Introduction
Variphy’s Log Analysis provides the ability to analyze, search, and identify specific log file information for CUCM, UCCX, and CUC Version 7.1 and newer.
CUCM User Audit Logs store a myriad of administrative activity event data, including CUCM user login information, move/add/change/delete (MACD) configuration changes, and command line (CLI) activity for the CUCM server consoles.
Log Analysis in Variphy enables specific events and/or information to be filtered and located within 1 or multiple log files, for example, to identify who made a specific change and the IP address it originated from within a certain time period.
As of CUCM version 9.1.2, changes to Device Defaults (such as changing the device pool, phone button template or firmware load) for a phone model still do not appear in CUCM Audit Logs, and thus will not appear in Log Analysis in Variphy.
However, as part of a firmware change in CUCM, the TFTP Service must be restarted for the devices to download the new firmware. The TFTP Service restart will show up in the Audit Logs, which should help identify which user made such a change.
Section 1: Configuration
Variphy requires that the User Audit Log files be retrieved from the Cisco server and stored on the application’s file system. Before using Log Analysis for a Cluster, Variphy must be configured to locate the specific User Audit Log files on the file system, by entering in the directory path location relative to the Variphy Server.
When selecting the Log Analysis Tab for a given Cluster, an error message will be shown if the Audit Log Directory has not yet been entered, is invalid, or does not exist.
Audit Log Directory
For each Cluster in Variphy for which Log Analysis should be enabled, a unique directory/folder on the file system must be identified to store, identify, and access the Audit Log files. If necessary, create the desired folder location(s) for each Cluster accordingly. This folder location must be accessible from the Variphy Insight installation directory.
If there are multiple Clusters, remember to use and specify a unique and separate directory for each Cluster, so that the Audit Log files can be organized accordingly and no unwanted overlap occurs amongst Clusters.
In this example, the Audit Log Directory is E:\Data\AuditLogs. To configure this directory location in Variphy Insight:
Variphy on Windows Server
1) Hover over the Setup – Clusters tab.
2) Select the type of Cluster that will be configured. (CUCM, Unity Connection or UCCX).
3) By default all configured Clusters will be shown. Select the desired Cluster to edit or add a new Cluster if necessary.
4) On the Edit Cluster page scroll down to the Log Analysis section. Here, specify the directory path for the Audit Log Directory
** Note: Ensure that this directory exists on the server’s file system and is accessible from the Variphy Insight installation directory.
Variphy on Variphy’s Linux OVA
1) Hover over the Setup – Clusters tab.
2) Select the type of Cluster that will be configured. (CUCM, Unity Connection or UCCX).
3) By default all configured Clusters will be shown. Select the desired Cluster to edit or add a new Cluster if necessary.
4) Variphy’s Linux OVA comes pre-built with configured Download Directory Path for Audit Logs. Use /opt/Variphy/Data/Cluster1/Logs. Replace ‘Cluster1’ with folder name designated for that cluster.
Section 2: Retrieving CUCM Audit Logs
User Audit Logs can be retrieved from CUCM via a “pull” or “push” method, through the use of the Cisco Real-Time Monitoring Tool (RTMT). RTMT comes included with CUCM, and is available for download via the “Plugins” link of the “Applications” section of CUCM Administration.
Manually Downloading CUCM Audit Logs
The download or “pull” of the User Audit Logs from CUCM can be done via RTMT. If RTMT runs on the same machine as Variphy Insight, the log files can be downloaded directly to the local file system, where it can be accessed by Variphy Insight. If RTMT is run on a different machine, the log files it downloads can then be easily uploaded to Variphy Insight via its web interface.
Begin by launching RTMT and logging into the appropriate CUCM Server
Login with the appropriate CUCM Admin login credentials (note that this may be on the previous screen, depending on the RTMT version).
Once the GUI completes loading, click to select Trace and Log Central under Tools on the left menu, then double click to open Audit Logs.
The Action Options screen will appear, showing the choice to download Audit Logs either manually or via a scheduled download.
To manually download Audit Logs, select the Download Audit Logs option and click Next. To schedule automatic Audit Log delivery, see the Scheduling CUCM Audit Log Delivery section below in this document.
Under “Nodes Selection Options”, select any/all appropriate CUCM Servers. Each CUCM Server will create and log its own set of Audit Log files.
Under Collection Time, select the appropriate time range for Audit Log data. For example, if the current month’s User Audit information is desired, then choose this time range. Any User Audit Log files which have entries for the selected time range will be downloaded.
Under Download File Options, choose the folder location where the Audit Logs should be downloaded to.
If RTMT is running on the same server as Variphy
The Audit Log files can be downloaded directly to the same Audit Log Directory location which Variphy Insight is configured to look for the selected Cluster. In this scenario, DO NOT ENABLE the “Zip All Files” option, as Variphy Insight will not look in zip files when searching for Audit Log files.
If RTMT is NOT running on the same server as Variphy
The Audit Log files can be downloaded as a single zip file and then uploaded to Variphy Insight. For more information, see the Uploading CUCM Audit Logs via the Variphy Insight Web User Interface section below.
In this scenario, enable the “Zip all Files” option to download the files as a single zip file.
When ready, click Finish to begin the download process. The resulting screen will indicate the download progress and completion.
Once completed, 2 types of Audit Log files will be downloaded, “Audit App” and “vos”. Log Analysis in Variphy Insight is currently only for the “Audit App” files, so the other files can be deleted as they will be ignored.
Uploading CUCM Audit Logs via the Variphy Web User Interface
To upload a single or multiple User Log files compressed together within a zip file, select the Log Analysis Tab for the appropriate CUCM Cluster.
Click the Upload Log Files button to reveal the Upload options, then choose the desired type and file to upload.
Select whether it is a single log file or a zip file containing multiple log files and then click the Upload button.
Variphy will save the files (if zip file is uploaded, files will be extracted) to a unique directory named as the current date and time within the Audit Log Directory specified for this Cluster.
If successful, the uploaded files will appear in the resulting Audit Log File list.
Scheduling CUCM Audit Log Delivery
In this scenario, RTMT is only used to create, configure, and initiate the scheduled log collection. This does not require RTMT to always be running.
This process results in the configuration of CUCM to automatically push its User Audit Log files to the Variphy Server via either FTP or SFTP. This requires the use of a SFTP/FTP Server on the Variphy Server in order to receive the log files from CUCM and consistent ongoing IP connectivity from the CUCM Publisher to the Variphy Server.
Begin by launching RTMT and logging into the appropriate CUCM Server
Login with the appropriate CUCM Admin login credentials (note that this may be on the previous screen, depending on the RTMT version).
Once the GUI completes loading, click to select “Trace and Log Central” under Tools on the left menu, then double click to open “Audit Logs”.
The Action Options screen will appear, showing the choice to download Audit Logs either manually download or via a schedule. Select the Schedule Download of Audit Logs option and click Next.
Under Nodes Selection Options, select any/all appropriate CUCM Servers.
Under Schedule Time, select the desired Time Zone for the log entries to be associated with and the appropriate Schedule Start and End Date/Time, along with the Frequency, for log collection. Since RTMT insists that a Schedule End Time is specified, enter a date/time far off in the future (such as 3 years) to create a long-lasting schedule.
The Frequency selected will determine how often new log file are available for analysis in Variphy Insight.
For example, if Log Analysis will be performed for user activity for the previous day as opposed to the previous week or month, set the appropriate Frequency to ensure the data is properly collected when needed.
Under Action Options, check the box next to Download Files.
The Trace Download Configuration window will appear.
Select SFTP/FTP Server. The Localhost option is not supported for Cisco Unified Communications Manager (as described the Cisco RTMT help guide).
Variphy on Windows Server
Select the appropriate Protocol to be used.
Enter the host IP address of the Variphy Server, which CUCM will use as its destination for sending its Audit Log files.
Enter the FTP Server user name and password, which CUCM will use as authentication to the FTP server.
Enter the Port and Download Directory Path, which CUCM will use as its destination to send its Audit Log files. Port 21 should be used for FTP and Port 22 for SFTP.
Once complete, click the Test Connection button, and then if successful, click the Ok button.
In the screenshot example shown below, the IP address of the Variphy Server is 10.20.30.10 and the FTP Server is configured to run on port 21 (which is the default for FTP). A user account with username “RTMT” is configured on the FTP Server, with “Write” privileges to the Download Directory Path specified. This will allow CUCM to upload files as opposed to just downloading.
By entering “/” as the Download Directory Path, CUCM will upload its files to the home root directory of the user account (“RTMT” in this example) as configured in the FTP Server. The home directory for the user can and should then be configured appropriately in the FTP Server.
For Log Analysis, the home directory of the user account in the FTP Server should be configured to be the same as the Audit Log Directory for this Cluster.
Test Connection to confirm communication functionality. Once test successfully completes, click the Finish button to schedule the log collection.
Variphy on Variphy’s Linux OVA
Select SFTP as the appropriate Protocol to be used.
Enter the host IP address of the Variphy Server, which CUCM will use as its destination for sending its Audit Log files.
Enter the SFTP Server user name variphyadmin and password V@riphy!!, which CUCM will use as authentication to the SFTP server pre-loaded on the Linux OVA.
Enter Port 22 for SFTP
Variphy’s Linux OVA comes bre-built with configured Download Directory Path for Audit Logs. Use /opt/Variphy/Data/Cluster1/Logs. Replace ‘Cluster1’ with folder name designated for that cluster.
Once complete, click the Test Connection button, and then if successful, click the Ok button.
Section 3: Using Log Analysis
To access and use Log Analysis, select the Log Analysis tab from the main navigation in Variphy Insight.
Selecting User Audit Logs for Analysis
Filtering and Search for Events
Once at least 1 User Audit Log file has been selected, a list Filter & Search Options will be shown.
Log data can be filtered by clicking any of the available filter links and selecting or de-selecting any of the filter entries. For example, for “Event Type“, uncheck “User Logging” events to hide it from view.
** Note: Ensure that each filter has at least 1 option selected.
To search for a specific configuration change, a search keyword (such as a directory number or phone’s name/MAC address) can also be entered into the ‘Search’ text field box. The search will be applied in combination with the Filters applied.
When ready, click the ‘View Events’ button to view the event results.
Viewing Events
The event results detail each Audit log entry for the selected Filters and Search Options (if applicable).
Each log entry contains a date and time, which by default is in the time zone in which the CUCM server logs were retrieved from. When downloading log files via RTMT, a time zone can be specified.
Event type ‘General Configuration Update’ are configuration changes that have been made to the CUCM system. The Details column will show the specific update information.
For an event or change in question, such as a service restart or a critical update made to a phone or device, Log Analysis in Variphy Insight will help identify the user who executed the change or update, when it was performed, and from which IP address.
Exporting Events
The event results can be exported to either a PDF or CSV file, by clicking the Export To File button.
Section 4: Troubleshooting Log Analysis
Audit Log Directory Not Specified or Invalid
If the Audit Log Directory for the selected CUCM Cluster in Variphy has not yet been specified or does not exist on the filesystem, the following error message will be shown.
Specifiy, and create id necessary, the appropriate Audit Log Directory path for this CUCM Cluster in Variphy. See Section 1: CONFIGURATION for more information.
