
Change Audit report mystery entry

sgonzalp
Level 1

An entry appeared in the change audit report with these parameters:

Device name: 20.23.40.2

User name= unknown

Application name= Configuration Archive

Host name= CWKS2K

Creation time= 16 May 2003 02:34:08 CDT

Connection mode= snmp

Category= Config

Message= Scheduled Update

These are the facts:

The details of the entry show an actual config change.

This is from a recent CW2K installation.

The ones who have the cwks password didn't make the change.

The change to the device config was made apparently by telnet by a network operator, but it is reported as made by snmp and from the server (CWKS2K).

Any ideas? Is this entry incorrect? Is this an indication of a password compromise? Is this a normal entry of another procedure that could have changed the config? (We did not schedule one.)

2 Replies

rmushtaq
Level 8

Was a config change made to this device? If under Change Probe Setup, Syslog and/or Config Retrieval Schedule are checked then this would trigger an automatic config fetch by CW2K.

Yeah, the fact that the entry appeared in the change audit report was because a config retrieval was scheduled... What is making me wonder is the fact that the report indicates that a configuration change was made from the server via snmp at midnight, but we didn't schedule any config from the cwks, which apparently leaves us with two options:

- Our password was compromised and the config was made from within cwks (not likely)

- The config change was made by another medium and the audit change reported it incorrectly (because the report says the config was made FROM the server).

Am I wrong with this or are there any other options?
