Utils auditd status question

Answered Question
Jun 7th, 2010

When I run utils auditd status from the CLI it says that auditd is stopped.  I've configured auditing via Serviceability GUI.


The command line reference for utils auditd status is:


utils auditd:


This command enables, disables, and provides the status of audit logging. When enabled, the system monitors and records user actions in both Cisco Unified Communications Manager and Cisco Unified Serviceability.


I can read the audit logs via RTMT or the command line without any problem.  Just curious if anyone knows why this command lists auditd as stopped? Is it a different process than the one seen in Serviceability?

Correct Answer
David Hailey Mon, 06/07/2010 - 12:16

We may be speaking the same language, it's been a while since I've looked at audit logging. But, I was under the impression that the CLI command you referenced is tied to the OS administration log. See the excerpt from the Troubleshooting Guide for CUCM:


Operating System Log

The operating system audit log, which displays in the vos folder in RTMT, reports events that are triggered by the operating system. It does not get enabled by default. The utils auditd CLI command enables, disables, or gives status about the events.

The vos folder does not display in RTMT unless the audit is enabled in the CLI.


Hailey


Please rate helpful posts!

mmendonca Mon, 06/07/2010 - 13:00

David thanks for a great answer.


The command line reference http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cli_ref/7_1_3/cli_ref_713.html#wp46989 says:


This command enables, disables, and provides the status of audit logging. When enabled, the system monitors and records user actions in both Cisco Unified Communications Manager and Cisco Unified Serviceability.


Nothing is said about VOS audit log.


I tested what you posted by enabling it at the CLI with the command utils auditd enable.  Prior to enabling it I only saw 2 folders under the Cisco Audit Logs folder in RTMT; AuditApp and informixauditlogs.   After enabling it I then saw the previous 2 and the VOS folder with the vos-audit.log file in it.


If your colleague Bill Bell happens to read this he might want to add this to his already excellent blog on Cisco Audit configuration.


Mark

William Bell Mon, 06/07/2010 - 13:14

Hailey,


Solid answer (+5 to you).


Mark,


When I saw your original post I thought that I should expand the blog article to include OS auditing.  So, I will definitely add this topic into the mix.  Thanks for the input and thanks for reading.


Regards,
Bill
