There's definitely no special magic here, and generally speaking, Puppet is not a monitoring tool, it's a configuration management tool.
It's really good at telling you when something is different from the configuration you DO want and are enforcing (even in noop mode, for auditing).
It's not great at telling you if anything at all on a system (Cisco, Linux or otherwise) is different than it was yesterday.
Even for "retrieving a base configuration" - typically different configuration options are divided up into resource types. So, just like a Linux system is divided up into many files, services, etc. and you can't just have Puppet tell me "take a baseline and tell me if ANYTHING ever changes on this system", you're highly unlikely to be able to do that with a Cisco device using Puppet either.
E.g. no matter how well or how poorly Puppet manages Cisco devices, you're still going to have resources like vlan, interface, etc., each of which can be independently managed.
`puppet resource` for example. You can run `puppet resource user` on a Linux system to get a picture of how Puppet sees all users on the system. You can't however say, `puppet resource all_resources` or something like that to get a complete picture of the entire system. That would mean every file, every user, every service, etc. Puppet doesn't do that, and it's not what Puppet is for. That's what tools like Tripwire are for - Puppet is a configuration management tool not a monitoring system or a "deep freeze on this server" system.
Similarly for a Cisco device you're going to end up with things like `puppet resource vlan` or `puppet resource interface` and things like that. They might output the configs of all known interfaces, or all known vlans, etc, but you can't just ask Puppet for "tell me everything you could possibly know about a Cisco device, for each Cisco device I have, and tell me when anything changes".
If you do want to monitor things like that with Puppet, you'll ultimately need to write code that enforces that state (perhaps generated from the output of puppet resource, which outputs valid puppet code), and then enforce that code in noop mode regularly, to see what deviated. But it's still not going to "take a baseline" and then tell you if "anything at all" has changed on the system.
If that's really what you want, RANCID is probably your best bet. You could probably puppetize it! But Puppet is not the right tool for monitoring it, or for monitoring in general. That's what Tripwire is for, that's what Nagios is for, that's what things like RANCID can supplement, etc.
I know that's probably not the answer you were looking for, but hopefully it explains what Puppet is for, how you can use it, etc.
Puppet is for deploying the configuration you do ...
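The noop audit described in the answer, as an added example that is not part of the original post: it reads the output of a noop run of a manifest generated from `puppet resource user` and lists each property that deviated. The log lines are constructed, and the host name, the manifest name `baseline.pp` and the helper `find_drift` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `puppet apply --noop baseline.pp` output (colour disabled).
# baseline.pp is assumed to have been generated earlier from `puppet resource user`.
SAMPLE_NOOP_OUTPUT = """\
Notice: Compiled catalog for web01.example.test in environment production in 0.05 seconds
Notice: /Stage[main]/Main/User[alice]/shell: current_value '/bin/zsh', should be '/bin/bash' (noop)
Notice: /Stage[main]/Main/User[alice]/groups: current_value ['sudo'], should be [] (noop)
Notice: /Stage[main]/Main/User[deploy]/ensure: current_value 'absent', should be 'present' (noop)
Notice: Class[Main]: Would have triggered 'refresh' from 3 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 event
Notice: Applied catalog in 0.03 seconds
"""

# One noop event per drifted property: resource path, property, observed and baseline values.
NOOP_EVENT = re.compile(
    r"^Notice: (?P<path>/Stage\[.+\])/(?P<prop>\w+): "
    r"current_value (?P<current>.+), should be (?P<baseline>.+) \(noop\)$"
)
# Last path component, e.g. User[alice] or Vlan[10].
RESOURCE = re.compile(r"([A-Z][\w:]*\[[^\]]+\])$")


def find_drift(noop_output):
    """Return {resource: {property: (current, baseline)}} for every noop event."""
    drift = defaultdict(dict)
    for line in noop_output.splitlines():
        m = NOOP_EVENT.match(line.strip())
        if not m:
            continue  # compile/refresh/summary lines carry no property drift
        res = RESOURCE.search(m["path"])
        name = res.group(1) if res else m["path"]
        drift[name][m["prop"]] = (m["current"], m["baseline"])
    return dict(drift)


if __name__ == "__main__":
    for resource, props in sorted(find_drift(SAMPLE_NOOP_OUTPUT).items()):
        for prop, (current, baseline) in sorted(props.items()):
            print(f"DRIFT {resource} {prop}: now {current}, baseline {baseline}")
```

A user created after the baseline was captured produces no event here, because the manifest never mentions it; that is the limitation the answer describes.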