Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Change Audit report mistery entry

An entry appeared in the change audit report with this parameters:

Device name:

User name= unknown

Application name= Configuration Archive

Host name= CWKS2K

Creation time= 16 May 2003 02:34:08 CDT

Connection mode= snmp

Category= Config

Message= Scheduled Update

This are the facts:

The details of the entry show an actual config change.

This is from a recent CW2K installation.

The ones who have the cwks password didn't make the change.

The change to the device config was made apparently by telnet by a network operator, but it is reported as made by snmp and from the server (CWKS2K)

Any ideas? is this entry incorrect? is this an indication of a password compromise? is this a normal entry of another procedure who could have changed the config? (we did not scheduled one)


Re: Change Audit report mistery entry

Was a config change made to this device?. If under Change Probe Setup, Syslog and/or Config Retrieval Schedule are checked then this would trigger an automatic config fetch by CW2K

New Member

Re: Change Audit report mistery entry

Yeah, the fact that the entry appeared in the change audit report was because a config retrieval was scheduled... what is making me wonder is the fact that the report indicates that a configuration change was made from the server via snmp at midnight, but we didnt scheduled any config from the cwks, which apparently leaves us with two options:

- Our password was compromised and the config was made from within cwks (not likely)

- The config change was made by other medium and the audit change reported it incorrectly (because the report says the config was made FROM the server).

Am I wrong with this or are there any other options?

CreatePlease login to create content