[cisco-voip] CCM Audit Log - MLA?

Ryan Ratliff rratliff at cisco.com
Fri Jan 5 16:02:04 EST 2007


I wasn't around when CM was designed but I will point out that MLA  
has been around for quite a while.  Before 4.0 however you had to  
install it from the plugins page.

I have no idea of what is coming down the road as far as tracking  
changes via MLA, etc.  I'm not involved in those decisions and those  
that are probably like it that way.

The 5 or so TAC SRs I've worked in the past where we needed to track  
down a specific change made by someone the IIS logs have proved  
extremely useful so that's what I use.

Since you brought up the device unregistrations, transients, etc in  
the app log as something you don't find helpful there have been many  
hundreds of cases where I've had to use those to follow failovers,  
high cpu (did you know vg248 ports that aren't in the database try to  
register once per second...).

-Ryan

On Jan 5, 2007, at 3:13 PM, Simon, Bill wrote:

Frankly this is ridiculous.  My CCM Event Logs are filled with  
registrations, unregistrations, transient connection attempts, and  
things of similar importance.  Actually these are not very important  
at all.  But something HUGELY important - like the addition or  
removal of a route pattern - we have to grep through web server logs  
to find evidence of??  And even then all we can see is that a pattern  
was deleted - not what it actually was.

Heck, man, I'd be sending out SNMP traps, e-mail, sounding klaxons  
(well maybe not) if someone deleted a route pattern...

Seems to me that CallManager was designed for ONE operator/admin, and  
the idea that multiple people would be administering it was an  
afterthought.  (Well, MLA was only added in 4.x, right?)

Ryan Ratliff wrote:
> Actually if you take the time to decipher the IIS logs you can get  
> every bit of information possible in them.    Since you are using  
> MLA you will even have the MLA username as well as the source IP  
> address the request is coming from.  Here is me deleting a route  
> pattern from the search page on a 4.1(3) box.  Notice the very  
> searchable "method=..." part highlighted in red.
> 2007-01-05 19:46:07 14.48.39.100 rratliff (SQLSvc) 14.48.39.100 443 GET /CCMAdmin/_RemoteScripts/rs_system.asp _method=deleteRoutePattern&_mtype=execute&pcount=2&p0=%7B030C6E22-EEC8-4AEF-AC42-27932C469A00%7D&p1= 200 0 Mozilla/4.0+(Windows+2000+5.0)+Java/1.4.2_05 -
> A quick test shows that no matter where you delete the route  
> pattern from (search page or directly on the route pattern page)  
> the GET request looks the same.
> Unfortunately the only way to identify which route pattern was  
> deleted is by the pkid (p0 in the GET request).   If you know the  
> approximate time though it should be easy enough to correlate  
> deletions.
> Once you have the IIS log entry you'll have the MLA username  
> (rratliff above), the source IP address (14.48.39.100) and from  
> there it's your call what to do with the info.  My vote is always  
> to blame the intern ;)
> -Ryan

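The log search described in the quoted message, as an added example that is not part of the original thread or Cisco's tooling: it pulls the timestamp, MLA username, source IP and pkid (p0) out of IIS log lines whose `_method` is `deleteRoutePattern`. It assumes the field order of the sample line, with the first address being the client; the function name, the `#` directive line and the last two sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Field order assumed from the sample line quoted in the message above:
# date time client-ip username server-ip port verb uri-stem uri-query status ...
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src_ip>\S+) (?P<user>\S.*?) (?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<port>\d+) (?P<verb>[A-Z]+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})\b"
)
STEM = "/CCMAdmin/_RemoteScripts/rs_system.asp"
# Entry 2 is the sample from the message with its wrapped lines rejoined;
# entries 1, 3 and 4 are constructed test input.
SAMPLE = [
    "# constructed directive line, skipped by the parser",
    "2007-01-05 19:46:07 14.48.39.100 rratliff (SQLSvc) 14.48.39.100 443 GET " + STEM
    + " _method=deleteRoutePattern&_mtype=execute&pcount=2"
    + "&p0=%7B030C6E22-EEC8-4AEF-AC42-27932C469A00%7D&p1="
    + " 200 0 Mozilla/4.0+(Windows+2000+5.0)+Java/1.4.2_05 -",
    "2007-01-05 19:47:10 14.48.39.100 rratliff (SQLSvc) 14.48.39.100 443 GET " + STEM
    + " _method=constructedOtherCall&_mtype=execute&pcount=0 200 0 Mozilla/4.0 -",
    "2007-01-05 20:03:41 192.0.2.7 jdoe 14.48.39.100 443 GET " + STEM
    + " _method=deleteRoutePattern&_mtype=execute&pcount=2"
    + "&p0=%7B00000000-0000-0000-0000-000000000001%7D&p1= 200 0 Mozilla/4.0 -",
]

def find_admin_calls(lines, method="deleteRoutePattern"):
    """Return one dict per CCMAdmin request whose _method equals `method`."""
    hits = []
    for line in lines:
        if line.startswith("#"):  # log directive/header lines carry no requests
            continue
        m = LINE_RE.match(line.strip())
        if not m or not m["stem"].lower().startswith("/ccmadmin/"):
            continue
        params = parse_qs(m["query"], keep_blank_values=True)
        if params.get("_method", [""])[0] != method:
            continue
        hits.append({
            "when": f'{m["date"]} {m["time"]}',
            "user": m["user"].split()[0],         # "rratliff" from "rratliff (SQLSvc)"
            "source_ip": m["src_ip"],
            "status": int(m["status"]),
            "pkid": params.get("p0", [""])[0],    # URL-decoded pkid of the deleted pattern
        })
    return hits
```

The pkid is still only an identifier, so naming the deleted pattern means correlating it by time as the message suggests.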
