Centralized audit logging ensures that configuration changes to the Unified Communications Manager system get logged in separate log files for auditing. An audit event represents any event that is required to be logged.
The following Unified Communications Manager components generate audit events:
- Cisco Unified Communications Manager Administration
- Cisco Unified Serviceability
- Unified Communications Manager CDR Analysis and Reporting
- Cisco Unified Real-Time Monitoring Tool
- Cisco Unified Communications Operating System
- Disaster Recovery System
- Database
- Command Line Interface
- Remote Support Account Enabled (CLI commands issued by technical support teams)
In Cisco Business Edition 5000, the following Cisco Unity Connection components also generate audit events:
- Cisco Unity Connection Administration
- Cisco Personal Communications Assistant (Cisco PCA)
- Cisco Unity Connection Serviceability
- Cisco Unity Connection clients that use the Representational State Transfer (REST) APIs
The following example displays a sample audit event:
CCM_TOMCAT-GENERIC-3-AuditEventGenerated: Audit Event Generated UserID:CCMAdministrator Client IP Address:172.19.240.207 Severity:3 EventType:ServiceStatusUpdated ResourceAccessed: CCMService EventStatus:Successful Description: Call Manager Service status is stopped App ID:Cisco Tomcat Cluster ID:StandAloneCluster Node ID:sa-cm1-3
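The sample event above can be split into fields for review or forwarding to a SIEM. The following parser is an added example, not part of the Cisco documentation; the function names, the assumption that fields follow the order shown in the sample, the admin subnet, and the second input line (including its "Failed" status) are constructed for illustration.

```python
import ipaddress
import re
# Field labels, in the order they appear in the sample audit event on this page.
FIELDS = ["UserID", "Client IP Address", "Severity", "EventType", "ResourceAccessed",
          "EventStatus", "Description", "App ID", "Cluster ID", "Node ID"]
_LABEL = re.compile(r"(?<!\S)(" + "|".join(map(re.escape, FIELDS)) + r"):")
# Assumption for this example: administrators connect from this subnet.
ADMIN_NET = ipaddress.ip_network("172.19.240.0/24")

def parse_audit_event(line):
    """Cut the line at the known labels; values such as Description contain spaces."""
    cuts, last_idx = [], -1
    for m in _LABEL.finditer(line):
        idx = FIELDS.index(m.group(1))
        # Labels must follow FIELDS order: text in a value cannot overwrite a parsed field.
        if idx > last_idx:
            cuts.append((m.group(1), m.start(), m.end()))
            last_idx = idx
    if not cuts:
        raise ValueError("no audit fields found")
    event = {"Alarm": line[:cuts[0][1]].split(":", 1)[0].strip()}
    for i, (label, _, end) in enumerate(cuts):
        stop = cuts[i + 1][1] if i + 1 < len(cuts) else len(line)
        event[label] = line[end:stop].strip()
    return event

def review_reasons(event):
    """Reasons an analyst should look at this event (empty list means none)."""
    reasons = []
    if event.get("EventStatus") != "Successful":
        reasons.append("status not Successful")
    try:
        if ipaddress.ip_address(event.get("Client IP Address", "")) not in ADMIN_NET:
            reasons.append("client outside admin subnet")
    except ValueError:
        reasons.append("unparseable client address")
    return reasons

PAGE_SAMPLE = ("CCM_TOMCAT-GENERIC-3-AuditEventGenerated: Audit Event Generated "
    "UserID:CCMAdministrator Client IP Address:172.19.240.207 Severity:3 "
    "EventType:ServiceStatusUpdated ResourceAccessed: CCMService "
    "EventStatus:Successful Description: Call Manager Service status is stopped "
    "App ID:Cisco Tomcat Cluster ID:StandAloneCluster Node ID:sa-cm1-3")
# Constructed variant: other client, failed status, label-like text in Description.
CONSTRUCTED = (PAGE_SAMPLE.replace("172.19.240.207", "10.9.8.7")
               .replace("EventStatus:Successful", "EventStatus:Failed")
               .replace("is stopped", "is stopped UserID:other"))
for _ev in map(parse_audit_event, (PAGE_SAMPLE, CONSTRUCTED)):
    print(_ev["UserID"], _ev["Client IP Address"], review_reasons(_ev))
```

The order check keeps the UserID from being replaced by label-like text inside Description, but it does not protect fields that come after the free-text value, so treat Description as untrusted when it can carry user-supplied strings.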
Audit logs, which contain information about audit events, get written in the common partition. The Log Partition Monitor (LPM) manages the purging of these audit logs as needed, similar to trace files. By default, the LPM purges the audit logs, but the audit user can change this setting from the Audit User Configuration window in Cisco Unified Serviceability. The LPM sends an alert whenever the common partition disk usage exceeds the threshold; however, the alert does not have the information about whether the disk is full because of audit logs or trace files.
Tip
The Cisco Audit Event Service, which is a network service that supports audit logging, displays in Control Center—Network Services in Cisco Unified Serviceability. If audit logs do not get written, then stop and start this service by choosing in Cisco Unified Serviceability.
All audit logs get collected, viewed and deleted from Trace and Log Central in the Cisco Unified Real-Time Monitoring Tool. Access the audit logs in RTMT in Trace and Log Central. Go to . After you select the node, another window displays .
The following types of audit logs display in RTMT:
Application Log
The application audit log, which displays in the AuditApp folder in RTMT, provides configuration changes for Cisco Unified Communications Manager Administration, Cisco Unified Serviceability, the CLI, Cisco Unified Real-Time Monitoring Tool (RTMT), Disaster Recovery System, and Cisco Unified CDR Analysis and Reporting (CAR). For Cisco Business Edition 5000, the application audit log also logs changes for Cisco Unity Connection Administration, Cisco Personal Communications Assistant (Cisco PCA), Cisco Unity Connection Serviceability, and clients that use the Representational State Transfer (REST) APIs.
Although the Application Log stays enabled by default, you can configure it in Cisco Unified Serviceability by choosing . For a description of the settings that you can configure for audit log configuration, see Cisco Unified Serviceability Administration Guide.
If the audit logs get disabled in Cisco Unified Serviceability, no new audit log files get created.
Tip
Only a user with an audit role has permission to change the Audit Log settings. By default, the CCMAdministrator has the audit role after fresh installs and upgrades. The CCMAdministrator can assign the "standard audit users" group to a new user that the CCMAdministrator specifically creates for audit purposes. The CCMAdministrator can then be removed from the audit user group. The "standard audit log configuration" role provides the ability to delete audit logs, read/update access to Cisco Unified Real-Time Monitoring Tool, Trace Collection Tool, RTMT Alert Configuration, the Control Center - Network Services window, RTMT Profile Saving, the Audit Configuration window, and a new resource called Audit Traces. For Cisco Unity Connection in Cisco Business Edition 5000, the application administration account that was created during installation has the Audit Administrator role and can assign other administrative users to the role.
Unified Communications Manager creates one application audit log file until the configured maximum file size is reached; then, it closes and creates a new application audit log file. If the system specifies rotating the log files, Unified Communications Manager saves the configured number of files. Some of the logging events can be viewed by using RTMT SyslogViewer.
The following events get logged for Cisco Unified Communications Manager Administration:
- User logging (user logins and user logouts).
- User role membership updates (user added, user deleted, user role updated).
- Role updates (new roles added, deleted, or updated).
- Device updates (phones and gateways).
- Server configuration updates (changes to alarm or trace configurations, service parameters, enterprise parameters, IP addresses, host names, Ethernet settings, and Unified Communications Manager server additions or deletions).
The following events get logged for Cisco Unified Serviceability:
- Activation, deactivation, start, or stop of a service from any Serviceability window.
- Changes in trace configurations and alarm configurations.
- Changes in SNMP configurations.
- Changes in CDR Management.
- Review of any report in the Serviceability Reports Archive. View this log on the reporter node.
RTMT logs the following events with an audit event alarm:
- Alert configuration.
- Alert suspension.
- E-mail configuration.
- Set node alert status.
- Alert addition.
- Add alert action.
- Clear alert.
- Enable alert.
- Remove alert action.
- Remove alert.
The following events get logged for Unified Communications Manager CDR Analysis and Reporting:
- Scheduling the CDR Loader.
- Scheduling the daily, weekly, and monthly user reports, system reports, and device reports.
- Mail parameters configurations.
- Dial plan configurations.
- Gateway configurations.
- System preferences configurations.
- Autopurge configurations.
- Rating engine configurations for duration, time of day, and voice quality.
- QoS configurations.
- Automatic generation/alert of pregenerated reports configurations.
- Notification limits configurations.
The following events get logged for Disaster Recovery System:
- Backup initiated successfully/failed
- Restore initiated successfully/failed
- Backup cancelled successfully
- Backup completed successfully/failed
- Restore completed successfully/failed
- Save/update/delete/enable/disable of backup schedule
- Save/update/delete of destination device for backup
For Cisco Business Edition 5000, Cisco Unity Connection Administration logs the following events:
- User logging (user logins and user logouts).
- All configuration changes, including but not limited to users, contacts, call management objects, networking, system settings, and telephony.
- Task management (enabling or disabling a task).
- Bulk Administration Tool (bulk creates, bulk deletes).
- Custom Keypad Map (map updates)
For Cisco Business Edition 5000, Cisco PCA logs the following events:
For Cisco Business Edition 5000, Cisco Unity Connection Serviceability logs the following events:
- User logging (user logins and user logouts).
- All configuration changes.
- Activating, deactivating, starting or stopping services.
For Cisco Business Edition 5000, clients that use the REST APIs log the following events:
Database Log
The database audit log, which displays in the informix folder in RTMT, reports database changes. This log, which is not enabled by default, gets configured in Cisco Unified Serviceability by choosing . For a description of the settings that you can configure for audit log configuration, see Cisco Unified Serviceability.
This audit differs from the Application audit because it logs database changes, and the Application audit logs application configuration changes. The informix folder does not display in RTMT unless database auditing is enabled in Cisco Unified Serviceability.
Operating System Log
The operating system audit log, which displays in the vos folder in RTMT, reports events that are triggered by the operating system. It does not get enabled by default. The utils auditd CLI command enables, disables, or gives status about the events.
The vos folder does not display in RTMT unless the audit is enabled in the CLI.
For information on the CLI, see Command Line Interface Reference Guide for Cisco Unified Solutions.
Remote Support Acct Enabled Log
The Remote Support Acct Enabled audit log, which displays in the vos folder in RTMT, reports CLI commands that get issued by technical support teams. You cannot configure it, and the log gets created only if the Remote Support Acct gets enabled by the technical support team.