[cisco-voip] CCM Audit Log - MLA?

Ryan Ratliff rratliff at cisco.com
Fri Jan 5 14:48:31 EST 2007 

Actually if you take the time to decipher the IIS logs you can get  
every bit of information possible in them.    Since you are using MLA  
you will even have the MLA username as well as the source IP address  
the request is coming from.

Here is me deleting a route pattern from the search page on a 4.1(3)  
box.  Notice the very searchable "method=..." part highlighted in red.

2007-01-05 19:46:07 14.48.39.100 rratliff (SQLSvc) 14.48.39.100 443  
GET /CCMAdmin/_RemoteScripts/rs_system.asp  
_method=deleteRoutePattern&_mtype=execute&pcount=2&p0=%7B030C6E22- 
EEC8-4AEF-AC42-27932C469A00%7D&p1= 200 0 Mozilla/4.0+(Windows+2000 
+5.0)+Java/1.4.2_05 -

A quick test shows that no matter where you delete the route pattern  
from (search page or directly on the route pattern page) the GET  
request looks the same.
Unfortunately the only way to identify which route pattern was  
deleted is by the pkid (p0 in the GET request).   If you know the  
approxmiate time though it should be easy enough to correlate deletions.

Once you have the IIS log entry you'll have the MLA username  
(rratliff above), the source IP address (14.48.39.100) and from there  
it's your call what to do with the info.  My vote is always to blame  
the intern ;)

-Ryan

On Jan 5, 2007, at 1:18 PM, Erick Bergquist wrote:

I thought about that to but I haven't used it yet, since it is a  
seperate product from ccm.

Between the MLA logs and the IIS logs, if they are available from the  
times. and after spending time to comb through them, you can get a  
little bit of a idea. Is a pain though.

If someone has access to VPT, can you post what a sample log would  
like for a change/deletion or view of a route pattern?

----- Original Message ----
From: "Simon, Bill" <bills at tns.its.psu.edu>
To: Lelio Fulgenzi <lelio at uoguelph.ca>
Cc: Robert Kulagowski <bob at smalltime.com>; Erick Bergquist  
<erickbe at yahoo.com>; ciscovoip <cisco-voip at puck.nether.net>
Sent: Friday, January 5, 2007 10:29:31 AM
Subject: Re: [cisco-voip] CCM Audit Log - MLA?

In the past I've been pointed to the Cisco Voice Provisioning Tool which
supposedly audits everything:

http://www.cisco.com/en/US/products/ps6524/ 
products_data_sheet0900aecd80313abd.html

Haven't had the opportunity to evaluate it yet.  We're not up to 4.0.5
on Unity.  (one of the minimum requirements)


Lelio Fulgenzi wrote:
> sorry, forgot to include that ArcanaNetworks promotes an application
> that creates a auditlog for you. i have yet to check it out, but they
> seem very co-operative.
>
> http://www.arcananet.com/products/MeVoIP.asp
>
> ---------------------------------------------------------------------- 
> ----------
> Lelio Fulgenzi, B.A.
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> "I can eat fifty eggs." "Nobody can eat fifty eggs."
>
>     ----- Original Message -----
>     *From:* Lelio Fulgenzi <mailto:lelio at uoguelph.ca>
>     *To:* Robert Kulagowski <mailto:bob at smalltime.com> ; Erick  
> Bergquist
>     <mailto:erickbe at yahoo.com>
>     *Cc:* ciscovoip <mailto:cisco-voip at puck.nether.net>
>     *Sent:* Friday, January 05, 2007 11:16 AM
>     *Subject:* Re: [cisco-voip] CCM Audit Log - MLA?
>
>     I believe even then, you don't get the granularity you want. You
>     know who accessed a specific page, like the route pattern page,  
> but
>     that's it.
>
>      
> ---------------------------------------------------------------------- 
> ----------
>     Lelio Fulgenzi, B.A.
>     Senior Analyst (CCS) * University of Guelph * Guelph, Ontario  
> N1G 2W1
>     (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
>      
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     "I can eat fifty eggs." "Nobody can eat fifty eggs."
>
>         ----- Original Message -----
>         *From:* Robert Kulagowski <mailto:bob at smalltime.com>
>         *To:* Erick Bergquist <mailto:erickbe at yahoo.com>
>         *Cc:* ciscovoip <mailto:cisco-voip at puck.nether.net>
>         *Sent:* Friday, January 05, 2007 11:13 AM
>         *Subject:* Re: [cisco-voip] CCM Audit Log - MLA?
>
>         Erick Bergquist wrote:
>> Does anyone know if there is a way to get a full audit log
>         with MLA?
>> It has log/trace files but they don't seem to log details of what
>> exactly was changed or viewed. Just the web page accessed,
>         and basic
>> info, user id, etc. The dir log seems to get more detailed but
>> doesn't list the exact changes made by a user either.
>>
>> Have a client where someone had removed a particular route
>         pattern,
>> and they are wanting to find out who and when the change was
>         made. It
>> was done awhile back it seems.
>
>         I asked the same question; check the archives for "MLA Command
>         History"
>         thread back in July / August.
>
>         Basically, the answer is "sort of, and not easily".




__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://puck.nether.net/pipermail/cisco-voip/attachments/20070105/3015b79c/attachment-0001.html

More information about the cisco-voip mailing list