You can capture the CUPS Audit logs. The login information will be shown as below ( example )
08:29:12.131 |Message Received LogMessage UserID : abcd ClientAddress
: 192.168.11.2 Severity : 6 EventType : UserLogging ResourceAccessed:
CUPCPA EventStatus : Success CompulsoryEvent : No AuditCategory :
AdministrativeEvent ComponentID : Cisco UP Client Profile Agent
AuditDetails : User login was successful. App ID: Cisco Tomcat Cluster ID:
Node ID: CUPS222.
Manish, I have an old version of CUPS (8.6.4). My log looks like this. Is this the same thing?
17:19:14.041 |LogMessage UserID : email@example.com/jabber_29783 ClientAddress : 10.0.12.64 Severity : 5 EventType : UserSessionCreation ResourceAccessed: JSM EventStatus : Success AuditDetails : User Session Created ComponentID : XCP Router CompulsoryEvent : No AuditCategory : UserEvent App ID: Cisco UP XCP Router Cluster ID: StandAloneClustera61ef Node ID: irvcups1
I also notice some of these events say "UserID : firstname.lastname@example.org/composed ClientAddress : unknown". What are those? They don't seem to be normal Jabber logins.
Based on the following
EventType : UserSessionCreation ResourceAccessed: JSM EventStatus : Success AuditDetails : User Session Created ComponentID : XCP Router
If Application Auditing is enabled on Cisco Unified Presence, an audit log is written when a user's JSM Session is created. This can occur when a user logs in a client to Cisco Unified Presence.
I am not too sure about your second question though, will look into it if i get later if i get some time.