<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">If you read the online help for the Audit Log Configuration page, there's a tip for the audit level that reads: "Most administrators will leave the Administrative Tasks setting disabled. For users who want auditing, use the Database Updates level." If you set the level to Database Updates, I think you'll get most of what you want. I have used audit logs set to this level in order to find out which user, logged in from which IP address, was the one who changed something at a certain time. I agree with Lelio that snapshotting the actual data is what is truly needed, because the built-in capability would tell you, for example, that User X updated directory number 5551212. But it won't tell you which specific DN settings were changed.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 15, 2017 at 8:58 AM, Lelio Fulgenzi <span dir="ltr">&lt;<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="blue" vlink="purple">
<div class="m_8475963640171248086WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I think you’ll find that what’s stored in the Cisco audit logs is not quite what you’d expect; it’s only names and the pages they’ve accessed.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">You’ll need something that does a snapshot compare to truly know what changes were made.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I took a look at a few and settled on Uplinx for a number of reasons (please – no vendor emails to me at this time telling me how their product is better).<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The biggest issue we had was that Cisco still does not make visible all database entities for these products to dip into and create a snapshot. So some things are missing.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">---<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Lelio Fulgenzi, B.A.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Senior Analyst, Network Infrastructure<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Computing and Communications Services (CCS)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">University of Guelph<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="tel:(519)%20824-4120" value="+15198244120" target="_blank">519-824-4120 Ext 56354</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="http://www.uoguelph.ca/ccs" target="_blank">www.uoguelph.ca/ccs</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Room 037, Animal Science and Nutrition Building<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Guelph, Ontario, N1G 2W1<u></u><u></u></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> cisco-voip [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@<wbr>puck.nether.net</a>]
<b>On Behalf Of </b>naresh rathore<br>
<b>Sent:</b> Wednesday, June 14, 2017 11:18 PM<br>
<b>To:</b> <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> [cisco-voip] Audit log Configuration on CUCM, CUP, CUC and UCCX<u></u><u></u></span></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div id="m_8475963640171248086divtagdefaultwrapper">
<p><span style="font-family:"Calibri","sans-serif";color:black">hi,<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">I want to do configuration on CUCM, CUC, CUPS and UCCX so that these servers send logs to a remote syslog server when somebody makes changes to the configuration on these servers. For that I configured the following. <u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Tools > Audit Log Configuration<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Enable Audit Log<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Enable Purging<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Enable log rotation<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Remote Syslog:<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Server Name: &lt;ip addr of syslog server&gt;                    Remote Syslog Audit Event Level: Notice<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Database Audit Log Filter Settings:<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Enable audit log                                                 Debug Audit Level: Administrative Tasks<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Output Settings<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Enable audit log rotation<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Maximum number of Files: 40<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">No. of Files Deleted on Log Rotation: 20<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Are the above configuration steps enough for us to see the changes done on these servers?<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Regards<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Naray<u></u><u></u></span></p>
</div>
</div></div></div>
</div>

<br></blockquote></div><br></div>
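<p>The snapshot compare discussed in this thread, as an added example that is not from any poster or from Cisco: it diffs two snapshots of DN settings field by field and attaches the audit events that touched each changed DN between the two snapshot times. The snapshot fields, the audit event shape and all values are constructed for illustration and do not reflect a Cisco export or log format.</p>

```python
from datetime import datetime

# Constructed snapshots of directory-number (DN) settings, keyed by DN.
# Field names are illustrative assumptions, not a Cisco export schema.
SNAP_BEFORE = {
    "5551212": {"description": "Front desk", "call_forward_all": "", "css": "CSS-Internal"},
    "5551300": {"description": "Lab phone", "call_forward_all": "", "css": "CSS-Internal"},
}
SNAP_AFTER = {
    "5551212": {"description": "Front desk", "call_forward_all": "5551399", "css": "CSS-LongDistance"},
    "5551300": {"description": "Lab phone", "call_forward_all": "", "css": "CSS-Internal"},
}

# Constructed audit events in a simplified shape: when, who, from where, which object.
AUDIT_EVENTS = [
    {"time": "2017-06-14T22:41:07", "user": "userx", "ip": "192.0.2.15", "object": "5551212"},
    {"time": "2017-06-10T08:00:00", "user": "usery", "ip": "192.0.2.44", "object": "5551212"},
    {"time": "2017-06-14T23:05:12", "user": "usery", "ip": "192.0.2.44", "object": "5551300"},
]

def diff_snapshots(before, after):
    """Return {dn: {field: (old, new)}} for each DN added, removed or changed."""
    changes = {}
    for dn in sorted(set(before) | set(after)):
        old, new = before.get(dn), after.get(dn)
        if old is None or new is None:
            changes[dn] = {"<record>": (old, new)}  # None marks the missing side
            continue
        fields = {
            f: (old.get(f), new.get(f))
            for f in sorted(set(old) | set(new)) if old.get(f) != new.get(f)
        }
        if fields:
            changes[dn] = fields
    return changes

def attribute_changes(changes, events, start, end):
    """Pair each changed DN with audit events on it between the two snapshot times."""
    report = []
    for dn, fields in changes.items():
        who = [
            e for e in events
            if e["object"] == dn and start <= datetime.fromisoformat(e["time"]) <= end
        ]
        report.append({"dn": dn, "fields": fields, "events": who})
    return report

if __name__ == "__main__":
    t0, t1 = datetime(2017, 6, 14, 12, 0), datetime(2017, 6, 15, 12, 0)
    for row in attribute_changes(diff_snapshots(SNAP_BEFORE, SNAP_AFTER), AUDIT_EVENTS, t0, t1):
        print(row)
```

<p>A changed DN that comes back with an empty events list is the case to look at first: the data changed but no audit event in the window accounts for it.</p>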