[cisco-voip] CCM Audit Log - MLA?

Lelio Fulgenzi lelio at uoguelph.ca
Fri Jan 5 14:58:25 EST 2007 

'take the time' is the key here. the lack of the actual route pattern change hurts too. i'd rather say, show me all the changes done by this user at this time or show me all changes from here to here.

as we begin to get users logging on to CCMuser pages, it will be more important for us to troubleshoot mistakes they make to their own phone setup.

i hope a robust audit tool is somewhere down the line in CCM.
--------------------------------------------------------------------------------
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
"I can eat fifty eggs." "Nobody can eat fifty eggs."
  ----- Original Message ----- 
  From: Ryan Ratliff 
  To: Erick Bergquist 
  Cc: Simon, Bill ; Lelio Fulgenzi ; ciscovoip 
  Sent: Friday, January 05, 2007 2:48 PM
  Subject: Re: [cisco-voip] CCM Audit Log - MLA?


  Actually if you take the time to decipher the IIS logs you can get every bit of information possible in them.    Since you are using MLA you will even have the MLA username as well as the source IP address the request is coming from.  


  Here is me deleting a route pattern from the search page on a 4.1(3) box.  Notice the very searchable "method=..." part highlighted in red.


  2007-01-05 19:46:07 14.48.39.100 rratliff (SQLSvc) 14.48.39.100 443 GET /CCMAdmin/_RemoteScripts/rs_system.asp _method=deleteRoutePattern&_mtype=execute&pcount=2&p0=%7B030C6E22-EEC8-4AEF-AC42-27932C469A00%7D&p1= 200 0 Mozilla/4.0+(Windows+2000+5.0)+Java/1.4.2_05 -


  A quick test shows that no matter where you delete the route pattern from (search page or directly on the route pattern page) the GET request looks the same.
  Unfortunately the only way to identify which route pattern was deleted is by the pkid (p0 in the GET request).   If you know the approxmiate time though it should be easy enough to correlate deletions.


  Once you have the IIS log entry you'll have the MLA username (rratliff above), the source IP address (14.48.39.100) and from there it's your call what to do with the info.  My vote is always to blame the intern ;)


  -Ryan


  On Jan 5, 2007, at 1:18 PM, Erick Bergquist wrote:


  I thought about that to but I haven't used it yet, since it is a seperate product from ccm. 


  Between the MLA logs and the IIS logs, if they are available from the times. and after spending time to comb through them, you can get a little bit of a idea. Is a pain though. 


  If someone has access to VPT, can you post what a sample log would like for a change/deletion or view of a route pattern? 


  ----- Original Message ----
  From: "Simon, Bill" <bills at tns.its.psu.edu>
  To: Lelio Fulgenzi <lelio at uoguelph.ca>
  Cc: Robert Kulagowski <bob at smalltime.com>; Erick Bergquist <erickbe at yahoo.com>; ciscovoip <cisco-voip at puck.nether.net>
  Sent: Friday, January 5, 2007 10:29:31 AM
  Subject: Re: [cisco-voip] CCM Audit Log - MLA?


  In the past I've been pointed to the Cisco Voice Provisioning Tool which 
  supposedly audits everything:


  http://www.cisco.com/en/US/products/ps6524/products_data_sheet0900aecd80313abd.html


  Haven't had the opportunity to evaluate it yet.  We're not up to 4.0.5 
  on Unity.  (one of the minimum requirements)




  Lelio Fulgenzi wrote:
    sorry, forgot to include that ArcanaNetworks promotes an application 
    that creates a auditlog for you. i have yet to check it out, but they 
    seem very co-operative.


    http://www.arcananet.com/products/MeVoIP.asp


    --------------------------------------------------------------------------------
    Lelio Fulgenzi, B.A.
    Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
    (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    "I can eat fifty eggs." "Nobody can eat fifty eggs."


        ----- Original Message -----
        *From:* Lelio Fulgenzi <mailto:lelio at uoguelph.ca>
        *To:* Robert Kulagowski <mailto:bob at smalltime.com> ; Erick Bergquist
        <mailto:erickbe at yahoo.com>
        *Cc:* ciscovoip <mailto:cisco-voip at puck.nether.net>
        *Sent:* Friday, January 05, 2007 11:16 AM
        *Subject:* Re: [cisco-voip] CCM Audit Log - MLA?


        I believe even then, you don't get the granularity you want. You
        know who accessed a specific page, like the route pattern page, but
        that's it.


        --------------------------------------------------------------------------------
        Lelio Fulgenzi, B.A.
        Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
        (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        "I can eat fifty eggs." "Nobody can eat fifty eggs."


            ----- Original Message -----
            *From:* Robert Kulagowski <mailto:bob at smalltime.com>
            *To:* Erick Bergquist <mailto:erickbe at yahoo.com>
            *Cc:* ciscovoip <mailto:cisco-voip at puck.nether.net>
            *Sent:* Friday, January 05, 2007 11:13 AM
            *Subject:* Re: [cisco-voip] CCM Audit Log - MLA?


            Erick Bergquist wrote:
      Does anyone know if there is a way to get a full audit log
            with MLA?
      It has log/trace files but they don't seem to log details of what
      exactly was changed or viewed. Just the web page accessed,
            and basic
      info, user id, etc. The dir log seems to get more detailed but
      doesn't list the exact changes made by a user either.


      Have a client where someone had removed a particular route
            pattern,
      and they are wanting to find out who and when the change was
            made. It
      was done awhile back it seems.


            I asked the same question; check the archives for "MLA Command
            History"
            thread back in July / August.


            Basically, the answer is "sort of, and not easily".








  __________________________________________________
  Do You Yahoo!?
  Tired of spam?  Yahoo! Mail has the best spam protection around 
  http://mail.yahoo.com 


  _______________________________________________
  cisco-voip mailing list
  cisco-voip at puck.nether.net
  https://puck.nether.net/mailman/listinfo/cisco-voip

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://puck.nether.net/pipermail/cisco-voip/attachments/20070105/ceaf6035/attachment.html

More information about the cisco-voip mailing list