
CUCM 8.6 - Doubt about Audit Log

wilsonsant
Level 6

Hi Guys,

I have the following question: I enabled the audit log in Serviceability and made changes to IP Phone parameters. I collected the logs via RTMT, and I would like to know whether the logs from RTMT are able to show, for example, a change to the display of an IP phone. I did the test, but it didn't appear.

10:45:58.014 |LogMessage   UserID : administrator ClientAddress : 172.16.64.23 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : record in table device with key field name = ABCDEF222222 added App ID: Cisco Tomcat Cluster ID: Node ID: SPOCCMHOMOLOGA

10:46:38.731 |LogMessage   UserID : administrator ClientAddress : 172.16.64.23 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : record in table numplan with key field dnorpattern = 4002 updated App ID: Cisco Tomcat Cluster ID: Node ID: SPOCCMHOMOLOGA

Thanks,


Wilson                   


Aman Soi
VIP Alumni

Hi Wilson,

After you made the change, did you save the config?

regds,

aman

Hi Amanso,

I took one DN and changed the display and label text. The logs informed me that a change was made to the specific DN, but what was changed? This is the information that I need.

11:36:49.535 |LogMessage   UserID : administrator ClientAddress : 172.16.64.23 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : record in table numplan with key field dnorpattern = 4003 updated App ID: Cisco Tomcat Cluster ID: Node ID: SPOCCMHOMOLOGA

Updated, but what?

Is it possible to show the specific parameter that was changed?

Thanks,

Wilson

Hi Wilson,

This is quite possible: you just get that a change has been made, but what the specific change was cannot be tracked. You can track who did it and from which IP address.

The same is true for CSS and Partition as well.

Can you try making a change in the partition and CSS and see what appears?

regds,

aman

Hi Aman,

I changed the CSS and Partition and received the same information: updated. It did not show that I changed the CSS and Partition.

12:01:19.720 |LogMessage   UserID : administrator ClientAddress : 172.16.64.23 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : record in table numplan with key field dnorpattern = 4003 updated App ID: Cisco Tomcat Cluster ID: Node ID: SPOCCMHOMOLOGA

Rob Huffman
Hall of Fame

Hi Wilson,

In addition to the great info from Aman (+5 Aman!)

The Audit logs available with CUCM via RTMT will not show info down to that level of changes.

Have a look at Variphy, it does offer a very granular level of CUCM change audit tracking, plus an excellent "snapshot" feature.

http://variphy.com/products/enterprises/cisco-audit-log

Cheers!

Rob

"Your life is worth much more than gold." 

- Bob Marley

Hi Rob,

In more recent versions (CUCM 9.x, for example), is this service integrated? Or is it independent? Is this product offered by Variphy approved by Cisco?

Thanks,

Wilson

Hi Wilson,

One way, as suggested by Mr. Rob [+5], would be a third-party tool.

The other way around is to set the debug level to Debug, which is a somewhat difficult and crude way of finding changes.

Go to Cisco Unified Serviceability -> Trace -> Configuration -> Select Server -> Service Group as Database and Admin Services -> Service as Cisco CCMAdmin Web Service.

Set the Debug Trace Level to Debug and Apply on all nodes.

Go to Cisco Unified Serviceability -> Trace -> Configuration -> Select Server -> Service Group as Performance and Monitoring Services -> Service as Cisco Audit Event Service.

Set the Debug Trace Level to Detailed and Apply on all nodes.

Make the CSS/partition/Name change as you are doing and pull the following traces from RTMT:

RTMT -> System -> Tools -> Trace & Log Central -> Collect Files and check :

Cisco Audit Event Service

Cisco Audit Logs

Cisco CCMAdmin Web Service

Now download the logs: the audit logs will provide the IP address information and, for the same time, the CCMAdmin logs will provide the changed information.

Give it a try and check.

regds,

aman

Hi Aman,

I did the procedure and the scenario did not change (the changed field does not appear). In my test I changed the Partition and included the CSS, because the DN was configured without DN.

12:23:53.199 |LogMessage UserID : administrator ClientAddress : 172.16.64.23 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : record in table numplan with key field dnorpattern = 4004 added App ID: Cisco Tomcat Cluster ID: Node ID: SPOCCMHOMOLOGA

Thanks,


Regards,

Wilson

Hi Wilson,

No idea beyond this.

regds,

aman
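
An added example (not part of any post in this thread, and not Cisco or Variphy code): a parser for the audit lines quoted above that groups events per table and key, giving the timestamp, user and client address that the thread suggests looking up in the CCMAdmin traces. The field labels come from the quoted lines; the function names are made up here, and nothing is assumed about the CCMAdmin trace format.

```python
import re
from collections import defaultdict

# Audit lines copied from the posts in this thread.
SAMPLE = """\
10:45:58.014 |LogMessage   UserID : administrator ClientAddress : 172.16.64.23 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : record in table device with key field name = ABCDEF222222 added App ID: Cisco Tomcat Cluster ID: Node ID: SPOCCMHOMOLOGA
10:46:38.731 |LogMessage   UserID : administrator ClientAddress : 172.16.64.23 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : record in table numplan with key field dnorpattern = 4002 updated App ID: Cisco Tomcat Cluster ID: Node ID: SPOCCMHOMOLOGA
11:36:49.535 |LogMessage   UserID : administrator ClientAddress : 172.16.64.23 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : record in table numplan with key field dnorpattern = 4003 updated App ID: Cisco Tomcat Cluster ID: Node ID: SPOCCMHOMOLOGA
12:01:19.720 |LogMessage   UserID : administrator ClientAddress : 172.16.64.23 Severity : 5 EventType : GeneralConfigurationUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : record in table numplan with key field dnorpattern = 4003 updated App ID: Cisco Tomcat Cluster ID: Node ID: SPOCCMHOMOLOGA
"""

# Labels exactly as they appear in the quoted lines; values have no delimiters,
# so the line is split on the labels themselves.
LABELS = ["UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
          "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
          "AuditDetails", "App ID", "Cluster ID", "Node ID"]
HEAD = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) \|LogMessage\s+(.*)$")
SPLIT = re.compile(r"\s*\b(" + "|".join(map(re.escape, LABELS)) + r")\s*:\s*")
DETAIL = re.compile(r"record in table (\S+) with key field (\S+) = (\S+) (\w+)")


def parse_line(line):
    """Return the labelled fields of one audit line as a dict, or None."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    parts = SPLIT.split(m.group(2))  # ['', label, value, label, value, ...]
    rec = {"time": m.group(1)}
    rec.update(zip(parts[1::2], (v.strip() for v in parts[2::2])))
    d = DETAIL.search(rec.get("AuditDetails", ""))
    if d:
        rec["table"], rec["key_field"], rec["key"], rec["action"] = d.groups()
    return rec


def timeline(text):
    """Group events per (table, key) so repeated edits to one object line up."""
    out = defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        if "table" in rec:
            out[(rec["table"], rec["key"])].append(
                (rec["time"], rec["UserID"], rec["ClientAddress"], rec["action"]))
    return dict(out)


if __name__ == "__main__":
    for obj, events in timeline(SAMPLE).items():
        print(obj, events)
```

The output identifies who touched which record, from where and when, but, as the thread establishes, not which field changed.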