12-14-2011 04:08 AM - edited 03-16-2019 08:32 AM
Hi all,
We are working for a customer for Voice transformation.
As part of country regulations, we need to secure the audit logs (add/modify/delete of partitions, CSS, etc.) on Cisco CUCM 8.5, and they should NOT be tampered with by anyone (not even Cisco CUCM Administrators). If somebody edits them, that should also be tracked.
Is there any way to meet this requirement? We can encrypt them while transferring to an FTP server, but then we are unable to load them to show to the auditors.
Regards....
-Ashok.
12-14-2011 04:35 AM
Ashok,
You can't edit the audit logs as they are stored on the CUCM 8.5 host. There is no facility to open/edit/save on the host. It is also not possible to download a file from CUCM, edit it, and upload it again.
The retention of said logs on the CUCM is a slightly different matter. They use a circular maintenance model by default. This is where you get into an off-box solution, which I think should be leveraged to comply with your audit requirements. Well, I said "should".
HTH.
Regards,
Bill
12-14-2011 04:42 AM
Thanks Bill for your quick reply.
Ok. This is great news. This means we can't access the audit logs from the Cisco CUCM CLI and edit them, right?
I am really concerned about the off-box solution. How can we store them on an off-box server (SFTP) and retrieve them when needed? Are there any third-party solutions for this?
Regards...
-Ashok.
12-14-2011 05:17 AM
Ok. This is great news. This means we can't access the audit logs from the Cisco CUCM CLI and edit them, right?
That is correct.
I am really concerned about the off-box solution. How can we store them on an off-box server (SFTP) and retrieve them when needed? Are there any third-party solutions for this?
I can think of two ways to get the audit logs off box. The first is leveraging the syslog facility. When you go to Tools > Audit Log Configuration in CCMService you can specify a syslog destination. That will send a copy of the audit log to a specific syslog server. That stream will not be encrypted in transit, though, which may or may not be a problem for your auditors. I imagine that if you can prove that it is near impossible for someone to introduce a man-in-the-middle scenario then you could go this route. Auditing isn't about who can see the info as much as it is about ensuring that malicious folks can't modify the info. Since you can specify a separate syslog destination, you can put these audit logs on a server that only select people can access.
The second route is SFTP and would involve some CLI scripting. You could set up a scheduled batch process on the secure repository (off-box host) that can SSH to the CUCM and run the necessary commands to SFTP files off box using the "file get
I am not aware of an API that can be used for audit logs (i.e. like CDR).
I think you can implement a solution that satisfies all needs. You may need to pull in some extra resources (internally or a consultant) to work on the finer details, but it isn't all that difficult to get from point A to point B.
Oh, and I think I recall seeing some product that does this but I don't recall the name and I didn't research it heavily since there are valid methods to do this without a software purchase.
HTH.
Regards,
Bill
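As an added example (not part of the thread and not Cisco code), here is how the off-box repository Bill describes could make the collected records tamper-evident, whichever way they arrive (syslog copy or scheduled SFTP pull). Each received line is linked to the previous one with an HMAC under a key that exists only on the repository host, so that someone who gains write access to the stored files, a CUCM administrator included, cannot edit, delete or reorder a record and recompute the chain without that key. Checking the chain tip against a value handed to the auditors out of band also catches a chain that has simply been cut short. The sample records are constructed and only loosely modelled on CUCM audit log lines; the key, user, address and partition names are assumptions.

```python
"""Tamper-evident store for audit records on the off-box repository.

Added example, not Cisco code and not part of the original thread. Assumes
the key lives only on the repository host (never on CUCM, never with the CUCM
administrators) and that the chain tip is published to the auditors out of
band (e.g. mailed daily) so truncation can be detected.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import List, Optional

GENESIS = "0" * 64  # "previous MAC" of the very first entry


@dataclass(frozen=True)
class Entry:
    seq: int      # position in the chain, 0-based
    prev: str     # MAC of the preceding entry (GENESIS for seq 0)
    record: str   # audit line exactly as received from CUCM (syslog or SFTP pull)
    mac: str      # HMAC-SHA256(key, seq || prev || record), hex


def _mac(key: bytes, seq: int, prev: str, record: str) -> str:
    # JSON gives an unambiguous, delimited framing of the three fields.
    msg = json.dumps([seq, prev, record], separators=(",", ":")).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(key: bytes, chain: List[Entry], record: str) -> Entry:
    """Link one received audit record to the current chain tip."""
    seq = len(chain)
    prev = chain[-1].mac if chain else GENESIS
    entry = Entry(seq, prev, record, _mac(key, seq, prev, record))
    chain.append(entry)
    return entry


def verify(key: bytes, chain: List[Entry], expected_tip: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    A modified record, a deleted or re-ordered entry, or an entry inserted
    without the key breaks the MAC or the linkage at that index. If the tip
    published to the auditors is supplied, a chain that has merely been cut
    short fails at index len(chain).
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if e.seq != i or e.prev != prev:
            return i
        if not hmac.compare_digest(e.mac, _mac(key, i, prev, e.record)):
            return i
        prev = e.mac
    if expected_tip is not None and not hmac.compare_digest(prev, expected_tip):
        return len(chain)
    return None


def to_jsonl(chain: List[Entry]) -> str:
    """Serialise for storage on the repository, one JSON object per line."""
    return "\n".join(json.dumps(asdict(e), separators=(",", ":")) for e in chain)


def from_jsonl(text: str) -> List[Entry]:
    return [Entry(**json.loads(line)) for line in text.splitlines() if line]


# Constructed sample records, loosely modelled on CUCM audit log lines
# (user, address and partition/CSS names are made up for this example).
SAMPLE_RECORDS = [
    "%UC_AUDITLOG-5-AdministrativeEvent: %[UserID=ccmadmin][ClientAddress=10.10.1.25]"
    "[Severity=5][EventType=UserLogging][ResourceAccessed=CUCMAdmin][EventStatus=Success]"
    "[AuditDetails=Successfully logged in]",
    "%UC_AUDITLOG-5-AdministrativeEvent: %[UserID=ccmadmin][ClientAddress=10.10.1.25]"
    "[Severity=5][EventType=GeneralConfigurationUpdate][ResourceAccessed=CUCMAdmin]"
    "[EventStatus=Success][AuditDetails=record in table routepartition with key field name = PT-Branch added]",
    "%UC_AUDITLOG-5-AdministrativeEvent: %[UserID=ccmadmin][ClientAddress=10.10.1.25]"
    "[Severity=5][EventType=GeneralConfigurationUpdate][ResourceAccessed=CUCMAdmin]"
    "[EventStatus=Success][AuditDetails=record in table callingsearchspace with key field name = CSS-Branch added]",
]


def build_sample_chain(key: bytes) -> List[Entry]:
    chain: List[Entry] = []
    for rec in SAMPLE_RECORDS:
        append(key, chain, rec)
    return chain


if __name__ == "__main__":
    key = b"repository-only-secret"   # assumption: held only on the repository host
    chain = build_sample_chain(key)
    published_tip = chain[-1].mac      # the value handed to the auditors
    print("intact:", verify(key, chain, published_tip))
    edited = list(chain)
    edited[1] = Entry(1, chain[1].prev,
                      chain[1].record.replace("PT-Branch", "PT-Other"), chain[1].mac)
    print("edited record detected at index:", verify(key, edited, published_tip))
    print("truncation detected at index:", verify(key, chain[:-1], published_tip))
```

The scheme only holds if the key and the published tip are outside the reach of the people being audited: anyone holding the key can rewrite the chain, so it should not be on the CUCM host or in the hands of the CUCM administrators, and the repository itself should be the access-restricted server Bill mentions. The unencrypted syslog stream remains a confidentiality concern, but once a record is chained on the repository, later modification or deletion is detectable, which is the property the auditors asked for.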
12-14-2011 09:59 PM
Hi Bill,
Thanks a lot for your detailed reply.
It has really given me some insight to possible solutions for this requirement.
Thanks again
Regards...
-Ashok.
12-14-2011 11:53 PM
Hi Ashok,
About your concern regarding the logs not being tampered with by anyone, one more thing to consider is that there is a specific user role that can be assigned to or removed from users, which enables the specified users to change the audit log settings (like setting the log level or disabling the logging altogether). You may consider removing this role from the CUCM administrator.
"...only a user with an audit role can change the audit log settings. By default, for Cisco Unified Communications Manager, the CCMAdministrator possesses the audit role after fresh installs and upgrades. The CCMAdministrator can assign any user that has auditing privileges to the Standard Audit Users group in the User Group Configuration window in Cisco Unified Communications Manager Administration. If you want to do so, you can then remove CCMAdministrator from the Standard Audit Users group." (CUCM 8.5 Serviceability Admin Guide)
Also, for scheduled secure transfer of these logs, an easier way might be to use the Real Time Monitoring Tool (RTMT), one time only, to schedule a log collection, setting the collection period (e.g. once a day) and the SFTP target.
Best Regards,
Baris.