06-07-2010 09:11 AM - edited 03-19-2019 01:02 AM
When I run utils auditd status from the CLI it says that auditd is stopped. I've configured auditing via Serviceability GUI.
The command line reference for utils auditd status is:
utils auditd:
This command enables, disables, and provides the status of audit logging. When enabled, the system monitors and records user actions in both Cisco Unified Communications Manager and Cisco Unified Serviceability.
I can read the audit logs via RTMT or the command line without any problem. Just curious if anyone knows why this command lists auditd as stopped? Is it a different process than the one seen in Serviceability?
Solved! Go to Solution.
06-07-2010 12:16 PM
We may be speaking the same language, it's been a while since I've looked at audit logging. But, I was under the impression that the CLI command you referenced is tied to the OS adminstration log. See the excerpt from the Troubleshooting Guide for CUCM:
Operating System Log
The operating system audit log, which displays in the vos folder in RTMT, reports events that are triggered by the operating system. It does not get enabled by default. The utils auditd CLI command enables, disables, or gives status about the events.
The vos folder does not display in RTMT unless the audit is enabled in the CLI.
Hailey
Please rate helpful posts!
06-07-2010 12:16 PM
We may be speaking the same language, it's been a while since I've looked at audit logging. But, I was under the impression that the CLI command you referenced is tied to the OS adminstration log. See the excerpt from the Troubleshooting Guide for CUCM:
Operating System Log
The operating system audit log, which displays in the vos folder in RTMT, reports events that are triggered by the operating system. It does not get enabled by default. The utils auditd CLI command enables, disables, or gives status about the events.
The vos folder does not display in RTMT unless the audit is enabled in the CLI.
Hailey
Please rate helpful posts!
06-07-2010 01:00 PM
David thanks for a great answer.
The command line reference http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cli_ref/7_1_3/cli_ref_713.html#wp46989 says:
This command enables, disables, and provides the status of audit logging. When enabled, the system monitors and records user actions in both Cisco Unified Communications Manager and Cisco Unified Serviceability.
Nothing is said about VOS audit log.
I tested what you posted by enabling it at the CLI with the command utils auditd enable. Prior to enabling it I only saw 2 folders under the Cisco Audit Logs folder in RTMT; AuditApp and informixauditlogs. After enabling it I then saw the previous 2 and the VOS folder with the vos-audit.log file in it.
If your colleague Bill Bell happens to read this he might want to add this to his already excellent blog on Cisco Audit configuration.
Mark
06-07-2010 01:14 PM
Hailey,
Solid answer (+5 to you).
Mark,
When I saw your original post I thought that I should expand the blog article to include OS auditing. So, I will definitely add this topic into the mix. Thanks for the input and thanks for reading.
Regards,
Bill
Please remember to rate helpful responses and identify
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: