CUCM/CUC Audit Log to Syslog

Dear all,

I'd like to collect user login/logout logs of the CUCM (10.5.2) Admin Page, and send them to an external server.

In the Serviceability Guide, audit logs include user logging event logs, and the setting fields have a syslog destination ("Server Name").

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/service/10_0_1/admin/CUCM_BK_CDDBCDEB_00_cisco-unified-servicability-merge-100/CUCM_BK_CDDBCDEB_00_cisco-unified-servicability-merge-100_chapter_0110.html#CUCM_TP_AE0C4B84_00

 

Can CUCM send audit logs to a syslog server?

(The guide says "This applies to IM and Presence Service only." Does it mean that only IM/P can send audit logs to a syslog server?)

 

If yes, can CUCM send the audit log to multiple syslog servers?

(I'm seeing about a redundancy of syslog servers.)

 

Regards,

Shinnosuke Takeda

 

Accepted Solution

valerie.kan
Level 5

The setting is under Cisco Unified Serviceability -> Tools -> Audit Log Configuration.

You should be able to see a box where you can enter the Server Name for Remote Syslog under the Application Audit log Settings section.

Looks like you can only have one such server.

Here is a sample syslog message that I got when I deleted a phone from a CUCM in my lab.

<189>8103: Oct 14 2015 05:50:19 AM.484 UTC :  %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =10.110.1.2][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID=CUCM11PUB]: Audit Event is generated by this application

 

View solution in original post
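As an added example (not part of the original posts and not Cisco code), here is a small Python parser for the audit syslog line shown in the answer above, of the kind a collector would run before alerting on admin activity. The field layout is inferred from that single sample, and the function and dictionary key names are assumptions chosen here.

```python
import re

# Sample line copied from the answer above (the only message shown on this page).
SAMPLE = (
    "<189>8103: Oct 14 2015 05:50:19 AM.484 UTC :  %UC_AUDITLOG-5-AdministrativeEvent: "
    "%[ UserID =administrator][ ClientAddress =10.110.1.2][ Severity =5]"
    "[ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin]"
    "[ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent]"
    "[ ComponentID =Cisco CUCM Administration]"
    "[ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted]"
    "[App ID=Cisco Tomcat][Cluster ID=][Node ID=CUCM11PUB]"
    ": Audit Event is generated by this application"
)

# <PRI>sequence: timestamp : %UC_AUDITLOG-<severity>-<name>: %[k=v][k=v]...
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): (?P<ts>.+?) :\s+"
    r"%UC_AUDITLOG-(?P<sev>\d)-(?P<name>\w+): %(?P<body>.*)$"
)
# The key ends at the first '='; the value runs to the closing ']' so it may
# itself contain '=' (as AuditDetails does). Assumes values never contain ']'.
FIELD = re.compile(r"\[\s*([^=\]]+?)\s*=([^\]]*)\]")


def parse_audit_line(line):
    """Return a dict for a UC_AUDITLOG syslog line, or None if it does not match."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    pri = int(m["pri"])
    fields = {key: value.strip() for key, value in FIELD.findall(m["body"])}
    severity = pri & 0x07           # syslog PRI = facility * 8 + severity
    return {
        "facility": pri >> 3,       # 23 = local7 for the sample
        "severity": severity,
        "sequence": int(m["seq"]),
        "timestamp": m["ts"],
        "event_name": m["name"],
        "fields": fields,
        # The severity appears three times (PRI, mnemonic, Severity field);
        # a mismatch suggests a relay rewrote or truncated the message.
        "consistent": str(severity) == m["sev"] == fields.get("Severity"),
    }


if __name__ == "__main__":
    event = parse_audit_line(SAMPLE)
    f = event["fields"]
    print(f["UserID"], f["ClientAddress"], f["EventType"], f["EventStatus"], f["AuditDetails"])
```
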

4 Replies 4

Manish Gogna
Cisco Employee

Hi Shinnosuke,

You can use the Scheduled Trace Collection option from RTMT to send the selected logs to a specified destination.

https://supportforums.cisco.com/document/31766/scheduled-trace-collection-rtmt-cucm-appliance-model

 

Manish

- Do rate helpful posts -

Hi Manish,

Thank you for your reply.

In "Action Options", I can select either "Download Files" or "Generate Syslog".

I understand that "Download Files" means the logs are sent to an external server via SFTP.

If I choose "Generate Syslog", what happens?

Are audit logs sent to an external syslog server?


Hi Valerie,

Thank you for your reply.

I understand how to send audit logs to a syslog server.

Regards,

Shinnosuke Takeda