<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Actually this is a very old limitation in CallManager and a lot
of customers are asking for a more detailed “easy to read” log.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div>
<p class=MsoNormal style='background:white'><span style='font-size:10.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'> </span><span
style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'>Best
Regards;<o:p></o:p></span></p>
<p class=MsoNormal style='background:white'><span style='font-size:10.5pt;
font-family:"Calibri","sans-serif";color:#1F497D'> Ahmed Elnagar<o:p></o:p></span></p>
<p class=MsoNormal style='background:white'><span style='font-size:10.5pt;
font-family:"Calibri","sans-serif";color:#1F497D'> Senior Network PS
Engineer<o:p></o:p></span></p>
<p class=MsoNormal style='background:white'><span style='font-size:10.5pt;
font-family:"Calibri","sans-serif";color:#1F497D'> Mob: +2019-0016211<o:p></o:p></span></p>
<p class=MsoNormal style='background:white'><span style='font-size:10.5pt;
font-family:"Calibri","sans-serif";color:#1F497D'> CCIE#24697 (Voice)<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] <b>On
Behalf Of </b>Ryan Ratliff<br>
<b>Sent:</b> Wednesday, May 19, 2010 11:07 PM<br>
<b>To:</b> Jason Aarons (US)<br>
<b>Cc:</b> cisco-voip@puck.nether.net<br>
<b>Subject:</b> Re: [cisco-voip] R: A way to track admin changes in CUCM 6.x<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Everything except HTTP posts is in the Tomcat access logs;
it just takes a bit of investigative work to understand exactly what a given
change looks like. A GET request will contain info like pkids, etc., but
unfortunately a POST will just have the URL, not the parameters passed in the
request.<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>For example I logged into CCMAdmin on my 7.1(3) server and
deleted a phone (from the search page).<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>Here is the audit log (Audit0000000x.log) entry.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>05/19/2010 15:53:54.936 |LogMessage UserID
:administrator ClientAddress :172.18.251.29 Severity :5
EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin
EventStatus :Success AuditDetails :record in table device, with key
field name = SEPABCDABCDAADD deleted ComponentID :Cisco CUCM
Administration App ID:Cisco Tomcat Cluster ID: Node ID:rratliff-cm7|<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Here is the Tomcat access log entry
(localhost_access_log2010-05-19.txt):<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>[19/May/2010:15:53:55 -0400] 172.18.251.29 172.18.251.29
administrator - 8443 POST /ccmadmin/phoneFLDeleteSelected.do ?recCnt=9&colCnt=8
HTTP/1.1 200 96499 416<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>So you can see clearly here the audit log had more info than
the access log. Because phoneFLDeleteSelected.do was called we can see I
deleted something, but not what.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Now I deleted a phone from the device page, not the search
page.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Audit log:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>05/19/2010 16:00:16.524 |LogMessage UserID
:administrator ClientAddress :172.18.251.29 Severity :5
EventType :GeneralConfigurationUpdate ResourceAccessed:CUCMAdmin
EventStatus :Success AuditDetails : record in table device with key
field name = ABCDABCDABCD deleted ComponentID :Cisco CUCM Administration
App ID:Cisco Tomcat Cluster ID: Node ID:rratliff-cm7|<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Access log:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>[19/May/2010:16:00:16 -0400] 172.18.251.29 172.18.251.29
administrator - 8443 POST /ccmadmin/phoneDelete.do HTTP/1.1 200 73099 383<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Again, nothing terribly useful in the access log other than
I deleted some phone. However if we look a few lines above we see this:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>[19/May/2010:16:00:10 -0400] 172.18.251.29 172.18.251.29
administrator - 8443 GET /ccmadmin/gendeviceEdit.do
?key=fe651e23-fb2b-14d2-5a30-5843f9172658 HTTP/1.1 200 300148 958<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>This tells me that the same source IP, and same userid went
into a phone's device page (gendeviceEdit.do) and the device had a pkid
of fe651e23-fb2b-14d2-5a30-5843f9172658.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>A quick peek into the ccm device table in a backup, or maybe
even in the installdb log file from the last upgrade would let you tie that
pkid to a device name.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<div>
<p class=MsoNormal>-Ryan<o:p></o:p></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
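<div>
<p class=MsoNormal>An added example, not part of Ryan's message or of any Cisco tooling: a Python script for the correlation described above, pairing each successful delete POST in the Tomcat access log with the key= value (pkid) of the page the same user and source IP last opened. The 5-minute window, the rule that ...DeleteSelected.do list-page deletes are never paired, and the third sample line are assumptions made for this example.</p>
<pre>
```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Layout of the access log lines quoted in the message above:
# [time] ip ip user - port METHOD path [?query] HTTP/x status bytes ms
LINE_RE = re.compile(
    r"\[([^\]]+)\] (\S+) \S+ (\S+) \S+ \d+ (GET|POST) (.+?) HTTP/\S+ (\d{3})")

def parse_line(line):
    m = LINE_RE.search(line)
    if m is None:
        return None
    ts, ip, user, method, target, status = m.groups()
    # The quoted lines have a space between path and query string; tolerate it.
    path, _, query = target.replace(" ", "").partition("?")
    return {"time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "who": (user, ip), "method": method, "path": path,
            "key": parse_qs(query).get("key", [None])[0], "status": int(status)}

def correlate_deletes(lines, window=timedelta(minutes=5)):
    """Return (time, user, ip, path, pkid) per successful delete POST; pkid is
    the key= the same user and IP last opened by GET in the window, else None."""
    last_opened = {}   # (user, ip) -> (time, pkid)
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "GET" and rec["key"]:
            last_opened[rec["who"]] = (rec["time"], rec["key"])
        elif (rec["method"] == "POST" and "Delete" in rec["path"]
              and rec["status"] == 200):
            pkid = None
            opened = last_opened.get(rec["who"])
            # Assumption: list-page deletes (...DeleteSelected.do) act on
            # checked rows, so a previously opened device page says nothing.
            if (opened and "DeleteSelected" not in rec["path"]
                    and window >= rec["time"] - opened[0]):
                pkid = last_opened.pop(rec["who"])[1]
            findings.append((rec["time"].isoformat(), *rec["who"],
                             rec["path"], pkid))
    return findings

# First two lines are from the message above; the third is constructed.
SAMPLE = [
    "[19/May/2010:16:00:10 -0400] 172.18.251.29 172.18.251.29 administrator - 8443 GET /ccmadmin/gendeviceEdit.do ?key=fe651e23-fb2b-14d2-5a30-5843f9172658 HTTP/1.1 200 300148 958",
    "[19/May/2010:16:00:16 -0400] 172.18.251.29 172.18.251.29 administrator - 8443 POST /ccmadmin/phoneDelete.do HTTP/1.1 200 73099 383",
    "[19/May/2010:16:02:41 -0400] 192.0.2.10 192.0.2.10 operator1 - 8443 POST /ccmadmin/phoneDelete.do HTTP/1.1 200 73099 402",
]
```
</pre>
<p class=MsoNormal>A finding with pkid None still records who deleted and when; the audit log entry for the same second supplies the device name.</p>
</div>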
<div>
<div>
<p class=MsoNormal>On May 19, 2010, at 3:46 PM, Jason Aarons (US) wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<div>
<div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I had a customer use the CLI to query the database and show a
line with a userid and what he changed. Since it wasn’t my userid or my team’s I
didn’t pay much attention. But in short someone deleted a DN in
production causing an outage and he was tracing it back. Turns out it was his
teammate. I haven’t used the Audit GUI view or recall what the
CLI query was.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;
border-width:initial;border-color:initial'>
<div>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
class=apple-converted-space><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span></span><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><a
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a><span
class=apple-converted-space> </span>[mailto:cisco-voip-bounces@puck.nether.net]<span
class=apple-converted-space> </span><b>On Behalf Of<span
class=apple-converted-space> </span></b>Matthew Saskin<br>
<b>Sent:</b><span class=apple-converted-space> </span>Wednesday, May 19,
2010 12:17 PM<br>
<b>To:</b><span class=apple-converted-space> </span><a
href="mailto:l.durso@gmail.com">l.durso@gmail.com</a><br>
<b>Cc:</b><span class=apple-converted-space> </span><a
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b><span class=apple-converted-space> </span>Re: [cisco-voip]
R: A way to track admin changes in CUCM 6.x</span><o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'>The audit feature in 7x+ isn't
all that useful. It does not give you details on who made specific
changes.<br>
<br clear=all>
Matthew Saskin<br>
<a href="mailto:msaskin@gmail.com">msaskin@gmail.com</a><br>
203-253-9571<br>
<br>
July 18, 2010 - 1500m swim (in the hudson), 40k bike, 10k run<br>
Please support the Leukemia &amp; Lymphoma Society<br>
<a href="http://pages.teamintraining.org/nyc/nyctri10/msaskin">http://pages.teamintraining.org/nyc/nyctri10/msaskin</a><br>
<br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal>On Wed, May 19, 2010 at 11:54 AM, Leonardo D'Urso &lt;<a
href="mailto:l.durso@gmail.com">l.durso@gmail.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>Hi Rob<br>
<br>
I know this is the audit feature. It is supported since 7.x.<br>
<br>
Ciao<br>
Leonardo<br>
<br>
---<br>
<span style='color:#888888'>Leonardo D'Urso<br>
<a href="mailto:l.durso@gmail.com">l.durso@gmail.com</a><br>
Sent from my BlackBerry®</span><o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=MsoNormal><br>
-----Original Message-----<br>
From: "Leetun, Rob" &lt;<a href="mailto:rleetun@bouldercounty.org">rleetun@bouldercounty.org</a>&gt;<br>
Date: Wed, 19 May 2010 09:43:02<br>
To: &lt;<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a>&gt;<br>
Subject: [cisco-voip] A way to track admin changes in CUCM 6.x<br>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div class=MsoNormal align=center style='text-align:center'>
<hr size=1 width="100%" align=center>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>