<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Everything except HTTP posts are in the Tomcat access logs, it just takes a bit of investigative work to understand exactly what a given change looks like. A GET request will contain info like pkids, etc but unfortunately a POST will just have the URL, not the parameters passed in the request.<div><br></div><div>For example I logged into CCMAdmin on my 7.1(3) server and deleted a phone (from the search page).</div><div>Here is the audit log (Audit0000000x.log) entry.</div><div><br></div><div>05/19/2010 15:53:54.936 |LogMessage UserID :administrator ClientAddress :172.18.251.29 Severity :5 EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails :record in table device, with key field name = SEPABCDABCDAADD deleted ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:rratliff-cm7|</div><div><br></div><div>Here is the Tomcat access log entry (localhost_access_log2010-05-19.txt):</div><div>[19/May/2010:15:53:55 -0400] 172.18.251.29 172.18.251.29 administrator - 8443 POST /ccmadmin/phoneFLDeleteSelected.do ?recCnt=9&colCnt=8 HTTP/1.1 200 96499 416<br><div><div><br class="webkit-block-placeholder"></div><div>So you can see clearly here the audit log had more info than the access log. Because phoneFLDeleteSelected.do was called we can see I deleted something, but not what.</div><div><br></div><div>Now I deleted a phone from the device page, not the search page.</div><div><br></div><div>Audit log:</div><div>05/19/2010 16:00:16.524 |LogMessage UserID :administrator ClientAddress :172.18.251.29 Severity :5 EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin EventStatus :Success AuditDetails : record in table device with key field name = ABCDABCDABCD deleted ComponentID :Cisco CUCM Administration App ID:Cisco Tomcat Cluster ID: Node ID:rratliff-cm7|</div><div><br></div><div>Access log:</div><div>[19/May/2010:16:00:16 -0400] 172.18.251.29 172.18.251.29 administrator - 8443 POST /ccmadmin/phoneDelete.do HTTP/1.1 200 73099 383</div><div><br></div><div>Again, nothing terribly useful in the access log other than I deleted some phone. However if we look a few lines above we see this:</div><div>[19/May/2010:16:00:10 -0400] 172.18.251.29 172.18.251.29 administrator - 8443 GET /ccmadmin/gendeviceEdit.do ?key=fe651e23-fb2b-14d2-5a30-5843f9172658 HTTP/1.1 200 300148 958</div><div><br></div><div>This tells me that the same source IP, and same userid went into a phone's device page (gendeviceEdit.do) and the device had a pkid of fe651e23-fb2b-14d2-5a30-5843f9172658.</div><div><br></div><div>A quick peek into the ccm device table in a backup, or maybe even in the installdb log file from the last upgrade would let you tie that pkid to a device name.</div><div><br></div><div>
<div>-Ryan</div>
</div>
<br><div><div>On May 19, 2010, at 3:46 PM, Jason Aarons (US) wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple"><div class="Section1"><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">I had a customer use the CLI to query the database and show a line with a userid and what he changed. Since it wasn’t my userid or my teams I didn’t pay much attention. But in short someone deleted a DN in production causing a outage and he was tracing it back. Turns out it was his teammate. I haven’t used the Audi GUI view or recall what the CLI query was.<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; border-top-style: solid; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding-top: 3pt; padding-right: 0in; padding-bottom: 0in; padding-left: 0in; "><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span><a href="mailto:cisco-voip-bounces@puck.nether.net" style="color: blue; text-decoration: underline; ">cisco-voip-bounces@puck.nether.net</a><span class="Apple-converted-space"> </span>[mailto:cisco-voip-bounces@puck.nether.net]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Matthew Saskin<br><b>Sent:</b><span class="Apple-converted-space"> </span>Wednesday, May 19, 2010 12:17 PM<br><b>To:</b><span class="Apple-converted-space"> </span><a href="mailto:l.durso@gmail.com" style="color: blue; text-decoration: underline; ">l.durso@gmail.com</a><br><b>Cc:</b><span class="Apple-converted-space"> </span><a href="mailto:cisco-voip@puck.nether.net" style="color: blue; text-decoration: underline; ">cisco-voip@puck.nether.net</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [cisco-voip] R: A way to track admin changes in CUCM 6.x<o:p></o:p></span></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 12pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">The audit feature in 7x+ isn't all that useful. It does not give you details on who made specific changes.<br><br clear="all">Matthew Saskin<br><a href="mailto:msaskin@gmail.com" style="color: blue; text-decoration: underline; ">msaskin@gmail.com</a><br>203-253-9571<br><br>July 18, 2010 - 1500m swim (in the hudson), 40k bike, 10k run<br>Please support the Leukemia & Lyphoma Society<br><a href="http://pages.teamintraining.org/nyc/nyctri10/msaskin" style="color: blue; text-decoration: underline; ">http://pages.teamintraining.org/nyc/nyctri10/msaskin</a><br><br><o:p></o:p></p><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Wed, May 19, 2010 at 11:54 AM, Leonardo D'Urso <<a href="mailto:l.durso@gmail.com" style="color: blue; text-decoration: underline; ">l.durso@gmail.com</a>> wrote:<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Hi Rob<br><br>I know this is the audit feature. It is supported since 7.x.<br><br>Ciao<br>Leonardo<br><br>---<br><span style="color: rgb(136, 136, 136); ">Leonardo D'Urso<br><a href="mailto:l.durso@gmail.com" style="color: blue; text-decoration: underline; ">l.durso@gmail.com</a><br>Sent from my BlackBerry®</span><o:p></o:p></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>-----Original Message-----<br>From: "Leetun, Rob" <<a href="mailto:rleetun@bouldercounty.org" style="color: blue; text-decoration: underline; ">rleetun@bouldercounty.org</a>><br>Date: Wed, 19 May 2010 09:43:02<br>To: <<a href="mailto:cisco-voip@puck.nether.net" style="color: blue; text-decoration: underline; ">cisco-voip@puck.nether.net</a>><br>Subject: [cisco-voip] A way to track admin changes in CUCM 6.x<br><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" style="color: blue; text-decoration: underline; ">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank" style="color: blue; text-decoration: underline; ">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br><br><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" style="color: blue; text-decoration: underline; ">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank" style="color: blue; text-decoration: underline; ">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></div></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><br class="webkit-block-placeholder"></div><hr size="1"><div><br class="webkit-block-placeholder"></div><p><strong>Disclaimer: This e-mail communication and any attachments may contain confidential and privileged information and is for use by the designated addressee(s) named above only. If you are not the intended addressee, you are hereby notified that you have received this communication in error and that any use or reproduction of this email or its contents is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer. Thank you.</strong></p>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" style="color: blue; text-decoration: underline; ">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" style="color: blue; text-decoration: underline; ">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br></div></blockquote></div><br></div></div></body></html>