About Change Logs
The change log continuously captures configuration changes as they are made in Cisco Defense Orchestrator (Defense Orchestrator). This single view includes changes across devices and services for ASA, ASA FirePOWER, Firepower Threat Defense (FTD), and Umbrella. The benefits of the change log include:
- Side-by-side comparison of changes made to an ASA or FTD device's configuration.
- Plain-English labels for all change log entries.
- Records onboarding and removal of devices.
- Detection of policy change conflicts occurring outside of Defense Orchestrator.
- Answers who, what, and when during an incident investigation or troubleshooting.
- The full change log, or only a portion, can be downloaded as a CSV file by clicking the Export button.
Change Log Capacity
Change logs can contain a maximum of 1GB of information. If the size of your change log exceeds the 1GB limit, Defense Orchestrator deletes the oldest entries in the change log in order to continue writing the latest entries.
If you want to retain more than 1GB of change log information, you can export the change log to a CSV file. We recommend exporting change log information monthly.
Change Log Entries
A change log entry reflects changes to a single device configuration, an action performed on a device, or a change made to the device outside of Defense Orchestrator.
- For change log entries that contain a change to configuration, you can expand the change by clicking anywhere in the row.
- Defense Orchestrator closes a change log entry after the device's configuration on Defense Orchestrator is synced with the configuration on the device, or when a device is removed from Defense Orchestrator. Configurations are in sync after "reading" the configuration from the device to Defense Orchestrator or "writing" the configuration from Defense Orchestrator to the device.
- Defense Orchestrator creates a new change log entry immediately after closing an existing entry. Additional configuration changes are added to the open change log entry.
- Events are displayed for read, write, and delete actions against a device. These actions close the change log.
- A change log is closed once CDO is in sync with the configuration on the device (either by reading or writing), or when CDO no longer manages the device.
- If a change is made to the device outside of Defense Orchestrator, a "conflict detected" entry is written to the change log.
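The following added example, which is not Cisco's code or part of the original page, checks archived full CSV exports for two things described above: entries lost to the 1GB rotation between exports, and "conflict detected" entries. The column names, the ISO timestamp format, and the sample rows are assumptions constructed for illustration; the page does not document the CSV layout.

```python
import csv
import io
from datetime import datetime

# Assumed column names and ISO timestamps; adjust to match your actual export.
TS_COL, DEVICE_COL, DESC_COL = "timestamp", "device", "description"

def load_export(text):
    """Parse one full CSV export into rows sorted oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["_ts"] = datetime.fromisoformat(row[TS_COL])
    return sorted(rows, key=lambda r: r["_ts"])

def coverage_gaps(exports):
    """Return (covered_until, next_start) pairs where full exports share no time range."""
    # A later full export should still hold the newest entry of the previous one;
    # if it starts after that point, the oldest entries were deleted in between.
    spans = sorted((rows[0]["_ts"], rows[-1]["_ts"]) for rows in exports if rows)
    gaps, covered_until = [], None
    for start, end in spans:
        if covered_until is not None and start > covered_until:
            gaps.append((covered_until, start))
        covered_until = end if covered_until is None else max(covered_until, end)
    return gaps

def out_of_band_changes(exports):
    """Return unique (timestamp, device) pairs for "conflict detected" entries."""
    return sorted({(r["_ts"], r[DEVICE_COL]) for rows in exports for r in rows
                   if "conflict detected" in r[DESC_COL].lower()})

# Constructed sample exports (not real Defense Orchestrator output).
JAN = """timestamp,device,description
2024-01-05T10:00:00,asa-edge-1,Device onboarded
2024-01-20T14:30:00,asa-edge-1,Conflict detected
"""
FEB = """timestamp,device,description
2024-01-20T14:30:00,asa-edge-1,Conflict detected
2024-02-11T08:45:00,ftd-core-2,Configuration written to device
"""
MAR = """timestamp,device,description
2024-03-02T16:10:00,ftd-core-2,Conflict detected
"""

if __name__ == "__main__":
    exports = [load_export(t) for t in (JAN, FEB, MAR)]
    print(coverage_gaps(exports), out_of_band_changes(exports))
```

A reported gap means the archive cannot account for that window, so the export interval should be shortened. The check only holds for full exports, not filtered ones.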
ASA Change Log Specifics
See these articles for explanations of ASA change log entries:
FTD Change Log Specifics
See these articles for explanations of FTD change log entries:
Active and Completed Change Log Entries
Change logs have a status of either active or completed. As you make changes to a device's configuration using Defense Orchestrator, those changes are recorded in an active change log entry. Reading a configuration from a device to Defense Orchestrator, writing changes from Defense Orchestrator to a device, deleting a device from Defense Orchestrator, or running a CLI command that updates the running configuration file completes the active change log and creates a new one for future changes.
The following image is of an active change log entry in an ASA. Note the open circle next to the timestamp at left.
Finding Entries in the Change Log
Change log events are searchable and filterable. Use the search bar to find events that match your keywords. Use the filter to find the entries that meet all the criteria you specify. You can also combine the operations by filtering the change log and adding a keyword to the search field to find an entry within the filtered results.