<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<STYLE type=text/css>DIV {
MARGIN: 0px
}
</STYLE>
<META content="MSHTML 6.00.2900.3020" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=475283615-07012007><FONT face=Arial
color=#0000ff size=2>Only if you have a backup file from prior to the
deletion. If it's a rar you can extract the sql backup, restore it on some
random sql server and go digging there.</FONT></SPAN></DIV>
<DIV> </DIV><!-- Converted from text/plain format -->
<P><FONT size=2>-Ryan </FONT></P>
<DIV> </DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Erick Bergquist [mailto:erickbe@yahoo.com]
<BR><B>Sent:</B> Friday, January 05, 2007 5:37 PM<BR><B>To:</B> Ryan
Ratliff<BR><B>Cc:</B> Simon, Bill; Lelio Fulgenzi; ciscovoip<BR><B>Subject:</B>
Re: [cisco-voip] CCM Audit Log - MLA?<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman,new york,times,serif">I had
done this on lab system earlier and got the text... the only problem is the pkid
value of object wouldn't probably be in database anymore after it was
deleted. I haven't dug further past the IIS logs but if it's deleted from
the database, then is there another way to track down what the pkid was?<BR><BR>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman,new york,times,serif">-----
Original Message ----<BR>From: Ryan Ratliff <rratliff@cisco.com><BR>To:
Erick Bergquist <erickbe@yahoo.com><BR>Cc: "Simon, Bill"
<bills@tns.its.psu.edu>; Lelio Fulgenzi <lelio@uoguelph.ca>;
ciscovoip <cisco-voip@puck.nether.net><BR>Sent: Friday, January 5, 2007
1:48:31 PM<BR>Subject: Re: [cisco-voip] CCM Audit Log - MLA?<BR><BR>Actually if
you take the time to decipher the IIS logs you can get every bit of information
possible in them. Since you are using MLA you will even have the
MLA username as well as the source IP address the request is coming
from.
<DIV><BR class=khtml-block-placeholder></DIV>
<DIV>Here is me deleting a route pattern from the search page on a 4.1(3)
box. Notice the very searchable "method=..."
part highlighted in red.</DIV>
<DIV><BR class=khtml-block-placeholder></DIV>
<DIV><SPAN class=Apple-style-span>2007-01-05 19:46:07 14.48.39.100 rratliff
(SQLSvc) 14.48.39.100 443 GET /CCMAdmin/_RemoteScripts/rs_system.asp
_method=<FONT class=Apple-style-span
color=#ff0000>deleteRoutePattern</FONT>&_mtype=execute&pcount=2&p0=%7B030C6E22-EEC8-4AEF-AC42-27932C469A00%7D&p1=
200 0 Mozilla/4.0+(Windows+2000+5.0)+Java/1.4.2_05 -</SPAN></DIV>
<DIV><BR class=khtml-block-placeholder></DIV>
<DIV>A quick test shows that no matter where you delete the route pattern from
(search page or directly on the route pattern page) the GET request looks the
same.</DIV>
<DIV>Unfortunately the only way to identify which route pattern was deleted is
by the pkid (p0 in the GET request). If you know the approxmiate
time though it should be easy enough to correlate deletions.</DIV>
<DIV><BR class=khtml-block-placeholder></DIV>
<DIV>Once you have the IIS log entry you'll have the MLA username (rratliff
above), the source IP address (14.48.39.100) and from there it's your call what
to do with the info. My vote is always to blame the intern ;)</DIV>
<DIV><BR>
<DIV>
<DIV>-Ryan</DIV></DIV><BR>
<DIV>
<DIV>On Jan 5, 2007, at 1:18 PM, Erick Bergquist wrote:</DIV><BR
class=Apple-interchange-newline>
<DIV>I thought about that to but I haven't used it yet, since it is a seperate
product from ccm. </DIV>
<DIV><BR></DIV>
<DIV>Between the MLA logs and the IIS logs, if they are available from the
times. and after spending time to comb through them, you can get a little bit of
a idea. Is a pain though. </DIV>
<DIV><BR></DIV>
<DIV>If someone has access to VPT, can you post what a sample log would like for
a change/deletion or view of a route pattern? </DIV>
<DIV><BR></DIV>
<DIV>----- Original Message ----</DIV>
<DIV>From: "Simon, Bill" <<A href="mailto:bills@tns.its.psu.edu"
target=_blank rel=nofollow>bills@tns.its.psu.edu</A>></DIV>
<DIV>To: Lelio Fulgenzi <<A href="mailto:lelio@uoguelph.ca" target=_blank
rel=nofollow>lelio@uoguelph.ca</A>></DIV>
<DIV>Cc: Robert Kulagowski <<A href="mailto:bob@smalltime.com" target=_blank
rel=nofollow>bob@smalltime.com</A>>; Erick Bergquist <<A
href="mailto:erickbe@yahoo.com" target=_blank
rel=nofollow>erickbe@yahoo.com</A>>; ciscovoip <<A
href="mailto:cisco-voip@puck.nether.net" target=_blank
rel=nofollow>cisco-voip@puck.nether.net</A>></DIV>
<DIV>Sent: Friday, January 5, 2007 10:29:31 AM</DIV>
<DIV>Subject: Re: [cisco-voip] CCM Audit Log - MLA?</DIV>
<DIV><BR></DIV>
<DIV>In the past I've been pointed to the Cisco Voice Provisioning Tool
which </DIV>
<DIV>supposedly audits everything:</DIV>
<DIV><BR></DIV>
<DIV><A
href="http://www.cisco.com/en/US/products/ps6524/products_data_sheet0900aecd80313abd.html"
target=_blank
rel=nofollow>http://www.cisco.com/en/US/products/ps6524/products_data_sheet0900aecd80313abd.html</A></DIV>
<DIV><BR></DIV>
<DIV>Haven't had the opportunity to evaluate it yet. We're not up to
4.0.5 </DIV>
<DIV>on Unity. (one of the minimum requirements)</DIV>
<DIV><BR></DIV>
<DIV><BR></DIV>
<DIV>Lelio Fulgenzi wrote:</DIV>
<BLOCKQUOTE type="cite">
<DIV>sorry, forgot to include that ArcanaNetworks promotes an
application </DIV>
<DIV>that creates a auditlog for you. i have yet to check it out, but
they </DIV>
<DIV>seem very co-operative.</DIV>
<DIV><BR></DIV>
<DIV><A href="http://www.arcananet.com/products/MeVoIP.asp" target=_blank
rel=nofollow>http://www.arcananet.com/products/MeVoIP.asp</A></DIV>
<DIV><BR></DIV>
<DIV>--------------------------------------------------------------------------------</DIV>
<DIV>Lelio Fulgenzi, B.A.</DIV>
<DIV>Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G
2W1</DIV>
<DIV>(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)</DIV>
<DIV>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^</DIV>
<DIV>"I can eat fifty eggs." "Nobody can eat fifty eggs."</DIV>
<DIV><BR></DIV>
<DIV> ----- Original Message -----</DIV>
<DIV> *From:* Lelio Fulgenzi <<A
href="mailto:lelio@uoguelph.ca" target=_blank
rel=nofollow>mailto:lelio@uoguelph.ca</A>></DIV>
<DIV> *To:* Robert Kulagowski <<A
href="mailto:bob@smalltime.com" target=_blank
rel=nofollow>mailto:bob@smalltime.com</A>> ; Erick Bergquist</DIV>
<DIV> <<A href="mailto:erickbe@yahoo.com" target=_blank
rel=nofollow>mailto:erickbe@yahoo.com</A>></DIV>
<DIV> *Cc:* ciscovoip <<A
href="mailto:cisco-voip@puck.nether.net" target=_blank
rel=nofollow>mailto:cisco-voip@puck.nether.net</A>></DIV>
<DIV> *Sent:* Friday, January 05, 2007 11:16 AM</DIV>
<DIV> *Subject:* Re: [cisco-voip] CCM Audit Log - MLA?</DIV>
<DIV><BR></DIV>
<DIV> I believe even then, you don't get the granularity you
want. You</DIV>
<DIV> know who accessed a specific page, like the route pattern
page, but</DIV>
<DIV> that's it.</DIV>
<DIV><BR></DIV>
<DIV>
--------------------------------------------------------------------------------</DIV>
<DIV> Lelio Fulgenzi, B.A.</DIV>
<DIV> Senior Analyst (CCS) * University of Guelph * Guelph,
Ontario N1G 2W1</DIV>
<DIV> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)</DIV>
<DIV>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^</DIV>
<DIV> "I can eat fifty eggs." "Nobody can eat fifty eggs."</DIV>
<DIV><BR></DIV>
<DIV> ----- Original Message -----</DIV>
<DIV> *From:* Robert Kulagowski <<A
href="mailto:bob@smalltime.com" target=_blank
rel=nofollow>mailto:bob@smalltime.com</A>></DIV>
<DIV> *To:* Erick Bergquist <<A
href="mailto:erickbe@yahoo.com" target=_blank
rel=nofollow>mailto:erickbe@yahoo.com</A>></DIV>
<DIV> *Cc:* ciscovoip <<A
href="mailto:cisco-voip@puck.nether.net" target=_blank
rel=nofollow>mailto:cisco-voip@puck.nether.net</A>></DIV>
<DIV> *Sent:* Friday, January 05, 2007 11:13
AM</DIV>
<DIV> *Subject:* Re: [cisco-voip] CCM Audit Log -
MLA?</DIV>
<DIV><BR></DIV>
<DIV> Erick Bergquist wrote:</DIV>
<BLOCKQUOTE type="cite">
<DIV>Does anyone know if there is a way to get a full audit
log</DIV></BLOCKQUOTE>
<DIV> with MLA?</DIV>
<BLOCKQUOTE type="cite">
<DIV>It has log/trace files but they don't seem to log details of what</DIV>
<DIV>exactly was changed or viewed. Just the web page
accessed,</DIV></BLOCKQUOTE>
<DIV> and basic</DIV>
<BLOCKQUOTE type="cite">
<DIV>info, user id, etc. The dir log seems to get more detailed but</DIV>
<DIV>doesn't list the exact changes made by a user either.</DIV>
<DIV><BR></DIV>
<DIV>Have a client where someone had removed a particular
route</DIV></BLOCKQUOTE>
<DIV> pattern,</DIV>
<BLOCKQUOTE type="cite">
<DIV>and they are wanting to find out who and when the change
was</DIV></BLOCKQUOTE>
<DIV> made. It</DIV>
<BLOCKQUOTE type="cite">
<DIV>was done awhile back it seems.</DIV></BLOCKQUOTE>
<DIV><BR></DIV>
<DIV> I asked the same question; check the archives
for "MLA Command</DIV>
<DIV> History"</DIV>
<DIV> thread back in July / August.</DIV>
<DIV><BR></DIV>
<DIV> Basically, the answer is "sort of, and not
easily".</DIV></BLOCKQUOTE>
<DIV><BR></DIV>
<DIV><BR></DIV>
<DIV><BR></DIV>
<DIV><BR></DIV>
<DIV>__________________________________________________</DIV>
<DIV>Do You Yahoo!?</DIV>
<DIV>Tired of spam? Yahoo! Mail has the best spam protection
around </DIV>
<DIV><A href="http://mail.yahoo.com" target=_blank
rel=nofollow>http://mail.yahoo.com</A> </DIV>
<DIV><BR></DIV>
<DIV>_______________________________________________</DIV>
<DIV>cisco-voip mailing list</DIV>
<DIV><A href="mailto:cisco-voip@puck.nether.net" target=_blank
rel=nofollow>cisco-voip@puck.nether.net</A></DIV>
<DIV><A href="https://puck.nether.net/mailman/listinfo/cisco-voip" target=_blank
rel=nofollow>https://puck.nether.net/mailman/listinfo/cisco-voip</A></DIV></DIV><BR></DIV></DIV><BR></DIV></DIV><BR>__________________________________________________<BR>Do
You Yahoo!?<BR>Tired of spam? Yahoo! Mail has the best spam protection around
<BR>http://mail.yahoo.com </BODY></HTML>