
Audit Log Analysis Overview & Getting Started Guide

Introduction

Variphy’s Log Analysis provides the ability to analyze, search, and identify specific log file information for CUCM, UCCX, and CUC Version 7.1 and newer. 

CUCM User Audit Logs store a myriad of administrative activity event data, including CUCM user login information, move/add/change/delete (MACD) configuration changes, and command line interface (CLI) activity on the CUCM server consoles.

Log Analysis in Variphy enables specific events and/or information to be filtered and located within one or more log files, for example, to identify who made a specific change, the IP address it originated from, and the time period in which it occurred.

As of CUCM version 9.1.2, changes to Device Defaults (such as changing the device pool, phone button template or firmware load) for a phone model still do not appear in CUCM Audit Logs, and thus will not appear in Log Analysis in Variphy.  

However, as part of a firmware change in CUCM, the TFTP Service must be restarted for the devices to download the new firmware.  The TFTP Service restart will show up in the Audit Logs, which should help identify which user made such a change.  


Section 1: Configuration

Variphy requires that the User Audit Log files be retrieved from the Cisco server and stored on the application’s file system. Before using Log Analysis for a Cluster, Variphy must be configured to locate the specific User Audit Log files on the file system, by entering the directory path as seen from the Variphy Server.

When selecting the Log Analysis Tab for a given Cluster, an error message will be shown if the Audit Log Directory has not yet been entered, is invalid, or does not exist.

Audit Log Directory

For each Cluster in Variphy for which Log Analysis should be enabled, a unique directory/folder on the file system must be identified to store, identify, and access the Audit Log files.  If necessary, create the desired folder location(s) for each Cluster accordingly.  This folder location must be accessible from the Variphy Insight installation directory. 

If there are multiple Clusters, remember to use and specify a unique and separate directory for each Cluster, so that the Audit Log files can be organized accordingly and no unwanted overlap occurs amongst Clusters.

In this example, the Audit Log Directory is E:\Data\AuditLogs.  To configure this directory location in Variphy Insight:

Variphy on Windows Server

1) Hover over the Setup – Clusters tab.

2) Select the type of Cluster that will be configured (CUCM, Unity Connection or UCCX).

3) By default all configured Clusters will be shown. Select the desired Cluster to edit, or add a new Cluster if necessary.

4) On the Edit Cluster page, scroll down to the Log Analysis section. Here, specify the directory path for the Audit Log Directory.

Log Analysis Directory Path

** Note: Ensure that this directory exists on the server’s file system and is accessible from the Variphy Insight installation directory.

Variphy on Variphy’s Linux OVA

1) Hover over the Setup – Clusters tab.

2) Select the type of Cluster that will be configured (CUCM, Unity Connection or UCCX).

3) By default all configured Clusters will be shown. Select the desired Cluster to edit, or add a new Cluster if necessary.

4) Variphy’s Linux OVA comes pre-built with a configured Download Directory Path for Audit Logs. Use /opt/Variphy/Data/Cluster1/Logs, replacing ‘Cluster1’ with the folder name designated for that cluster.


Section 2: Retrieving CUCM Audit Logs

User Audit Logs can be retrieved from CUCM via a “pull” or “push” method, through the use of the Cisco Real-Time Monitoring Tool (RTMT). RTMT comes included with CUCM, and is available for download via the “Plugins” link of the “Applications” section of CUCM Administration.

Manually Downloading CUCM Audit Logs

The download or “pull” of the User Audit Logs from CUCM can be done via RTMT. If RTMT runs on the same machine as Variphy Insight, the log files can be downloaded directly to the local file system, where they can be accessed by Variphy Insight. If RTMT is run on a different machine, the log files it downloads can then be easily uploaded to Variphy Insight via its web interface.

Begin by launching RTMT and logging into the appropriate CUCM Server.

RTMT Login

Login with the appropriate CUCM Admin login credentials (note that this may be on the previous screen, depending on the RTMT version).

RTMT Authentication

Once the GUI completes loading, click to select Trace and Log Central under Tools on the left menu, then double click to open Audit Logs.

Trace & Log Central

The Action Options screen will appear, showing the choice to download Audit Logs either manually or via a scheduled download.

To manually download Audit Logs, select the Download Audit Logs option and click Next.  To schedule automatic Audit Log delivery, see the Scheduling CUCM Audit Log Delivery section below in this document. 

Download Audit Logs

Under “Nodes Selection Options”, select any/all appropriate CUCM Servers. Each CUCM Server will create and log its own set of Audit Log files. 

Under Collection Time, select the appropriate time range for Audit Log data. For example, if the current month’s User Audit information is desired, then choose this time range. Any User Audit Log files which have entries for the selected time range will be downloaded.  

Under Download File Options, choose the folder location where the Audit Logs should be downloaded to.

If RTMT is running on the same server as Variphy

The Audit Log files can be downloaded directly to the same Audit Log Directory location which Variphy Insight is configured to look for the selected Cluster. In this scenario, DO NOT ENABLE the “Zip All Files” option, as Variphy Insight will not look in zip files when searching for Audit Log files.

If RTMT is NOT running on the same server as Variphy

The Audit Log files can be downloaded as a single zip file and then uploaded to Variphy Insight. For more information, see the Uploading CUCM Audit Logs via the Variphy Insight Web User Interface section below. 

In this scenario, enable the “Zip all Files” option to download the files as a single zip file. 

When ready, click Finish to begin the download process. The resulting screen will indicate the download progress and completion.  

Once completed, two types of Audit Log files will have been downloaded, “Audit App” and “vos”. Log Analysis in Variphy Insight currently uses only the “Audit App” files, so the “vos” files can be deleted, as they will be ignored.

Zip All Files
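As an added check that is not part of the Variphy documentation, this POSIX shell function verifies a Cluster’s Audit Log Directory after a download or push: the directory exists and is readable, it contains no zip files (which Variphy will not look inside), and it holds at least one Audit App file. The file-name patterns AuditApp*.log and vos*.log are an assumption about how RTMT names the files, not something this page states.

```shell
#!/bin/sh
# Sanity-check a Variphy Audit Log Directory after an RTMT download or SFTP push.
# Assumption (not from the Variphy doc): RTMT names the files AuditApp*.log and vos*.log.
check_audit_dir() {
  dir="$1"
  if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
    echo "ERROR: $dir is missing or not readable; fix the Cluster's Audit Log Directory" >&2
    return 1
  fi
  # Variphy does not look inside zip files, so a zip here means "Zip All Files" was left on.
  zips=$(find "$dir" -type f -name '*.zip' | wc -l | tr -d ' ')
  if [ "$zips" -gt 0 ]; then
    echo "ERROR: $zips zip file(s) found; re-download without 'Zip All Files' or upload via the web UI" >&2
    return 2
  fi
  apps=$(find "$dir" -type f -name 'AuditApp*.log' | wc -l | tr -d ' ')
  vos=$(find "$dir" -type f -name 'vos*.log' | wc -l | tr -d ' ')
  if [ "$vos" -gt 0 ]; then
    echo "note: $vos vos file(s) present; Log Analysis ignores them" >&2
  fi
  if [ "$apps" -eq 0 ]; then
    echo "ERROR: no Audit App log files found under $dir" >&2
    return 3
  fi
  echo "OK: $apps Audit App file(s) ready for Log Analysis in $dir"
  return 0
}
```

Run it as `check_audit_dir /path/to/AuditLogs` and treat a non-zero exit as a configuration problem to fix before opening the Log Analysis tab.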

Uploading CUCM Audit Logs via the Variphy Web User Interface

To upload a single User Audit Log file, or multiple files compressed together within a zip file, select the Log Analysis Tab for the appropriate CUCM Cluster.

Click the Upload Log Files button to reveal the Upload options, then choose the desired type and file to upload.

Upload Log Files

Select whether it is a single log file or a zip file containing multiple log files and then click the Upload button.

Variphy will save the files (if zip file is uploaded, files will be extracted) to a unique directory named as the current date and time within the Audit Log Directory specified for this Cluster.

Import Logs

If successful, the uploaded files will appear in the resulting Audit Log File list.

Scheduling CUCM Audit Log Delivery

In this scenario, RTMT is only used to create, configure, and initiate the scheduled log collection. This does not require RTMT to always be running.

This process configures CUCM to automatically push its User Audit Log files to the Variphy Server via either FTP or SFTP. It requires an SFTP/FTP server on the Variphy Server to receive the log files from CUCM, and consistent ongoing IP connectivity from the CUCM Publisher to the Variphy Server.

Begin by launching RTMT and logging into the appropriate CUCM Server.

RTMT Login

Login with the appropriate CUCM Admin login credentials (note that this may be on the previous screen, depending on the RTMT version).

RTMT Authentication

Once the GUI completes loading, click to select “Trace and Log Central” under Tools on the left menu, then double click to open “Audit Logs”.

Trace & Log Central

The Action Options screen will appear, showing the choice to download Audit Logs either manually or via a schedule. Select the Schedule Download of Audit Logs option and click Next.

Schedule Download Logs

Under Nodes Selection Options, select any/all appropriate CUCM Servers. 

Under Schedule Time, select the desired Time Zone for the log entries to be associated with and the appropriate Schedule Start and End Date/Time, along with the Frequency, for log collection. Since RTMT insists that a Schedule End Time is specified, enter a date/time far off in the future (such as 3 years) to create a long-lasting schedule.

The Frequency selected will determine how often new log files are available for analysis in Variphy Insight.

For example, if Log Analysis will be performed for user activity for the previous day as opposed to the previous week or month, set the appropriate Frequency to ensure the data is properly collected when needed. 

Under Action Options, check the box next to Download Files.

Download Files

The Trace Download Configuration window will appear. 

Select SFTP/FTP Server. The Localhost option is not supported for Cisco Unified Communications Manager (as described in the Cisco RTMT help guide).

Variphy on Windows Server

Select the appropriate Protocol to be used. 

Enter the host IP address of the Variphy Server, which CUCM will use as its destination for sending its Audit Log files. 

Enter the FTP Server user name and password, which CUCM will use as authentication to the FTP server. 

Enter the Port and Download Directory Path, which CUCM will use as its destination to send its Audit Log files. Port 21 should be used for FTP and Port 22 for SFTP. 

Once complete, click the Test Connection button, and then if successful, click the Ok button. 

In the screenshot example shown below, the IP address of the Variphy Server is 10.20.30.10 and the FTP Server is configured to run on port 21 (which is the default for FTP). A user account with username “RTMT” is configured on the FTP Server, with “Write” privileges to the Download Directory Path specified. This will allow CUCM to upload files as opposed to just downloading. 

By entering “/” as the Download Directory Path, CUCM will upload its files to the home root directory of the user account (“RTMT” in this example) as configured in the FTP Server.  The home directory for the user can and should then be configured appropriately in the FTP Server.

For Log Analysis, the home directory of the user account in the FTP Server should be configured to be the same as the Audit Log Directory for this Cluster.

Trace Download Config

Once completed, click the Finish button to schedule the log collection.

Variphy on Variphy’s Linux OVA

Select SFTP as the appropriate Protocol to be used.  

Enter the host IP address of the Variphy Server, which CUCM will use as its destination for sending its Audit Log files.  

Enter the SFTP Server user name variphyadmin and password V@riphy!!, which CUCM will use as authentication to the SFTP server pre-loaded on the Linux OVA.  

Enter Port 22 for SFTP  

Variphy’s Linux OVA comes pre-built with a configured Download Directory Path for Audit Logs. Use /opt/Variphy/Data/Cluster1/Logs, replacing ‘Cluster1’ with the folder name designated for that cluster.

Once complete, click the Test Connection button, and then if successful, click the Ok button.


Section 3: Using Log Analysis

To access and use Log Analysis, select the Log Analysis tab from the main navigation in Variphy Insight. 

Selecting User Audit Logs for Analysis

Analyze Selected Files

Filtering and Search for Events

Once at least one User Audit Log file has been selected, a list of Filter & Search Options will be shown.

Log data can be filtered by clicking any of the available filter links and selecting or de-selecting any of the filter entries. For example, under “Event Type”, uncheck “User Logging” to hide login events from view.

** Note: Ensure that each filter has at least 1 option selected.

Filters
Filters List

To search for a specific configuration change, a search keyword (such as a directory number or phone’s name/MAC address) can also be entered into the ‘Search’ text field box. The search will be applied in combination with the Filters applied. 

When ready, click the ‘View Events’ button to view the event results.

Viewing Events

The event results detail each Audit log entry for the selected Filters and Search Options (if applicable).

Each log entry contains a date and time, which by default is in the time zone of the CUCM server the logs were retrieved from. When downloading log files via RTMT, a time zone can be specified.

Events of type ‘General Configuration Update’ are configuration changes that have been made to the CUCM system. The Details column will show the specific update information.

For an event or change in question, such as a service restart or a critical update made to a phone or device, Log Analysis in Variphy Insight will help identify the user who executed the change or update, when it was performed, and from which IP address.
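The filter, keyword search and who/when/from-where view described above, as an added Python example that is not part of Variphy or this page. The sample entries are constructed, modelled on the bracketed “[ Key =Value]” layout CUCM writes to its Audit App files (an assumption about the format); the year is supplied by the caller because that layout carries none.

```python
import re
from datetime import datetime

# Constructed sample entries (not real data), modelled on the bracketed
# "[ Key =Value]" layout CUCM writes to AuditApp files (an assumption).
SAMPLE_LOG = """\
: 1: Dec 18 09:12:33.120 UTC :  %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =admin][ ClientAddress =10.20.30.55][ EventType =UserLogging][ EventStatus =Success][ AuditDetails =Login successful][ Node ID=cucm-pub]: Audit Event is generated by this application
: 2: Dec 18 09:15:02.004 UTC :  %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =admin][ ClientAddress =10.20.30.55][ EventType =GeneralConfigurationUpdate][ EventStatus =Success][ AuditDetails =record in table device with key field name = SEP001122334455 updated][ Node ID=cucm-pub]: Audit Event is generated by this application
: 3: Dec 18 10:41:19.870 UTC :  %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =jsmith][ ClientAddress =10.20.30.77][ EventType =GeneralConfigurationUpdate][ EventStatus =Success][ AuditDetails =record in table numplan with key field dnorpattern = 2001 updated][ Node ID=cucm-pub]: Audit Event is generated by this application
: 4: Dec 18 11:02:45.311 UTC :  %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =jsmith][ ClientAddress =10.20.30.77][ EventType =ServiceControl][ EventStatus =Success][ AuditDetails =Cisco Tftp service restarted][ Node ID=cucm-pub]: Audit Event is generated by this application
"""

HEADER = re.compile(r"^:\s*\d+:\s*(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) :")
PAIR = re.compile(r"\[\s*([^=\]]+?)\s*=\s*([^\]]*)\]")  # value may itself contain '='


def parse_entries(text, year):
    """Turn AuditApp lines into dicts; the format omits the year, so the caller supplies it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # blank or continuation line, not an audit event
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        fields = {k.strip(): v.strip() for k, v in PAIR.findall(line)}
        fields["Timestamp"] = when
        fields["TimeZone"] = m.group(2)  # time zone the server logged in
        entries.append(fields)
    return entries


def find_events(entries, event_types=None, keyword="", start=None, end=None):
    """Apply the Section 3 filters: selected event types, search keyword, time window."""
    hits = []
    for e in entries:
        if event_types is not None and e.get("EventType") not in event_types:
            continue  # event type unchecked in the filter
        if keyword and keyword.lower() not in e.get("AuditDetails", "").lower():
            continue  # keyword (DN, phone name/MAC) not in the Details column
        if (start and e["Timestamp"] < start) or (end and e["Timestamp"] > end):
            continue
        hits.append((e["Timestamp"], e.get("UserID"), e.get("ClientAddress"), e.get("AuditDetails")))
    return hits


if __name__ == "__main__":
    for ts, user, ip, details in find_events(parse_entries(SAMPLE_LOG, 2019), keyword="SEP001122334455"):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user} from {ip}: {details}")
```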

Exporting Events

The event results can be exported to either a PDF or CSV file, by clicking the Export To File button.

Export to File

Section 4: Troubleshooting Log Analysis

Audit Log Directory Not Specified or Invalid

If the Audit Log Directory for the selected CUCM Cluster in Variphy has not yet been specified or does not exist on the filesystem, the following error message will be shown. 

Specify, and create if necessary, the appropriate Audit Log Directory path for this CUCM Cluster in Variphy. See Section 1: Configuration for more information.

Updated on December 19, 2019
