Audit Logs, collection and analysis

Hello,

Have seen a lot of customers looking for information on who, or which user changed the config on the call manager.

Here's a Cisco document regarding the same:

http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/service/8_0_1/admin/saaulog.html


Basically audit logs can help you on this issue, to get some useful information.

The audit logs need to be set to detailed to get relevant information. To set the audit logs to detailed, follow these steps.

Please set the audit logs to detailed from the Serviceability page:

Trace>>Configuration>>Server: select the publisher

Service Group>>Performance and Monitoring Services

Service>>Cisco Audit Event Service

Set it to detailed.

You can collect the audit logs from the RTMT tool:

Log in to the RTMT>>Trace and Log Central>>Collect Files>>select the Cisco Audit Event Service.

Now for the analysis below:

I created a superuser with the ID kusatija, logged in and deleted the phone with DN 7143.

Here is a snippet from the trace:

Line 510: 12/14/2010 09:08:33.797 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails : record in table devicenumplanmap with key field dnorpattern = 7143 updated ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:cucmlab|

Line 511: 12/14/2010 09:08:42.794 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails : record in table devicenumplanmap with key field dnorpattern = 7143 updated ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:cucmlab|

Line 512: 12/14/2010 09:09:47.200 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails : record in table devicenumplanmap with key field dnorpattern = 7143 updated ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:cucmlab|

Line 514: 12/14/2010 09:35:51.504 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :UserLogging ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails :Successfully Logged out Cisco CCM Web Pages ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:cucmlab|

So basically you get the following info:

In the logs I see the timestamp: 12/14/2010 09:08:33.797

User ID: kusatija

And the DN deleted: 7143

IP address of the machine from which I logged in: 10.78.167.46

You can also track the MAC address of the phone deleted.


So next time you need to know which user at what time made config changes (like deleted phones, users, MOH files etc.), you know where to look.

Attaching the logs from lab as well.

HTH


Kunal
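As an added example (not from the post above and not Cisco's own tooling), here is a small Python parser for the audit line layout shown in the trace. It answers the same question from a collected trace file: which user, at what time and from which client address updated the record keyed by DN 7143. The sample lines are the ones quoted in the post with the viewer's "Line NNN:" prefixes removed; the field list is taken from those lines and is an assumption for any other record layout.

```python
import re

# Constructed sample: the Cisco Audit Event Service lines quoted in the post,
# with the log-viewer "Line NNN:" prefixes removed and the irregular spacing
# around field names ("UserID :", "ResourceAccessed:", "Node  ID:") kept on purpose.
SAMPLE_TRACE = """\
12/14/2010 09:08:33.797 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails : record in table devicenumplanmap with key field dnorpattern = 7143 updated ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node  ID:cucmlab|
12/14/2010 09:08:42.794 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails : record in table devicenumplanmap with key field dnorpattern = 7143 updated ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node  ID:cucmlab|
12/14/2010 09:35:51.504 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :UserLogging ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails :Successfully Logged out Cisco CCM Web Pages ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node  ID:cucmlab|
"""

# Field names in the order they appear in each LogMessage record (assumed from the sample).
FIELDS = ["UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
          "EventStatus", "AuditDetails", "ComponentID", "App ID", "Cluster ID", "Node ID"]

HEADER = re.compile(r"\s*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s*\|LogMessage\s*(.*)\|\s*$")

def parse_audit_line(line):
    """Split one audit line into a dict. Values are delimited only by the next
    field name, so each name is located in order and the text between is sliced."""
    m = HEADER.match(line)
    if not m:
        return None
    body, record, marks, pos = m.group(2), {"timestamp": m.group(1)}, [], 0
    for name in FIELDS:
        pat = r"\s+".join(re.escape(w) for w in name.split()) + r"\s*:"
        fm = re.compile(pat).search(body, pos)
        if not fm:
            return None          # not a record in the expected layout
        marks.append((name, fm.start(), fm.end()))
        pos = fm.end()
    for i, (name, _, end) in enumerate(marks):
        stop = marks[i + 1][1] if i + 1 < len(marks) else len(body)
        record[name] = body[end:stop].strip()
    return record

def parse_trace(text):
    """Parse every well-formed audit line in a collected trace file."""
    return [r for r in map(parse_audit_line, text.splitlines()) if r]

def changes_to_key(records, key_value):
    """Who changed the record whose key field (here the DN) equals key_value,
    when, and from which client address: one tuple per configuration update."""
    hit = re.compile(r"=\s*" + re.escape(key_value) + r"\b")
    return [(r["timestamp"], r["UserID"], r["ClientAddress"])
            for r in records
            if r["EventType"] == "GeneralConfigurationUpdate"
            and hit.search(r["AuditDetails"])]
```

Run `changes_to_key(parse_trace(open("audit.log").read()), "7143")` against a trace collected through RTMT to get the timestamp, user and client address for each update to that DN.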

Comments
Cisco Employee

Thanks for the detailed explanation.

Cisco Employee

I kindly wanted to know whether the dnorpattern = 7143 is the one that portrays the deletion of the phone from the database, or do we check other parameters as well.

New Member

What tool did you use to read the .log file? I can read your example in Excel, but when I open my own it does not read the same at all. Thanks in advance! Bob
