10-13-2010 07:02 AM - edited 03-19-2019 01:44 AM
I keep seeing this in my logs. Can anyone tell me what I can do to stop them?
At Tue Oct 12 10:01:14 CDT 2010 on node 10.220.1.12, the following SyslogSeverityMatchFound events generated:
SeverityMatch : Critical
MatchedEvent : Oct 12 10:01:02 CCMPUB local4 2 : 30426: CCMPUB: Oct 12 2010 10:01:02.954 -0500: %CSA-2-EVENT_ASVC_CONF_DENY: %[PID=4581][component=CiscoSecurityAgent] : The process '/bin/chown' (as user root(0) group root(0)) attempted to modify a Cisco Security Agent resource file /common/log/taos-log-b/syslog/csalog which is located in a Cisco directory. The operation was denied. [rule 287]
AppID : Cisco Syslog Agent
ClusterID :
NodeID : CCMPUB
TimeStamp : Tue Oct 12 10:01:03 CDT 2010
10-21-2010 02:46 AM
What is the CallManager version?
10-21-2010 08:44 AM
cm version 8.0.3.20000-2
10-21-2010 02:16 PM
Seems you are running into a known defect:
CSCti45564 SyslogSeverityMatchFound Alarm Fires for CSA Owner change
Symptom:
Alarm is being triggered saying that there is a security issue when there is not.
Workaround:
Disable CSA from cli "utils csa disable" to avoid the blocking.
You can review this information using the Bug Toolkit
(http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl) and the defect ID: CSCti45564
10-25-2010 08:17 AM
Looks like the versions this bug is fixed in aren't available for download yet,
can't wait though. I'll update when they are.