[cisco-voip] R: A way to track admin changes in CUCM 6.x

Ahmed Elnagar ahmed_elnagar at rayacorp.com
Thu May 20 12:34:06 EDT 2010 

Mentioning  other products like billing and recording….anyone has a recommendation for them “specially call recording” we tried so many products at different customer site…and never had a product that really stable and satisfy all customer needs….any recommendations?

 

 Best Regards;

  Ahmed Elnagar

  Senior Network PS Engineer

  Mob: +2019-0016211

  CCIE#24697 (Voice)

   

 

From: Lelio Fulgenzi [mailto:lelio at uoguelph.ca] 
Sent: Thursday, May 20, 2010 6:33 PM
To: Ahmed Elnagar
Cc: cisco-voip at puck.nether.net; Ryan Ratliff
Subject: Re: [cisco-voip] R: A way to track admin changes in CUCM 6.x

 

I think this is also one of those things that Cisco will never fix because of the financial investment it's partners have put into it. Just like recording, paging, etc.

But still, 3rd party systems rely on system level settings to build groups and/or multi-level admin (or role based) solutions. For example, you want someone to admin a group of phones? They have to be in a separate device pool or partition or search space. What the system should have is either a user defined field(s) for each phone, or a specific field(s) assigned for multi-level admin. Administration rarely has anything to do with the operation of the phones, i.e. device pool. 

My 2cents. 

---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it. 
                              - LFJ (with apologies to Mr. Popeil)


----- Original Message -----
From: "Ahmed Elnagar" <ahmed_elnagar at rayacorp.com>
To: "Ryan Ratliff" <rratliff at cisco.com>
Cc: cisco-voip at puck.nether.net
Sent: Thursday, May 20, 2010 11:29:08 AM GMT -05:00 US/Canada Eastern
Subject: Re: [cisco-voip] R: A way to track admin changes in CUCM 6.x

Actually this is a very old limitation in CallManager and a lot of customers are asking for a more detailed “easy to read” log.

 

 Best Regards;

  Ahmed Elnagar

  Senior Network PS Engineer

  Mob: +2019-0016211

  CCIE#24697 (Voice)

 

 

From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ryan Ratliff
Sent: Wednesday, May 19, 2010 11:07 PM
To: Jason Aarons (US)
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] R: A way to track admin changes in CUCM 6.x

 

Everything except HTTP posts are in the Tomcat access logs, it just takes a bit of investigative work to understand exactly what a given change looks like.  A GET request will contain info like pkids, etc but unfortunately a POST will just have the URL, not the parameters passed in the request.

 

For example I logged into CCMAdmin on my 7.1(3) server and deleted a phone (from the search page).

Here is the audit log (Audit0000000x.log) entry.

 

05/19/2010 15:53:54.936 |LogMessage   UserID :administrator  ClientAddress :172.18.251.29  Severity :5  EventType :GeneralConfigurationUpdate  ResourceAccessed:CUCMAdmin  EventStatus :Success  AuditDetails :record in table device, with key field name = SEPABCDABCDAADD deleted  ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:rratliff-cm7|

 

Here is the Tomcat access log entry (localhost_access_log2010-05-19.txt):

[19/May/2010:15:53:55 -0400] 172.18.251.29 172.18.251.29 administrator - 8443 POST /ccmadmin/phoneFLDeleteSelected.do ?recCnt=9&colCnt=8 HTTP/1.1 200 96499 416

 

So you can see clearly here the audit log had more info than the access log.  Because phoneFLDeleteSelected.do was called we can see I deleted something, but not what.

 

Now I deleted a phone from the device page, not the search page.

 

Audit log:

05/19/2010 16:00:16.524 |LogMessage   UserID :administrator  ClientAddress :172.18.251.29  Severity :5  EventType :GeneralConfigurationUpdate  ResourceAccessed:CUCMAdmin  EventStatus :Success  AuditDetails : record in table device with key field name = ABCDABCDABCD deleted   ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:rratliff-cm7|

 

Access log:

[19/May/2010:16:00:16 -0400] 172.18.251.29 172.18.251.29 administrator - 8443 POST /ccmadmin/phoneDelete.do  HTTP/1.1 200 73099 383

 

Again, nothing terribly useful in the access log other than I deleted some phone.  However if we look a few lines above we see this:

[19/May/2010:16:00:10 -0400] 172.18.251.29 172.18.251.29 administrator - 8443 GET /ccmadmin/gendeviceEdit.do ?key=fe651e23-fb2b-14d2-5a30-5843f9172658 HTTP/1.1 200 300148 958

 

This tells me that the same source IP, and same userid went into a phone's device page (gendeviceEdit.do) and the device had a pkid of fe651e23-fb2b-14d2-5a30-5843f9172658.

 

A quick peek into the ccm device table in a backup, or maybe even in the installdb log file from the last upgrade would let you tie that pkid to a device name.

 

-Ryan

 

On May 19, 2010, at 3:46 PM, Jason Aarons (US) wrote:

 

I had a customer use the CLI to query the database and show a line with a userid and what he changed. Since it wasn’t my userid or my teams I didn’t pay much attention.  But in short someone deleted a DN in production causing a outage and he was tracing it back. Turns out it was his teammate.    I haven’t used the Audi GUI view or recall what the CLI query was.

 

From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Matthew Saskin
Sent: Wednesday, May 19, 2010 12:17 PM
To: l.durso at gmail.com
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] R: A way to track admin changes in CUCM 6.x

 

The audit feature in 7x+ isn't all that useful.  It does not give you details on who made specific changes.

Matthew Saskin
msaskin at gmail.com
203-253-9571

July 18, 2010 - 1500m swim (in the hudson), 40k bike, 10k run
Please support the Leukemia & Lyphoma Society
http://pages.teamintraining.org/nyc/nyctri10/msaskin

On Wed, May 19, 2010 at 11:54 AM, Leonardo D'Urso <l.durso at gmail.com> wrote:

Hi Rob

I know this is the audit feature. It is supported since 7.x.

Ciao
Leonardo

---
Leonardo D'Urso
l.durso at gmail.com
Sent from my BlackBerry®


-----Original Message-----
From: "Leetun, Rob" <rleetun at bouldercounty.org>
Date: Wed, 19 May 2010 09:43:02
To: <cisco-voip at puck.nether.net>
Subject: [cisco-voip] A way to track admin changes in CUCM 6.x

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

 

 

________________________________

 

Disclaimer: This e-mail communication and any attachments may contain confidential and privileged information and is for use by the designated addressee(s) named above only. If you are not the intended addressee, you are hereby notified that you have received this communication in error and that any use or reproduction of this email or its contents is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer. Thank you.

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

 

 

Disclaimer: NOTICE The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. Raya will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any malicious code or virus being passed on. Views expressed in this communication are not necessarily those of Raya.If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return and/or destroy the original message. 
_______________________________________________ cisco-voip mailing list cisco-voip at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip 

Disclaimer: NOTICE The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. Raya will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any malicious code or virus being passed on. Views expressed in this communication are not necessarily those of Raya.If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return and/or destroy the original message. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20100520/5c2f851e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1801 bytes
Desc: image001.jpg
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20100520/5c2f851e/attachment.jpe>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1806 bytes
Desc: image002.jpg
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20100520/5c2f851e/attachment-0001.jpe>

More information about the cisco-voip mailing list