Logging changes to the BGP peering relationships is recommended. Any logged changes will in the best case indicate a service issue due to standard operational issues (connectivity issues and so on) or in the worst case, could indicate malicious activity attempting to subvert the peering relationship and/or the routing table. Rationale:
Solution
In each 'neigbor' stanza of the BGP configuration, add the command 'log-neighbor-changes' switch(config)# router bgp <asn> switch(config-router)# router-id <local ip, preferably a loopback> switch(config-router)# neighbor <neighbor ip address> switch(config-router-neighbor)# remote-as <neighbor asn> switch(config-router-neighbor)# log-neighbor-changes In addition, the events below should be configured in any log or SIEM solution to generate an alert for investigation. A good keyword to alert on is 'ADJCHANGE' 2020 May 20 11:54:18 CISNXOS9 %BGP-5-ADJCHANGE: bgp- [7984] (default) neighbor 10.10.10.11 Up 2020 May 20 13:08:15 CISNXOS9 %BGP-5-ADJCHANGE: bgp- [7984] (default) neighbor 10.10.10.11 Down - sent: holdtimer expired error Default Value: Not enabled