Hello,
I have seen a lot of customers looking for information on which user changed the configuration on the Call Manager.
Here is a Cisco document on the subject:
http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/service/8_0_1/admin/saaulog.html
Basically, audit logs can give you useful information on this issue.
The audit logs need to be set to detailed to capture the relevant information. To set them to detailed, follow these steps from the serviceability page:
Trace >> Configuration >> Server: select the publisher
Service group >> performances and monitor services
Service >> Cisco audit event service
Set it to detailed.
You can collect the audit logs from the RTMT tool:
Log in to RTMT >> Trace and Log Central >> Collect Files >> select the Cisco audit event service.
Now for the analysis:
I created a super user with the ID kusatija, logged in, and deleted the phone with DN 7143.
Here is a snippet from the trace:
Line 510: 12/14/2010 09:08:33.797 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails : record in table devicenumplanmap with key field dnorpattern = 7143 updated ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:cucmlab|
Line 511: 12/14/2010 09:08:42.794 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails : record in table devicenumplanmap with key field dnorpattern = 7143 updated ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:cucmlab|
Line 512: 12/14/2010 09:09:47.200 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails : record in table devicenumplanmap with key field dnorpattern = 7143 updated ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:cucmlab|
Line 514: 12/14/2010 09:35:51.504 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :UserLogging ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails :Successfully Logged out Cisco CCM Web Pages ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:cucmlab|
So basically you get the following information from the logs:
Timestamp: 12/14/2010 09:08:33.797
User ID: kusatija
DN deleted: 7143
IP address of the machine from which I logged in: 10.78.167.46
You can also track the MAC address of the phone deleted.
So the next time you need to know which user made config changes (such as deleting phones, users, MOH files, etc.) and at what time, you know where to look.
Attaching the logs from lab as well.
HTH
Kunal
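
Added example (not part of the original post and not Cisco tooling): a small Python parser for audit lines in the format of the trace snippet above, listing successful GeneralConfigurationUpdate events with the user, time, client address and the record touched. The field labels and the AuditDetails pattern are assumptions inferred only from the lines quoted in the post.

```python
import re
from datetime import datetime

# Field labels as they appear in the audit lines quoted in the post (assumed complete).
KEYS = ["UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
        "EventStatus", "AuditDetails", "ComponentID", "App ID", "Cluster ID", "Node ID"]
KEY_RE = re.compile(r"\b(%s)\s*:" % "|".join(map(re.escape, KEYS)))
LINE_RE = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \|LogMessage (.*)\|\s*$")
DETAIL_RE = re.compile(r"record in table (\w+) with key field (\w+) = (\S+) (\w+)")

# Two lines copied from the trace snippet in the post (editor "Line N:" prefix kept).
SAMPLE = [
    "Line 510: 12/14/2010 09:08:33.797 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails : record in table devicenumplanmap with key field dnorpattern = 7143 updated ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:cucmlab|",
    "Line 514: 12/14/2010 09:35:51.504 |LogMessage UserID :kusatija ClientAddress :10.78.167.46 Severity :5 EventType :UserLogging ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails :Successfully Logged out Cisco CCM Web Pages ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:cucmlab|",
]

def parse_line(line):
    """Return a dict of fields for one audit line, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"Timestamp": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")}
    body = m.group(2)
    hits = list(KEY_RE.finditer(body))
    # Each value runs from the end of its label to the start of the next label.
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(body)
        rec[cur.group(1)] = body[cur.end():end].strip()
    return rec

def config_changes(lines):
    """Successful GeneralConfigurationUpdate events: who, when, from where, what."""
    out = []
    for rec in filter(None, map(parse_line, lines)):
        if (rec.get("EventType"), rec.get("EventStatus")) != ("GeneralConfigurationUpdate", "Success"):
            continue
        d = DETAIL_RE.search(rec.get("AuditDetails", ""))
        table, field, value, action = d.groups() if d else (None, None, None, None)
        out.append({"when": rec["Timestamp"], "user": rec.get("UserID"),
                    "source": rec.get("ClientAddress"), "table": table,
                    "key": field, "value": value, "action": action})
    return out

if __name__ == "__main__":
    for change in config_changes(SAMPLE):
        print(change)
```

To use it on collected logs, pass the lines of an audit log file gathered through RTMT to config_changes() instead of SAMPLE.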