|
Home > Archive > Voice over IP Cisco > July 2006 > MLA command history?
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
MLA command history?
|
|
| Robert Kulagowski 2006-07-31, 7:11 am |
| We have MLA turned on (CM 4.1.3). Is there some sort of history
mechanism that would tell us who deleted a route pattern?
| |
| Ryan Ratliff 2006-07-31, 1:11 pm |
| IIS logs in c:\winnt\system32\logfiles\w3svc1\ will show you but
you'll have to do some digging.
I'd recommend adding a new route pattern pointing to a dummy gw, then
deleting it. Look at the IIS log for your delete and take note of
the string invoked. Then search through all the logs for a similar
string that will show you all route patterns deleted, including the
mla username and source IP address.
-Ryan
On Jul 31, 2006, at 8:06 AM, Robert Kulagowski wrote:
We have MLA turned on (CM 4.1.3). Is there some sort of history
mechanism that would tell us who deleted a route pattern?
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
| |
| Patrick Aland 2006-07-31, 1:11 pm |
| There is an MLA trace file that is a little cryptic but will give you
a general breadcrumb history for a user. Normally in the
c:\Program Files\Cisco\Trace\MLA directory if I recall correctly.
Patrick
On 7/31/06, Robert Kulagowski <bob@smalltime.com> wrote:
> We have MLA turned on (CM 4.1.3). Is there some sort of history
> mechanism that would tell us who deleted a route pattern?
> ________________________________________
_______
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
--
--Patrick
| |
| Robert Kulagowski 2006-07-31, 1:11 pm |
| > There is an MLA trace file that is a little cryptic but will give you
> a general breadcrumb history for a user. Normally in the
> c:\Program Files\Cisco\Trace\MLA directory if I recall correctly.
I just took a look, and unless there's some debug level that isn't
turned up high enough, the details just aren't there. I was really
hoping for something like "user x: action: delete route pattern 8.090!"
or something similar.
Is this level of detail available? It's difficult to perform a
post-mortem with what's in there now.
| |
| Lelio Fulgenzi 2006-07-31, 1:11 pm |
| All I ever found, even after turning debug on, was the URL that the person visited. Nothing about database changes.
There is a product from Arcana Networks called ManageExpress that was built for CallManager express, but I've been told they recently upgraded it for CallManager compatibilitiy. I have yet to test it out but it looks like it has what you (we're) looking for.
If you test it out and it works, let us know. ;)
----- Original Message -----
From: Robert Kulagowski
To: cisco-voip@puck.nether.net
Sent: Monday, July 31, 2006 8:53 AM
Subject: Re: [cisco-voip] MLA command history?
> There is an MLA trace file that is a little cryptic but will give you
> a general breadcrumb history for a user. Normally in the
> c:\Program Files\Cisco\Trace\MLA directory if I recall correctly.
I just took a look, and unless there's some debug level that isn't
turned up high enough, the details just aren't there. I was really
hoping for something like "user x: action: delete route pattern 8.090!"
or something similar.
Is this level of detail available? It's difficult to perform a
post-mortem with what's in there now.
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
| |
| Lelio Fulgenzi 2006-07-31, 1:11 pm |
| All I ever found, even after turning debug on, was the URL that the person visited. Nothing about database changes.
There is a product from Arcana Networks called ManageExpress that was built for CallManager express, but I've been told they recently upgraded it for CallManager compatibilitiy. I have yet to test it out but it looks like it has what you (we're) looking for.
If you test it out and it works, let us know. ;)
----- Original Message -----
From: Robert Kulagowski
To: cisco-voip@puck.nether.net
Sent: Monday, July 31, 2006 8:53 AM
Subject: Re: [cisco-voip] MLA command history?
> There is an MLA trace file that is a little cryptic but will give you
> a general breadcrumb history for a user. Normally in the
> c:\Program Files\Cisco\Trace\MLA directory if I recall correctly.
I just took a look, and unless there's some debug level that isn't
turned up high enough, the details just aren't there. I was really
hoping for something like "user x: action: delete route pattern 8.090!"
or something similar.
Is this level of detail available? It's difficult to perform a
post-mortem with what's in there now.
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
| |
| Lelio Fulgenzi 2006-07-31, 1:11 pm |
| I'm not sure if the SQL transaction logs will help, i.e. do they post the userID and if so, is it the CMdirectory userID?, but it would seem something like this might do the trick:
http://www.apexsql.com/sql_tools_log.asp
----- Original Message -----
From: Lelio Fulgenzi
To: Robert Kulagowski ; cisco-voip@puck.nether.net
Sent: Monday, July 31, 2006 10:19 AM
Subject: Re: [cisco-voip] MLA command history?
All I ever found, even after turning debug on, was the URL that the person visited. Nothing about database changes.
There is a product from Arcana Networks called ManageExpress that was built for CallManager express, but I've been told they recently upgraded it for CallManager compatibilitiy. I have yet to test it out but it looks like it has what you (we're) looking for.
If you test it out and it works, let us know. ;)
----- Original Message -----
From: Robert Kulagowski
To: cisco-voip@puck.nether.net
Sent: Monday, July 31, 2006 8:53 AM
Subject: Re: [cisco-voip] MLA command history?
> There is an MLA trace file that is a little cryptic but will give you
> a general breadcrumb history for a user. Normally in the
> c:\Program Files\Cisco\Trace\MLA directory if I recall correctly.
I just took a look, and unless there's some debug level that isn't
turned up high enough, the details just aren't there. I was really
hoping for something like "user x: action: delete route pattern 8.090!"
or something similar.
Is this level of detail available? It's difficult to perform a
post-mortem with what's in there now.
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
| |
| Ryan Ratliff 2006-07-31, 1:11 pm |
| I really doubt the SQL logs will show the MLA userid.
IIS logs are the way to go. It's really not that bad if you take
the time to know what to look for.
-Ryan
On Jul 31, 2006, at 10:56 AM, Lelio Fulgenzi wrote:
I'm not sure if the SQL transaction logs will help, i.e. do they post
the userID and if so, is it the CMdirectory userID?, but it would
seem something like this might do the trick:
http://www.apexsql.com/sql_tools_log.asp
----- Original Message -----
From: Lelio Fulgenzi
To: Robert Kulagowski ; cisco-voip@puck.nether.net
Sent: Monday, July 31, 2006 10:19 AM
Subject: Re: [cisco-voip] MLA command history?
All I ever found, even after turning debug on, was the URL that the
person visited. Nothing about database changes.
There is a product from Arcana Networks called ManageExpress that was
built for CallManager express, but I've been told they recently
upgraded it for CallManager compatibilitiy. I have yet to test it out
but it looks like it has what you (we're) looking for.
If you test it out and it works, let us know. ;)
----- Original Message -----
From: Robert Kulagowski
To: cisco-voip@puck.nether.net
Sent: Monday, July 31, 2006 8:53 AM
Subject: Re: [cisco-voip] MLA command history?
> There is an MLA trace file that is a little cryptic but will give you
> a general breadcrumb history for a user. Normally in the
> c:\Program Files\Cisco\Trace\MLA directory if I recall correctly.
I just took a look, and unless there's some debug level that isn't
turned up high enough, the details just aren't there. I was really
hoping for something like "user x: action: delete route pattern 8.090!"
or something similar.
Is this level of detail available? It's difficult to perform a
post-mortem with what's in there now.
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
| |
| Wes Sisk 2006-07-31, 1:11 pm |
| The MLA access logs tell you a little bit:
http://www.cisco.com/en/US/customer....html#wp1025731
07/31/ 06:11:23:31:Access:|ccmadministrator|acc
ess||/CCMAdmin/_RemoteScripts/rs_system.asp||deleteRoutePattern
: called with Full Access
07/31/ 06:11:24:18:Access:|ccmadministrator|acc
ess||/CCMAdmin/_RemoteScripts/rs_system.asp||deleteRoutePattern
: called with Full Access
But as Ryan said, this IIS logs tell you more.
/Wes
Robert Kulagowski wrote:
> We have MLA turned on (CM 4.1.3). Is there some sort of history
> mechanism that would tell us who deleted a route pattern?
> ________________________________________
_______
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
| |
| Robert Kulagowski 2006-07-31, 1:11 pm |
| Wes Sisk wrote:
> The MLA access logs tell you a little bit:
> http://www.cisco.com/en/US/customer....html#wp1025731
>
>
> 07/31/ 06:11:23:31:Access:|ccmadministrator|acc
ess||/CCMAdmin/_RemoteScripts/rs_system.asp||deleteRoutePattern
> : called with Full Access
> 07/31/ 06:11:24:18:Access:|ccmadministrator|acc
ess||/CCMAdmin/_RemoteScripts/rs_system.asp||deleteRoutePattern
> : called with Full Access
>
> But as Ryan said, this IIS logs tell you more.
It turns out that in this case it wasn't a delete; it was an update that
should have been a copy.
I haven't had the cycles to investigate, so I'll have to check if there
would have been sufficient details in the IIS logs to determine what
happened.
| |
|
|
|
|
| Ryan Ratliff 2006-07-31, 1:11 pm |
| Here is a line from the IIS log on my 4.1(3) server after I did an
update to a 413XXXX route pattern.
2006-07-31 17:17:44 14.48.39.100 administrator 14.48.39.100 443 GET /
CCMAdmin/_RemoteScripts/rs_system.asp
_method=updateRoutePattern&_mtype=execute&pcount=41&p0=%
7BF96BF080-282E-43A7-AD45-576F5C62DCB3%7D&p1=5&p2=421XXXX
There is a lot more to the line but I've included just the important
parts.
The first IP address is the source IP addr, the second is the server
IP address. The username is pretty obvious, my server does not have
MLA enabled.
GET is the operation, and what follows is the good stuff. p0 is the
SQL pkid of the route pattern, found in the NumPlan table (%7b = { so
the actual pkid in my case starts with F96B). p2 is the actual route
pattern (421XXXX in my case). Between these two you should be able
to identify the correct route pattern.
The search string you'll want to use is "updateRoutePattern".
So to put it all together, run the following command from a cmd
prompt to get all the route pattern udpates from today.
findstr updateRoutePattern c:\winnt\system32\logfiles\w3svc1
\ex060731.log > routepatternupdates.txt
This will dump all the updates into the current directory. From
there just take a look and see what you have.
-Ryan
On Jul 31, 2006, at 11:45 AM, Robert Kulagowski wrote:
Wes Sisk wrote:
> The MLA access logs tell you a little bit:
> http://www.cisco.com/en/US/customer.../voicesw/ps556/
> products_administration_guide_chapter091
86a00803eda81.html#wp1025731
>
>
> 07/31/ 06:11:23:31:Access:|ccmadministrator|acc
ess||/CCMAdmin/
> _RemoteScripts/rs_system.asp||deleteRoutePattern
> : called with Full Access
> 07/31/ 06:11:24:18:Access:|ccmadministrator|acc
ess||/CCMAdmin/
> _RemoteScripts/rs_system.asp||deleteRoutePattern
> : called with Full Access
>
> But as Ryan said, this IIS logs tell you more.
It turns out that in this case it wasn't a delete; it was an update that
should have been a copy.
I haven't had the cycles to investigate, so I'll have to check if there
would have been sufficient details in the IIS logs to determine what
happened.
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
| |
| Simon, Bill 2006-07-31, 1:11 pm |
| This is horribly cryptic. How about a reporting tool that tells it in plain
English (or French, or Chinese, or whatever) ?
> -----Original Message-----
> From: Ryan Ratliff [mailto:rratliff@cisco.com]
> Sent: Monday, July 31, 2006 1:30 PM
> To: Robert Kulagowski
> Cc: cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] MLA command history?
>
> Here is a line from the IIS log on my 4.1(3) server after I did an
> update to a 413XXXX route pattern.
>
> 2006-07-31 17:17:44 14.48.39.100 administrator 14.48.39.100 443 GET /
> CCMAdmin/_RemoteScripts/rs_system.asp
> _method=updateRoutePattern&_mtype=execute&pcount=41&p0=%
> 7BF96BF080-282E-43A7-AD45-576F5C62DCB3%7D&p1=5&p2=421XXXX
>
> There is a lot more to the line but I've included just the important
> parts.
>
> The first IP address is the source IP addr, the second is the server
> IP address. The username is pretty obvious, my server does not have
> MLA enabled.
> GET is the operation, and what follows is the good stuff. p0 is the
> SQL pkid of the route pattern, found in the NumPlan table
> (%7b = { so
> the actual pkid in my case starts with F96B). p2 is the
> actual route
> pattern (421XXXX in my case). Between these two you should be able
> to identify the correct route pattern.
>
> The search string you'll want to use is "updateRoutePattern".
>
> So to put it all together, run the following command from a cmd
> prompt to get all the route pattern udpates from today.
> findstr updateRoutePattern c:\winnt\system32\logfiles\w3svc1
> \ex060731.log > routepatternupdates.txt
>
> This will dump all the updates into the current directory. From
> there just take a look and see what you have.
>
> -Ryan
>
> On Jul 31, 2006, at 11:45 AM, Robert Kulagowski wrote:
>
> Wes Sisk wrote:
>
> It turns out that in this case it wasn't a delete; it was an
> update that
> should have been a copy.
>
> I haven't had the cycles to investigate, so I'll have to
> check if there
> would have been sufficient details in the IIS logs to determine what
> happened.
> ________________________________________
_______
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
> ________________________________________
_______
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
| |
| Simon, Bill 2006-07-31, 1:11 pm |
| Thanks. I saw this link go by earlier but ignored it thinking it was
something different. Looks like a good product. Do you use it? What do
you think?
> -----Original Message-----
> From: J. Oquendo [mailto:sil@infiltrated.net]
> Sent: Monday, July 31, 2006 1:35 PM
> To: Simon, Bill
> Subject: Re: [cisco-voip] MLA command history?
>
> http://www.cisco.com/en/US/products...ucts_data_sheet
> 0900aecd80313abd.html
>
> Simon, Bill wrote:
> tells it in plain
> I did an
> 14.48.39.100 443 GET /
> important
> the server
> does not have
> p0 is the
> should be able
> products_administration_guide_chapter091
86a00803eda81.html#wp1025731
> determine what
>
>
> --
> ========================================
============
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup...arch=0x1383A743
> GPG Key ID 0x1383A743
> Fingerprint:
> 7B02 28CF 24D3 ACA7 9907 789A 8772 7736 1383 A743
>
> sil . infiltrated @ net
> http://www.infiltrated.net
>
>
> The happiness of society is the end of government.
> John Adams
>
|
|
|
|
|