Audit Log Configuration Settings

Before You Begin

Be aware that only a user with an audit role can change the audit log settings. By default, for Cisco Unified Communications Manager, the CCMAdministrator possesses the audit role after fresh installs and upgrades. The CCMAdministrator can assign any user that has auditing privileges to the Standard Audit Users group in the User Group Configuration window in Cisco Unified Communications Manager Administration. If you want to do so, you can then remove CCMAdministrator from the Standard Audit Users group.

For IM and Presence Service, the administrator possesses the audit role after fresh installs and upgrades, and can assign any user that has auditing privileges to the Standard Audit Users group.

For Cisco Unity Connection, the application administration account that was created during installation has the Audit Administrator role and can assign other administrative users to the role. You can also remove the Audit Administrator role from this account.

The Standard Audit Log Configuration role provides the ability to delete audit logs and read/update access to Cisco Unified Real-Time Monitoring Tool, IM and Presence Real-Time Monitoring Tool, Trace Collection Tool, Real-Time Monitoring Tool (RTMT) Alert Configuration, Control Center - Network Services in the serviceability user interface, RTMT Profile Saving, Audit Configuration in the serviceability user interface, and a resource that is called Audit Traces.

The Standard Audit Log Configuration role provides the ability to delete audit logs and read/update access to Cisco Unified RTMT, Trace Collection Tool, RTMT Alert Configuration, Control Center - Network Services in Cisco Unified Serviceability, RTMT Profile Saving, Audit Configuration in Cisco Unified Serviceability, and a resource that is called Audit Traces.

The Audit Administrator role in Cisco Unity Connection provides the ability to view, download and delete audit logs in Cisco Unified RTMT.

For information on roles, users, and user groups in Cisco Unified Communications Manager, refer to the Cisco Unified Communications Manager Administration Guide.

For information on roles and users in Cisco Unity Connection, refer to the User Moves, Adds, and Changes Guide for Cisco Unity Connection.

For information on roles, users, and user groups in IM and Presence, refer to Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager.

The following table describes the settings that you can configure in the Audit Log Configuration window in Cisco Unified Serviceability.

Audit Log Configuration Settings

Field

Description

Select Server

Server

Choose the server (node) where you want to configure audit logs; then, click Go.

Apply to All Nodes

If you want to apply the audit log configuration to all nodes in the cluster, check the Apply to all Nodes check box.

Application Audit Log Settings

Enable Audit Log

When you check this check box, an audit log gets created for the application audit log.

For Cisco Unified Communications Manager, the application audit log supports configuration updates for Cisco Unified Communications Manager user interfaces, such as Cisco Unified Communications Manager Administration, Cisco Unified RTMT, Cisco Unified Communications Manager CDR Analysis and Reporting, and Cisco Unified Serviceability.

For IM and Presence Service, the application audit log supports configuration updates for IM and Presence user interfaces, such as Cisco Unified Communications Manager IM and Presence Administration, Cisco Unified IM and Presence Real-Time Monitoring Tool, and Cisco Unified IM and Presence Serviceability.

For Cisco Unity Connection, the application audit log supports configuration updates for Cisco Unity Connection user interfaces, including Cisco Unity Connection Administration, Cisco Unity Connection Serviceability, Cisco Personal Communications Assistant, and clients that use the Connection REST APIs.

This setting displays as enabled by default.

Note    The Network Service Audit Event Service must be running.

Enable Purging

The Log Partition Monitor (LPM) looks at the Enable Purging option to determine whether it needs to purge audit logs. When you check this check box, LPM purges all the audit log files in RTMT whenever the common partition disk usage goes above the high water mark; however, you can disable purging by unchecking the check box.

If purging is disabled, the number of audit logs continues to increase until the disk is full. This action could cause a disruption of the system. A message that describes the risk of disabling the purge displays when you uncheck the Enable Purging check box. Be aware that this option is available for audit logs in an active partition. If the audit logs reside in an inactive partition, the audit logs get purged when the disk usage goes above the high water mark.

You can access the audit logs by choosing Trace and Log Central > Audit Logs in RTMT.

Note    The Network Service Cisco Log Partitions Monitoring tool must be running.

Enable Log Rotation

The system reads this option to determine whether it needs to rotate the audit log files or it needs to continue to create new files. The maximum number of files cannot exceed 5000. When the Enable Rotation check box is checked, the system begins to overwrite the oldest audit log files after the maximum number of files gets reached.

Tip    When log rotation is disabled (unchecked), the audit log ignores the Maximum No. of Files setting.

Server Name

Enter the name or IP address of the remote syslog server that you want to use to accept syslog messages. If a server name is not specified, Cisco Unified IM and Presence Serviceability does not send the syslog messages. Do not specify a Cisco Unified Communications Manager node as the destination because the Cisco Unified Communications Manager node does not accept syslog messages from another server.

This applies to IM and Presence Service only.

Remote Syslog Audit Event Level

Select the desired syslog message severity for the remote syslog server. All syslog messages with the selected or a higher severity level are sent to the remote syslog server.

This applies to IM and Presence Service only.

Maximum No. of Files

Enter the maximum number of files that you want to include in the log. The default setting is 250. The maximum is 5000.

Maximum File Size

Enter the maximum file size for the audit log. The file size value must remain between 1 MB and 10 MB. You must specify a number between 1 and 10.

Database Audit Log Filter Settings

Enable Audit Log

When you check this check box, an audit log gets created for the Cisco Unified Communications Manager and Cisco Unity Connection databases. Use this setting in conjunction with the Debug Audit Level setting, which allows you to create a log for certain aspects of the database.

Debug Audit Level

This setting allows you to choose which aspects of the database you want to audit in the log. From the drop-down list box, choose one of the following options. Be aware that each audit log filter level is cumulative.

  • Schema - Tracks changes to the setup of the audit log database (for example, the columns and rows in the database tables).
  • Administrative Tasks - Tracks all administrative changes to the Cisco Unified Communications Manager system (for example, any changes to maintain the system) plus all Schema changes.
    Tip    Most administrators will leave the Administrative Tasks setting disabled. For users who want auditing, use the Database Updates level.
  • Database Updates - Tracks all changes to the database plus all schema changes and all administrative tasks changes.
  • Database Reads - Tracks every read to the system, plus all schema changes, administrative tasks changes, and database updates changes.
    Tip    Choose the Database Reads level only when you want to get a quick look at the Cisco Unified Communications Manager, IM and Presence Service, or Cisco Unity Connection system. This level uses significant amounts of system resources and should be used only for a short time.

Enable Audit Log Rotation

The system reads this option to determine whether it needs to rotate the database audit log files or it needs to continue to create new files. When the Audit Enable Rotation option check box is checked, the system begins to overwrite the oldest audit log files after the maximum number of files gets reached.

When this check box is unchecked, the audit log ignores the Maximum No. of Files setting.

Maximum No. of Files

Enter the maximum number of files that you want to include in the log. Ensure that the value that you enter for the Maximum No. of Files setting is greater than the value that you enter for the No. of Files Deleted on Log Rotation setting.

You can enter a number from 4 (minimum) to 40 (maximum).

No. of Files Deleted on Log Rotation

Enter the maximum number of files that the system can delete when database audit log rotation occurs.

The minimum that you can enter in this field is 1. The maximum value is 2 numbers less than the value that you enter for the Max No. of Files setting; for example, if you enter 40 in the Maximum No. of Files field, the highest number that you can enter in the No. of Files Deleted on Log Rotation field is 38.


Caution    When enabled, database logging can generate large amounts of data in a short period, particularly if the debug audit level is set to Database Updates or Database Reads. This can result in a significant performance impact during heavy usage periods. In general, we recommend that you keep database logging disabled. If you do need to enable logging to track changes in the database, we recommend that you do so only for short periods of time, by using the Database Updates level. Similarly, administrative logging does impact the overall performance of the web user interface, especially when polling database entries (for example, pulling up 250 devices from the database).
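The limits and cautions in the table above can be checked against a proposed configuration before it is applied. The following is an added example, not Cisco code: the dictionary keys are hypothetical names for the fields in the Audit Log Configuration window, the sample values are constructed, and the lower bound of 1 for the application Maximum No. of Files is an assumption.

```python
# Added example, not Cisco code: dictionary keys are hypothetical names for
# the fields in the Audit Log Configuration window.
DB_LEVELS = ["Schema", "Administrative Tasks", "Database Updates", "Database Reads"]

def covered_levels(level):
    """Filter levels are cumulative: each level includes every level before it."""
    return DB_LEVELS[: DB_LEVELS.index(level) + 1]

def max_app_log_mb(app):
    """Worst-case application audit log size in MB, or None when unbounded."""
    if not app["enable_log_rotation"]:
        return None  # Maximum No. of Files is ignored without rotation
    return app["max_files"] * app["max_file_size_mb"]

def check_audit_config(cfg):
    """Return findings for out-of-range values and settings the page cautions about."""
    app, db, out = cfg["application"], cfg["database"], []
    if not app["enable_audit_log"]:
        out.append("WARN application audit log disabled")
    if not app["enable_purging"]:
        out.append("WARN purging disabled: audit logs grow until the disk is full")
    if not app["enable_log_rotation"]:
        out.append("WARN rotation disabled: Maximum No. of Files is ignored")
    if not 1 <= app["max_files"] <= 5000:  # lower bound of 1 is an assumption
        out.append("ERROR application Maximum No. of Files must be at most 5000")
    if not 1 <= app["max_file_size_mb"] <= 10:
        out.append("ERROR Maximum File Size must be between 1 and 10 MB")
    if db["enable_audit_log"]:
        out.append("WARN database audit log enabled: keep it to short periods")
        if not 4 <= db["max_files"] <= 40:
            out.append("ERROR database Maximum No. of Files must be 4 to 40")
        if not 1 <= db["files_deleted_on_rotation"] <= db["max_files"] - 2:
            out.append("ERROR No. of Files Deleted on Log Rotation out of range")
        if db["debug_audit_level"] == "Database Reads":
            out.append("WARN Database Reads level uses significant system resources")
    return out

# Constructed sample: a proposed configuration to review before applying it.
SAMPLE = {
    "application": {"enable_audit_log": True, "enable_purging": False,
                    "enable_log_rotation": True, "max_files": 250,
                    "max_file_size_mb": 10},
    "database": {"enable_audit_log": True, "debug_audit_level": "Database Reads",
                 "max_files": 40, "files_deleted_on_rotation": 39},
}

if __name__ == "__main__":
    for finding in check_audit_config(SAMPLE):
        print(finding)
    print("worst-case application log MB:", max_app_log_mb(SAMPLE["application"]))
```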