With audit logging, configuration changes to the system get logged in separate log files for auditing. The Cisco Audit Event Service, which displays under Control Center - Network Services in the serviceability GUI, monitors and logs any configuration changes to the system that are made by a user or as a result of the user action.
You access the Audit Log Configuration window in the serviceability GUI to configure the settings for the audit logs.
Audit logging contains the following parts:
Audit logging framework - The framework comprises an API that uses an alarm library to write audit events into audit logs. An alarm catalog that is defined as GenericAlarmCatalog.xml applies for these alarms. Different system components provide their own logging.
The following example displays an API that a Cisco Unified Communications Manager component can use to send an alarm:
User ID: CCMAdministrator Client IP Address: 172.19.240.207 Severity: 3 EventType: ServiceStatusUpdated ResourceAccessed: CCMService EventStatus: Successful Description: CallManager Service status is stopped
Audit event logging - An audit event represents any event that is required to be logged. The following example displays a sample audit event:
CCM_TOMCAT-GENERIC-3-AuditEventGenerated: Audit Event Generated UserID:CCMAdministrator Client IP Address:172.19.240.207 Severity:3 EventType:ServiceStatusUpdated ResourceAccessed: CCMService EventStatus:Successful Description: Call Manager Service status is stopped App ID:Cisco Tomcat Cluster ID:StandAloneCluster Node ID:sa-cm1-3
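The following parser for the sample audit event format above is an added example, not Cisco code. It assumes each log line carries the alarm prefix and the field labels seen in that sample; the second entry in SAMPLE_LINES is constructed, and the names parse_audit_event and service_stops are hypothetical.

```python
import re

# Field labels exactly as they appear in the sample audit event on this page.
FIELDS = ["UserID", "Client IP Address", "Severity", "EventType", "ResourceAccessed",
          "EventStatus", "Description", "App ID", "Cluster ID", "Node ID"]
# Labels and values both contain spaces, so split only where a known label starts.
_KEY_RE = re.compile(r"(?<!\S)(" + "|".join(map(re.escape, FIELDS)) + r")\s*:\s*")
# Alarm prefix as in the sample, e.g. CCM_TOMCAT-GENERIC-3-AuditEventGenerated:
_HEADER_RE = re.compile(r"([A-Z_]+-[A-Z_]+-\d)-AuditEventGenerated:")

PAGE_SAMPLE = (  # the sample event from this page
    "CCM_TOMCAT-GENERIC-3-AuditEventGenerated: Audit Event Generated "
    "UserID:CCMAdministrator Client IP Address:172.19.240.207 Severity:3 "
    "EventType:ServiceStatusUpdated ResourceAccessed: CCMService "
    "EventStatus:Successful Description: Call Manager Service status is stopped "
    "App ID:Cisco Tomcat Cluster ID:StandAloneCluster Node ID:sa-cm1-3")
# Constructed line (not from the page): same layout, different user, IP and state.
CONSTRUCTED = PAGE_SAMPLE.replace("CCMAdministrator", "operator1") \
    .replace("172.19.240.207", "192.0.2.10").replace("is stopped", "is started")
SAMPLE_LINES = [PAGE_SAMPLE, CONSTRUCTED, "unrelated trace line"]

def parse_audit_event(line):
    """Return the event's fields as a dict, or None if the line is not an audit event."""
    m = _HEADER_RE.search(line)
    if not m:
        return None
    event = {"alarm_prefix": m.group(1)}
    body = line[m.end():]
    hits = list(_KEY_RE.finditer(body))
    for i, hit in enumerate(hits):
        # A value runs from the end of its label to the start of the next label.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        event[hit.group(1)] = body[hit.end():end].strip()
    return event

def service_stops(lines):
    """Return (user, client IP, node, resource) for each successful service stop."""
    found = []
    for ev in filter(None, map(parse_audit_event, lines)):
        if (ev.get("EventType") == "ServiceStatusUpdated"
                and ev.get("EventStatus") == "Successful"
                and ev.get("Description", "").lower().endswith("stopped")):
            found.append((ev.get("UserID"), ev.get("Client IP Address"),
                          ev.get("Node ID"), ev.get("ResourceAccessed")))
    return found

if __name__ == "__main__":
    for hit in service_stops(SAMPLE_LINES):
        print("service stopped:", hit)
```

Description is free text, so a description that itself contains a field label followed by a colon would be split at that point; treat the parsed fields of such events as unreliable.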
Cisco Unified Serviceability logs the following events:
Activation, deactivation, start, or stop of a service.
Changes in trace configurations and alarm configurations.
Changes in SNMP configurations.
Changes in CDR management. (Cisco Unified Communications Manager only)
Review of any report in the Serviceability Reports Archive. This log gets viewed on the reporter node. (Cisco Unified Communications Manager only)
Cisco Unified Real-Time Monitoring Tool logs the following events with an audit event alarm:
Cisco Unified Communications Manager CDR Analysis and Reporting (CAR) creates audit logs for these events:
Loader scheduling
Daily, weekly, and monthly reports scheduling
Mail parameters configuration
Dial plan configuration
Gateway configuration
System preferences configuration
Autopurge configuration
Rating engine configurations for duration, time of day, and voice quality
QoS configurations
Automatic generation/alert of pregenerated reports configurations.
Notification limits configuration
The following events get logged for various components of Cisco Unified Communications Manager Administration:
User logging (user logins and user logouts)
User role membership updates (user added, user deleted, user role updated)
Role updates (new roles added, deleted, or updated)
Device updates (phones and gateways)
Server configuration updates (changes to alarm or trace configurations, service parameters, enterprise parameters, IP addresses, hostnames, Ethernet settings, and Cisco Unified Communications Manager server additions or deletions)
User logging (user login and user logout) events are logged for Cisco Unified Communications Manager User Options.
All commands issued via the command-line interface are logged (for both Cisco Unified Communications Manager and Cisco Unity Connection).
Cisco Unity Connection Administration logs the following events:
User logging (user logins and user logouts)
All configuration changes, including but not limited to users, contacts, call management objects, networking, system settings, and telephony
Task management (enabling or disabling a task)
Bulk Administration Tool (bulk creates, bulk deletes)
Custom Keypad Map (map updates)
The Cisco Personal Communications Assistant client logs the following events:
Cisco Unity Connection Serviceability logs the following events:
Cisco Unity Connection clients that use the Representational State Transfer (REST) APIs log the following events:
Administrator logging (logins and logouts on IM and Presence interfaces such as Administration, OS Administration, Disaster Recovery System, and Reporting)
User role membership updates (user added, user deleted, user role updated)
Role updates (new roles added, deleted, or updated)
Device updates (phones and gateways)
Server configuration updates (changes to alarm or trace configurations, service parameters, enterprise parameters, IP addresses, hostnames, Ethernet settings, and IM and Presence server additions or deletions)