[cisco-voip] CCM Audit Log - MLA?

Lelio Fulgenzi lelio at uoguelph.ca
Fri Jan 5 15:44:27 EST 2007


I know there are PERS and the CIPTUG FAC tool, but are there product managers that are listening in on this mailing list? Would it be at all beneficial for us to run completely unscientific polls to substantiate some of our claims? Could this be brought forward to anyone of importance?

--------------------------------------------------------------------------------
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
"I can eat fifty eggs." "Nobody can eat fifty eggs."
  ----- Original Message ----- 
  From: Simon, Bill 
  To: Ryan Ratliff 
  Cc: Erick Bergquist ; Lelio Fulgenzi ; ciscovoip 
  Sent: Friday, January 05, 2007 3:13 PM
  Subject: Re: [cisco-voip] CCM Audit Log - MLA?


  Frankly this is ridiculous.  My CCM Event Logs are filled with 
  registrations, unregistrations, transient connection attempts, and 
  things of similar importance.  Actually these are not very important at 
  all.  But something HUGELY important - like the addition or removal of a 
  route pattern - we have to grep through web server logs to find evidence 
  of??  And even then all we can see is that a pattern was deleted - not 
  what it actually was.

  Heck, man, I'd be sending out SNMP traps, e-mail, sounding klaxons (well 
  maybe not) if someone deleted a route pattern...

  Seems to me that CallManager was designed for ONE operator/admin, and 
  the idea that multiple people would be administering it was an 
  afterthought.  (Well, MLA was only added in 4.x, right?)

  Ryan Ratliff wrote:
  > Actually if you take the time to decipher the IIS logs you can get every 
  > bit of information possible in them.    Since you are using MLA you will 
  > even have the MLA username as well as the source IP address the request 
  > is coming from.  
  > 
  > Here is me deleting a route pattern from the search page on a 4.1(3) 
  > box.  Notice the very searchable "method=..." part highlighted in red.
  > 
  > 2007-01-05 19:46:07 14.48.39.100 rratliff (SQLSvc) 14.48.39.100 443 GET 
  > /CCMAdmin/_RemoteScripts/rs_system.asp 
  > _method=deleteRoutePattern&_mtype=execute&pcount=2&p0=%7B030C6E22-EEC8-4AEF-AC42-27932C469A00%7D&p1= 
  > 200 0 Mozilla/4.0+(Windows+2000+5.0)+Java/1.4.2_05 -
  > 
  > A quick test shows that no matter where you delete the route pattern 
  > from (search page or directly on the route pattern page) the GET request 
  > looks the same.
  > Unfortunately the only way to identify which route pattern was deleted 
  > is by the pkid (p0 in the GET request).   If you know the approximate 
  > time though it should be easy enough to correlate deletions.
  > 
  > Once you have the IIS log entry you'll have the MLA username (rratliff 
  > above), the source IP address (14.48.39.100) and from there it's your 
  > call what to do with the info.  My vote is always to blame the intern ;)
  > 
  > -Ryan
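
Added example, not part of the original thread: a small Python filter that pulls the fields Ryan points out (MLA username, source IP, `_method`, and the pkid in `p0`) out of IIS log lines. The field layout is inferred from the one sample line quoted above, and the second and third sample lines, including their user name, address and page name, are constructed.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs

# Assumption: field order inferred from the single sample line in the thread;
# on a real server, confirm it against the "#Fields:" header of the log file.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src_ip>\S+) (?P<user>\S+) .*?"
    r"(?P<stem>/CCMAdmin/\S+) (?P<query>\S+) (?P<status>\d{3}) "
)

def find_config_changes(lines, watched=("deleteRoutePattern",)):
    """Return one record per CCMAdmin request whose _method is in `watched`."""
    hits = []
    for line in lines:
        if line.startswith("#"):  # W3C header lines (#Fields:, #Date:, ...)
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        params = parse_qs(m["query"], keep_blank_values=True)
        method = params.get("_method", [""])[0]
        if method not in watched:
            continue
        hits.append({
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "src_ip": m["src_ip"],
            "method": method,
            "pkid": params.get("p0", [""])[0].strip("{}"),  # parse_qs decodes %7B/%7D
            "status": int(m["status"]),
        })
    return hits

RS = "/CCMAdmin/_RemoteScripts/rs_system.asp _method=deleteRoutePattern&_mtype=execute&pcount=2"
SAMPLE_LOG = [
    # Line quoted in the thread, rejoined onto one line.
    "2007-01-05 19:46:07 14.48.39.100 rratliff (SQLSvc) 14.48.39.100 443 GET " + RS
    + "&p0=%7B030C6E22-EEC8-4AEF-AC42-27932C469A00%7D&p1= 200 0 Mozilla/4.0+(Windows+2000+5.0)+Java/1.4.2_05 -",
    # Constructed: an ordinary page view that must not be reported.
    "2007-01-05 19:45:02 14.48.39.100 rratliff (SQLSvc) 14.48.39.100 443 GET /CCMAdmin/constructed_page.asp - 200 0 Mozilla/4.0 -",
    # Constructed: a second deletion from a placeholder user, address and pkid.
    "2007-01-05 20:02:41 192.0.2.10 constructed_admin (SQLSvc) 14.48.39.100 443 GET " + RS
    + "&p0=%7B00000000-0000-0000-0000-000000000000%7D&p1= 200 0 Mozilla/4.0 -",
]

if __name__ == "__main__":
    for h in find_config_changes(SAMPLE_LOG):
        print(h["when"].isoformat(), h["user"], h["src_ip"], h["method"], h["pkid"])
```

The pkid still has to be matched against a record of the route patterns to learn which pattern was removed, as the thread notes.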