I was able to set up my CUCM 11.0 to have audit log details written out via syslog just by going to
Cisco Unified Serviceability -> Tools -> Audit Log Configuration
and entering the Server Name for Remote Syslog under the Application Audit Log Settings section.
Here is a sample syslog message that I got when I deleted a phone from a CUCM in my lab.
<189>8103: Oct 14 2015 05:50:19 AM.484 UTC : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =10.110.1.2][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID=CUCM11PUB]: Audit Event is generated by this application
However, when I did this on an earlier version of CUCM, say 10.5, I get nothing via syslog.
Does anyone know if this is a feature only in 11.0?
Or are there some other settings prior to 11.0 before this will work?
Does anyone have any idea?
I want to develop a collector for audit events via syslog instead of getting files off the server.
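A minimal parser for the audit message format shown in the post above, as a starting point for the kind of syslog collector the poster describes. This is an added example, not part of the original thread and not Cisco code; the names `parse_audit` and `deleted_record` and the regular expressions are assumptions derived from that single sample message.

```python
import re

# The sample message quoted in the post above, split across lines for readability.
SAMPLE = (
    "<189>8103: Oct 14 2015 05:50:19 AM.484 UTC : %UC_AUDITLOG-5-AdministrativeEvent: "
    "%[ UserID =administrator][ ClientAddress =10.110.1.2][ Severity =5]"
    "[ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin]"
    "[ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent]"
    "[ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, "
    "with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=]"
    "[Node ID=CUCM11PUB]: Audit Event is generated by this application"
)

# <PRI>seq: timestamp : %UC_AUDITLOG-<level>-<event>: %<bracketed fields>
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): (?P<ts>.+?) : "
    r"%UC_AUDITLOG-(?P<level>\d)-(?P<event>\w+): %(?P<body>.*)$"
)
# [ Key =value]; the key ends at the first '=', so '=' may appear inside the value.
FIELD = re.compile(r"\[\s*([^=\]]+?)\s*=([^\]]*)\]")
# AuditDetails wording for a deleted database record, as seen in the sample.
DELETE = re.compile(r"record in table (\S+?), with key field name = (\S+) deleted")


def parse_audit(line):
    """Return a dict for a CUCM audit syslog line, or None if it does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # syslog PRI is facility * 8 + severity, at most 23 * 8 + 7
        return None
    fields = {k: v.strip() for k, v in FIELD.findall(m["body"])}
    return {"facility": pri >> 3, "severity": pri & 7, "seq": int(m["seq"]),
            "timestamp": m["ts"], "event": m["event"], "fields": fields}


def deleted_record(event):
    """Return (table, key) if the audit event records a deletion, else None."""
    m = DELETE.search(event["fields"].get("AuditDetails", ""))
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    ev = parse_audit(SAMPLE)
    print(ev["fields"]["UserID"], ev["fields"]["ClientAddress"], deleted_record(ev))
```

Field values arrive from the network and should be treated as untrusted input before they are stored or displayed.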
This is a known defect of 10.5.2 (and earlier, I think). The defect is CDETS CSCus02985.
The latest information I have is that it should be fixed in the next service release available sometime this month. I assume that would be 10.5.2 SU2.
Thanks so much, Nicholas. This is great to know. I have some old CUCM clusters running 9.1 and 8.6 as well. Do you know if there are plans to fix those? I am finding similar issues with those.
According to the CDETS information, the defect does exist all the way back to 8.0, but they're only fixing it in 10.5.2 and 11.0 and 11.5 (and future versions). I've already received word that the engineers are not creating any engineering specials with the fix for previous versions, so I'm afraid it looks like it's only 10.5.2 and forward. I don't know why it wouldn't be fixed in 9.1, but 8.6 has already passed the end-of-life date for engineering fixes.
Thank you very much for the information again. This is really helpful.