Log for changes to codecs?

ROGER MCGUIRE · ‎06-17-2013

Is anyone aware of a log anywhere that tracks changes made to individual an codec's configuration settings? The codecs are managed by a TMS system.

Danny De Ridder · ‎06-17-2013

Hello,

there's a feature on the codecs named 'audit logging'.All config changes will be logged together with login attempts.

The data can be stored in a file on the codec or you can opt to send it to a server.

Cheers,

Danny

ROGER MCGUIRE · ‎06-18-2013

Thanks Danny. Any idea where the data is logged if the "internal" option is chosen?

Danny De Ridder · ‎06-18-2013

Yes,

the log can be found under the directory :

/var/log/eventlog

And can be configured using :

xConfiguration Security Audit Server Address: ""

xConfiguration Security Audit Server Port: 514

xConfiguration Security Audit OnError Action: Ignore

xConfiguration Security Audit Logging Mode: Internal

You need to resboot the codec once you have enabled the logging.

You can also point your browser to the logfile.

http:///web/logs/file/current?file=eventlog%2Faudit.log

Regards,

Danny.

ROGER MCGUIRE · ‎06-18-2013

Thanks Danny, the reboot did it.

I see in the codec configuration that the external server audit logging function defaults to port 514. I assume that's UDP port 514 and is essentially a syslog type of thing? Is that correct?

Also, I've enabled internal audit logging on one of our codecs and I'm seeing tons of these messages (below). What is this? Is this the codec getting the status from the Intouch panel?

TY

Jun 18 11:00:48 (none) main: User (0) successfully executed command '/Message/Echo Text: InTouch' from .

Danny De Ridder · ‎06-18-2013

Those touch keepalives are indeed cluttering the logs.

Jun 18 20:02:35 (none) main: User (1001) successfully executed command '/Experimental/Peripherals/HeartBeat ID: 00:50:60:06:1E:55 Timeout: 30' from .

Jun 18 20:02:40 (none) main: User (1001) successfully executed command '/Experimental/Peripherals/HeartBeat ID: 00:50:60:06:1E:55 Timeout: 30' from .

Somebody should open an enhancement request to make these messages conditional.

The assumption about the UDP port 514 is incorrect. The syslog uses TCP.

See CSCts98937 - EX60/EX90 and C90/C60 unable to get Syslog working

That ddts is complaining about the fact that the syslog messages are sent using TCP and not UDP.

Is not changed to date, so the transport is still TCP.

ROGER MCGUIRE · ‎06-18-2013

Thanks Danny. I can't see that bug so it must not be public yet or something. But thanks for shaing the info, at least we know we should be looking for TCP, not UDP.

And yes, it would be great to set the level of audit logging like you can with most other syslog facilities. How would one open up an enhancement request? Also, do you know of anywhere to get the complete list of "audit" messages that can potentially be generated from the codec?

TY

Danny De Ridder · ‎06-18-2013

Hello,

I opened a new defect to avoid touch panel messages overwheling the audit logs.

CSCuh58528 - Touch panel heartbeat messages are overhelming the audit log

The type of messages logged are not really documented, at least, I am unaware of such a document. Maybe somebody else on the forum can comment.

The syslog level cannot be set to debug/warnings/informational/etc.

Some examples of messages are login attempt(s) and commands one executed.

Jun 18 21:15:28 (none) sshd[21037]: pam_unix(sshd:session): session opened for user root by (uid=0)

Jun 18 21:16:25 (none) main: User (0) successfully changed configuration '/SIP/ListenPort' to 'off' from sweet-brew-7.cisco.com.

Danny.

ROGER MCGUIRE · ‎06-18-2013

Thank you for doing that Danny. Much appreciated.

Thanks for your help today!

Sincerely, Roger