How to check if someone make changes in calling search space in a directory

asheesh.gupta11
Level 1

Hi All

A few days ago someone changed the CSS on a directory number. I just want to know how I can check which user made the change.

I have already downloaded the audit log and security log via RTMT but was not able to find out.

Accepted Solution

Hi There,

 

If someone changed the CSS of a directory number there should be an audit entry similar to the following (I pulled this from a CUCM 12 system with default audit logging enabled):


23:15:46.097 |LogMessage UserID : jsmith@example.com ClientAddress : 10.100.192.154 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration CorrelationID : AuditDetails : record in table numplan with key field dnorpattern = 1000 updated App ID: Cisco Tomcat Cluster ID: Node ID: example-pub-01

 

Breakdown:

  1. UserID: Ultimately this is what you are after. In your case, if a generic administrator account was being used, your only hope would be #2. This is a very important reason to give admins unique accounts and not use a generic admin account.

  2. Client Address: The IP address of the client who made the change. If the logs are available, cross reference the DHCP lease table to the MAC address of the client (buy a beer for your friends on the network team). Use the MAC of the client to ultimately determine which "machine" made the change. This may be further complicated if users share PCs or if they were using a wireless Windows 10 client (WiFi MAC addresses are randomized each connection).

  3. Event Type: "GeneralConfigurationUpdate" is the audit event type for a configuration change.

  4. AuditDetails: The DN with extension 1000 was updated.

 

For future reference, to figure out what to look for in a log when you don't know what to look for, re-create the config change or issue in a controlled manner and review the log. You can use the time of the change/issue or search on specific known keywords to find the reference log you created.

 

In this case I changed the CSS of a test DN (1000) while monitoring the audit log in real time. From the CLI of the CUCM node you are making the config change on, run "file tail activelog audit/AuditApp/ recent". I find this method easier than making a change and then downloading the log from RTMT...

 

Hope this helps!

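As an added example (not code from the answer above or from Cisco), a small Python parser for the AuditApp line format quoted above: it pulls out UserID, ClientAddress, EventType and the numplan key from AuditDetails, filters for changes to one DN, and falls back to the client IP when the login was a shared account. The field patterns are inferred from that one quoted line; the second sample line and the GENERIC_ACCOUNTS set are constructed assumptions.

```python
import re
from typing import Dict, List, Optional
# Constructed sample: line 1 is the entry quoted in the answer; line 2 is made up (DN 2001, generic "admin" login).
SAMPLE_LOG = """\
23:15:46.097 |LogMessage UserID : jsmith@example.com ClientAddress : 10.100.192.154 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration CorrelationID : AuditDetails : record in table numplan with key field dnorpattern = 1000 updated App ID: Cisco Tomcat Cluster ID: Node ID: example-pub-01
23:20:01.412 |LogMessage UserID : admin ClientAddress : 10.100.192.200 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration CorrelationID : AuditDetails : record in table numplan with key field dnorpattern = 2001 updated App ID: Cisco Tomcat Cluster ID: Node ID: example-pub-01
"""

# Fields are "Key : Value"; spacing around the colon varies, so match each one.
_FIELD = {
    "time": re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)"),
    "user": re.compile(r"UserID\s*:\s*(\S+)"),
    "client": re.compile(r"ClientAddress\s*:\s*(\S+)"),
    "event": re.compile(r"EventType\s*:\s*(\S+)"),
    "status": re.compile(r"EventStatus\s*:\s*(\S+)"),
    "details": re.compile(r"AuditDetails\s*:\s*(.*?)\s*App ID:"),
}
# The DN touched is the numplan key field inside AuditDetails.
_NUMPLAN = re.compile(r"table numplan with key field dnorpattern = (\S+)")
# Assumed set of shared logins that cannot answer "who"; adjust to your cluster.
GENERIC_ACCOUNTS = {"admin", "ccmadmin", "administrator"}

def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one AuditApp line, or None if it is not an audit record."""
    if "|LogMessage" not in line:
        return None
    entry = {}
    for name, rx in _FIELD.items():
        m = rx.search(line)
        entry[name] = m.group(1) if m else ""
    m = _NUMPLAN.search(entry["details"])
    entry["dn"] = m.group(1) if m else ""
    return entry

def find_dn_changes(log_text: str, dn: str) -> List[Dict[str, str]]:
    """Successful GeneralConfigurationUpdate records that touched the numplan row for dn."""
    return [e for e in map(parse_audit_line, log_text.splitlines())
            if e and e["dn"] == dn and e["event"] == "GeneralConfigurationUpdate"
            and e["status"] == "Success"]

def attribute(entry: Dict[str, str]) -> str:
    """The user to chase, or the client IP to pivot on when the login was shared."""
    if entry["user"].lower() in GENERIC_ACCOUNTS:
        return f"shared login '{entry['user']}': pivot on client {entry['client']} via DHCP lease -> MAC"
    return entry["user"]

if __name__ == "__main__":
    for e in find_dn_changes(SAMPLE_LOG, "1000"):
        print(e["time"], "DN", e["dn"], "changed by", attribute(e))
```

Run it against the AuditApp file downloaded from RTMT (or the output of the `file tail` command above) by reading that file into `find_dn_changes` in place of SAMPLE_LOG.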

4 Replies

Jonathan Schulenberg
Hall of Fame
The Audit Log can be downloaded using RTMT. By default it will include the username and GUID of the record modified (this is visible in the browser URL when viewing the DN). It won't say what they modified without enabling advanced logging, but you appear to already know what was changed and are only asking who.

Hi Jonathan

Thanks for your help.

It only shows that a user made a device update and a general configuration update, as shown in the attached screenshot, but I want to know who made the change to the CSS of a directory.

Is there any way to find out?

 

If the user did it from the Device Association page of the DN it likely caused a new DN record to be created/inserted in the DB. (Not in front of the lab or I would try to recreate.)

 

PS- That “CUCMAdmin” in the screenshot isn’t the built-in admin account I hope. That would undermine your ability to answer “who”.
