CONFIG_I is the message IOS emits when a configuration session ends (e.g. "Configured from console by admin on vty0 (10.0.0.10)"). When it appears, EEM runs the CLI actions in label order: enter privileged mode, then copy running-config tftp://... to push the snapshot to the archive server. file prompt quiet is what makes this work unattended: without it, copy stops at the "Destination filename [backup-config]?" confirmation, which EEM cannot answer, and the action times out with no file written. The copy itself is not a configuration session, so it does not produce another CONFIG_I message and the applet does not loop. The immediate export provides a timestamped snapshot that can be ingested by the documentation pipeline.
Real-world note: Use unique filenames (include hostname and timestamp) in production, because this applet overwrites backup-config on every change. If you do not want file prompt quiet globally (it also suppresses confirmations for other file operations), answer the prompt in the applet instead: action 2.0 cli command "copy running-config tftp://10.0.0.200/backup-config" pattern "filename" followed by action 2.1 cli command "". EEM runs its CLI actions as a separate session; when AAA command authorization is enabled, configure event manager session cli username <user> with an account authorized for copy, and test the applet before relying on it.
Verify:
show event manager policy registered
show event manager history events
Expected outputs:
No.  Class     Type    Event Type          Trap  Time Registered           Name
1    applet    user    syslog              Off   Wed Apr  1 12:00:00 2026  ArchiveOnConfig
 pattern {SYS-5-CONFIG_I}
 action 1.0 cli command "enable"
 action 2.0 cli command "copy running-config tftp://10.0.0.200/backup-config"

No.  Job Id Proc Status   Time of Event            Event Type     Name
1    1      Actv success  Wed Apr  1 12:31:52 2026 syslog         applet: ArchiveOnConfig
Then confirm on the TFTP server that backup-config was (re)written at that time. If the history shows the event but no file arrived, run debug event manager action cli to see the copy dialogue the applet actually encountered.
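Both the archive feature and the EEM applet deliver files to 10.0.0.200 with names the router chose, and the EEM copy overwrites the same name every time. The following is an added example for this lesson, not lesson code, showing how the archive side should treat each delivered file: it assumes the TFTP server hands the received file to this script (for example from a cron job or an inotify hook; that hook is not shown). The hostname is taken from the config body rather than the filename the sender chose, the snapshot is stored read-only under a unique name (hostname, UTC timestamp, content hash) that is never overwritten, and every store is appended to a hash-chained manifest so later tampering with any archived snapshot is detectable. The sample config is constructed.

```python
"""Archive-side handling for config snapshots delivered by the IOS archive feature or
the EEM applet. Added example; SAMPLE_CONFIG is constructed and the delivery hook that
would call store_snapshot() is assumed, not shown."""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

MANIFEST = "MANIFEST.chain"
GENESIS = "0" * 64
HOSTNAME_RE = re.compile(r"^hostname\s+(\S+)\s*$", re.MULTILINE)


def hostname_from_config(text: str) -> str:
    """Take the hostname from the config body, not from the filename the sender picked."""
    m = HOSTNAME_RE.search(text)
    return m.group(1) if m else "unknown-host"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def last_chain_hash(archive_dir: Path) -> str:
    """Hash of the last manifest line; each new line commits to the one before it."""
    path = archive_dir / MANIFEST
    if not path.exists():
        return GENESIS
    lines = path.read_text().splitlines()
    return sha256_hex(lines[-1].encode()) if lines else GENESIS


def store_snapshot(archive_dir: Path, src: Path, now: Optional[datetime] = None) -> Path:
    """Copy a delivered config into the archive under a unique, read-only name."""
    data = src.read_bytes()
    digest = sha256_hex(data)
    now = now or datetime.now(timezone.utc)
    host = hostname_from_config(data.decode(errors="replace"))
    dest = archive_dir / f"{host}-{now.strftime('%Y%m%dT%H%M%SZ')}-{digest[:12]}.cfg"
    # O_EXCL: fail loudly instead of ever overwriting an earlier snapshot.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    entry = f"{last_chain_hash(archive_dir)} {digest} {now.isoformat()} {host} {dest.name}"
    with open(archive_dir / MANIFEST, "a") as fh:
        fh.write(entry + "\n")
    return dest


def verify_archive(archive_dir: Path) -> bool:
    """Recompute the chain and every file hash; False on any edit, removal or reordering."""
    prev = GENESIS
    for line in (archive_dir / MANIFEST).read_text().splitlines():
        chained, digest, _ts, _host, name = line.split(" ", 4)
        path = archive_dir / name
        if chained != prev or not path.exists() or sha256_hex(path.read_bytes()) != digest:
            return False
        prev = sha256_hex(line.encode())
    return True


SAMPLE_CONFIG = "hostname R1\nlogging host 10.0.0.100\nntp server 10.0.0.50\n"  # constructed


def demo() -> dict:
    """Run the workflow in a temp dir and return facts about what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "archive"
        archive.mkdir()
        incoming = Path(tmp) / "backup-config"  # the name the router delivered
        incoming.write_text(SAMPLE_CONFIG)
        first = store_snapshot(archive, incoming, datetime(2026, 4, 1, 12, 31, 52, tzinfo=timezone.utc))
        incoming.write_text(SAMPLE_CONFIG + "logging trap informational\n")  # router overwrote it
        second = store_snapshot(archive, incoming, datetime(2026, 4, 1, 12, 35, 0, tzinfo=timezone.utc))
        intact = verify_archive(archive)
        # Simulate someone editing an archived snapshot in place after the fact.
        os.chmod(first, 0o644)
        first.write_text("hostname R1\n")
        return {"first": first.name, "second": second.name, "intact_before": intact,
                "tamper_detected": not verify_archive(archive),
                "files": len(list(archive.glob("*.cfg")))}


if __name__ == "__main__":
    print(demo())
```

The manifest lives on the same host as the files, so an attacker with write access there could rewrite both; the chain only becomes tamper-evident once its tail hash is periodically copied somewhere the archive host cannot write (a ticket, a signed log, a separate WORM store). Taking the hostname from the config body also means a device that delivers someone else's config, or a spoofed sender, is filed under the name in the content rather than under whatever it claimed.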
Verification Checklist
- Check 1: NTP is synchronized. Verify with show ntp status and confirm "Clock is synchronized".
- Check 2: Syslog is forwarding. Verify with show logging and confirm Logging to 10.0.0.100 and Logging Source-Interface GigabitEthernet0/1.
- Check 3: Archive policy present and periodic backups configured. Verify with show archive and show running-config | section archive, and confirm path tftp://10.0.0.200/backup-config and time-period 1440.
- Check 4: EEM applet registered and executed on config change. Verify with show event manager policy registered and show event manager history events, then perform a configuration change and validate that a file appears on the TFTP server.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| Syslog messages not visible on the collector | Router uses wrong source IP and collector ACL drops messages | Set logging source-interface GigabitEthernet0/1 so messages come from 10.0.0.1; adjust collector ACLs |
| Archive file not present on TFTP server after change | EEM copy stalled on the destination-filename prompt (file prompt quiet missing), filename collision, permission, or network reachability | Test a manual copy running-config tftp://10.0.0.200/backup-config; configure file prompt quiet or a pattern/answer pair in the applet; use unique filenames; ensure the TFTP server is running and reachable from 10.0.0.1 |
| NTP not synchronized (stratum 16 or unsynchronized) | NTP server unreachable or firewall blocking UDP/123 | Verify reachability (ping 10.0.0.50), verify firewall allows UDP/123; check show ntp associations |
| SNMP inventory missing or incomplete | Wrong community string or SNMPv2 configured but poller expects SNMPv3 | Confirm community with show snmp community and configure poller to use community "NHPREP"; migrate to SNMPv3 for production |
| EEM applet never triggers | EEM filter pattern mismatches syslog message or EEM disabled | Generate a config change and watch show logging to capture the exact syslog text; adjust the EEM event syslog pattern accordingly |
Key Takeaways
- Always synchronize device clocks (NTP) and enable precise timestamps—accurate timing is essential for building correct change logs and runbooks.
- Centralized logging and archival are the primary inputs an LLM or automation engine uses to generate documentation; make these sources reliable and immutable where possible.
- Use the IOS archive feature and EEM to automate configuration snapshots on changes; automate early and capture state immediately after changes to preserve auditability.
- In production, prefer secure transports (SCP/FTP/SNMPv3/TLS) and include unique filenames (hostname + timestamp) to avoid overwrites; these details matter when feeding data to an AI for consistent historical documentation.
Tip: After you confirm the workflow in the lab, integrate the syslog and archive outputs into your documentation pipeline—index logs and archived configs in a searchable datastore so an LLM or automation engine can reliably build chronological change histories and runbooks.