[cisco-voip] CCM Audit Log - MLA?

Ryan Ratliff rratliff at cisco.com
Sun Jan 7 10:37:09 EST 2007 

Only if you have a backup file from prior to the deletion.  If it's a rar
you can extract the sql backup, restore it on some random sql server and go
digging there.
 

-Ryan 

 

  _____  

From: Erick Bergquist [mailto:erickbe at yahoo.com] 
Sent: Friday, January 05, 2007 5:37 PM
To: Ryan Ratliff
Cc: Simon, Bill; Lelio Fulgenzi; ciscovoip
Subject: Re: [cisco-voip] CCM Audit Log - MLA?


I had done this on lab system earlier and got the text... the only problem
is the pkid value of object wouldn't probably be in database anymore after
it was deleted.  I haven't dug further past the IIS logs but if it's deleted
from the database, then is there another way to track down what the pkid
was?


----- Original Message ----
From: Ryan Ratliff <rratliff at cisco.com>
To: Erick Bergquist <erickbe at yahoo.com>
Cc: "Simon, Bill" <bills at tns.its.psu.edu>; Lelio Fulgenzi
<lelio at uoguelph.ca>; ciscovoip <cisco-voip at puck.nether.net>
Sent: Friday, January 5, 2007 1:48:31 PM
Subject: Re: [cisco-voip] CCM Audit Log - MLA?

Actually if you take the time to decipher the IIS logs you can get every bit
of information possible in them.    Since you are using MLA you will even
have the MLA username as well as the source IP address the request is coming
from.   

Here is me deleting a route pattern from the search page on a 4.1(3) box.
Notice the very searchable "method=..." part highlighted in red.

2007-01-05 19:46:07 14.48.39.100 rratliff (SQLSvc) 14.48.39.100 443 GET
/CCMAdmin/_RemoteScripts/rs_system.asp
_method=deleteRoutePattern&_mtype=execute&pcount=2&p0=%7B030C6E22-EEC8-4AEF-
AC42-27932C469A00%7D&p1= 200 0 Mozilla/4.0+(Windows+2000+5.0)+Java/1.4.2_05
-

A quick test shows that no matter where you delete the route pattern from
(search page or directly on the route pattern page) the GET request looks
the same.
Unfortunately the only way to identify which route pattern was deleted is by
the pkid (p0 in the GET request).   If you know the approxmiate time though
it should be easy enough to correlate deletions.

Once you have the IIS log entry you'll have the MLA username (rratliff
above), the source IP address (14.48.39.100) and from there it's your call
what to do with the info.  My vote is always to blame the intern ;)

-Ryan

On Jan 5, 2007, at 1:18 PM, Erick Bergquist wrote:

I thought about that to but I haven't used it yet, since it is a seperate
product from ccm. 

Between the MLA logs and the IIS logs, if they are available from the times.
and after spending time to comb through them, you can get a little bit of a
idea. Is a pain though. 

If someone has access to VPT, can you post what a sample log would like for
a change/deletion or view of a route pattern? 

----- Original Message ----
From: "Simon, Bill" <bills at tns.its.psu.edu>
To: Lelio Fulgenzi <lelio at uoguelph.ca>
Cc: Robert Kulagowski <bob at smalltime.com>; Erick Bergquist
<erickbe at yahoo.com>; ciscovoip <cisco-voip at puck.nether.net>
Sent: Friday, January 5, 2007 10:29:31 AM
Subject: Re: [cisco-voip] CCM Audit Log - MLA?

In the past I've been pointed to the Cisco Voice Provisioning Tool which 
supposedly audits everything:

http://www.cisco.com/en/US/products/ps6524/products_data_sheet0900aecd80313a
bd.html

Haven't had the opportunity to evaluate it yet.  We're not up to 4.0.5 
on Unity.  (one of the minimum requirements)


Lelio Fulgenzi wrote:

sorry, forgot to include that ArcanaNetworks promotes an application 
that creates a auditlog for you. i have yet to check it out, but they 
seem very co-operative.

http://www.arcananet.com/products/MeVoIP.asp

----------------------------------------------------------------------------
----
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"I can eat fifty eggs." "Nobody can eat fifty eggs."

    ----- Original Message -----
    *From:* Lelio Fulgenzi <mailto:lelio at uoguelph.ca>
    *To:* Robert Kulagowski <mailto:bob at smalltime.com> ; Erick Bergquist
    <mailto:erickbe at yahoo.com>
    *Cc:* ciscovoip <mailto:cisco-voip at puck.nether.net>
    *Sent:* Friday, January 05, 2007 11:16 AM
    *Subject:* Re: [cisco-voip] CCM Audit Log - MLA?

    I believe even then, you don't get the granularity you want. You
    know who accessed a specific page, like the route pattern page, but
    that's it.

 
----------------------------------------------------------------------------
----
    Lelio Fulgenzi, B.A.
    Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
    (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    "I can eat fifty eggs." "Nobody can eat fifty eggs."

        ----- Original Message -----
        *From:* Robert Kulagowski <mailto:bob at smalltime.com>
        *To:* Erick Bergquist <mailto:erickbe at yahoo.com>
        *Cc:* ciscovoip <mailto:cisco-voip at puck.nether.net>
        *Sent:* Friday, January 05, 2007 11:13 AM
        *Subject:* Re: [cisco-voip] CCM Audit Log - MLA?

        Erick Bergquist wrote:

Does anyone know if there is a way to get a full audit log

        with MLA?

It has log/trace files but they don't seem to log details of what
exactly was changed or viewed. Just the web page accessed,

        and basic

info, user id, etc. The dir log seems to get more detailed but
doesn't list the exact changes made by a user either.

Have a client where someone had removed a particular route

        pattern,

and they are wanting to find out who and when the change was

        made. It

was done awhile back it seems.


        I asked the same question; check the archives for "MLA Command
        History"
        thread back in July / August.

        Basically, the answer is "sort of, and not easily".





__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip



__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://puck.nether.net/pipermail/cisco-voip/attachments/20070107/c9dd70b2/attachment.html

More information about the cisco-voip mailing list