How to retrieve Webex authentication logs - no control center

erase startup reload · ‎03-25-2025

Hello!

We have a theory but are looking for a smoking gun. Two users are constantly being locked out. We determined that the attempts are coming from a CUCM server to the domain controller. I've checked and neither users webex phone is registered in CUCM.

I do not have access to RTMT, I cannot install it.

Is there a way to find authentication logs and prove that it's their webex phone trying to log in with old credentials?

I've got CLI access to CUCM nodes. I found this link (https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/211351-Collect-Communication-Manager-Logs-via-t.html) but I'm not sure which file would hold our authentication logs.

Any recommendations to help prove (or disprove) it's webex authentication attempts?
I recommended they just sign into the phone already and see if they continue to get locked out. I don't think that recommendation is going to happen until we prove to them "look, this is your phone, you need to do this or uninstall it."

Brad Magnani · ‎03-25-2025

If you're asking about which logs you'll need to look at CUCM's LDAP authentication requests, you'll want to gather the logs below that contain authentication failure attempts:

Cisco DirSync
Cisco Tomcat
Cisco Tomcat Security
EventViewer-Application Logs
EventViewer-System Logs

Then you can search those for the LDAP aliases for the users that are supposedly being re-attempted and see what they may show.

Roger Kallberg · ‎03-26-2025

Not a reply to your question but why can’t you install RTMT? If you provide a little more context we may be able to help you out with the challenge you’re facing.