About Change Logs
The change log continuously captures configuration changes as they are made in Cisco Defense Orchestrator (CDO). This single view includes changes across all supported devices and services. These are some of the features of the change log:
- Side-by-side comparison of changes made to device configuration.
- Plain-English labels for all change log entries.
- Records on-boarding and removal of devices.
- Detection of policy change conflicts occurring outside of CDO.
- Answers who, what, and when during an incident investigation or troubleshooting.
- The full change log, or only a portion, can be downloaded as a CSV file.
Change Log Capacity
Change logs contain a maximum of 1GB of information. If the size of your change log exceeds the 1GB limit, CDO deletes the oldest entries in the change log so that it can continue writing the latest entries.
There is a difference between change log information CDO stores in its database and what you see when you export a change log. See Exporting the Change Log to a CSV File for more information.
Change Log Entries on the Change Log Page
A change log entry reflects changes to a single device configuration, an action performed on a device, or a change made to the device outside of CDO.
- For change log entries that contain a change to configuration, you can expand the change by clicking anywhere in the row.
- For out-of-band changes made outside of CDO that are detected as a conflict, System User is reported as the Last User.
- CDO closes a change log entry after the device's configuration on CDO is synced with the configuration on the device or when a device is removed from CDO. Configurations are in sync after "reading" the configuration from the device to CDO or by deploying the configuration from CDO to the device.
- CDO creates a new change log entry immediately after closing an existing entry. Additional configuration changes are added to the open change log entry.
- Events are displayed for read, deploy, and delete actions against a device. These actions close a device's change log.
- A change log is closed once CDO is in sync with the configuration on the device (either by reading or deploying), or when CDO no longer manages the device.
- If a change is made to the device outside of CDO, a "conflict detected" entry is written to the change log.
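The out-of-band entries described above can be triaged from an exported change log. The following is an added example, not CDO code and not its documented export format: the column names (`timestamp`, `device`, `last_user`, `description`) and the sample rows are assumptions constructed for illustration. It pairs each System User entry with the next named-user entry on the same device, so conflicts that nobody has followed up on stand out.

```python
import csv
import io

# Constructed sample export. The column names are assumptions for this
# example; replace them with the header row of your own exported CSV.
SAMPLE_CSV = """\
timestamp,device,last_user,description
2024-03-01T09:12:00Z,asa-edge-01,alice@example.com,Changed access rule
2024-03-01T09:40:00Z,asa-edge-01,System User,Conflict detected
2024-03-01T10:05:00Z,asa-edge-01,alice@example.com,Deployed configuration
2024-03-02T02:17:00Z,ftd-branch-02,System User,Conflict detected
"""

# Last User value the page says is reported for out-of-band changes.
SYSTEM_USER = "system user"

def is_system_user(row):
    return (row["last_user"] or "").strip().casefold() == SYSTEM_USER

def load_entries(csv_text, required=("timestamp", "device", "last_user")):
    """Parse the export and fail loudly if an expected column is absent."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = set(required) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks expected columns: {sorted(missing)}")
    # ISO 8601 UTC timestamps in a single format sort correctly as strings.
    return sorted(reader, key=lambda r: r["timestamp"])

def out_of_band_report(csv_text):
    """Pair each System User entry with the next named-user entry on that device."""
    entries = load_entries(csv_text)
    report = []
    for i, row in enumerate(entries):
        if not is_system_user(row):
            continue
        follow_up = next(
            (e for e in entries[i + 1:]
             if e["device"] == row["device"] and not is_system_user(e)),
            None,  # no later named-user entry: conflict not yet followed up
        )
        report.append({
            "device": row["device"],
            "detected_at": row["timestamp"],
            "next_user": follow_up["last_user"] if follow_up else None,
            "next_at": follow_up["timestamp"] if follow_up else None,
        })
    return report

if __name__ == "__main__":
    for item in out_of_band_report(SAMPLE_CSV):
        print(item)
```
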
Active and Completed Change Log Entries
Change logs have a status of either active or completed. As you make changes to a device's configuration using CDO, those changes are recorded in an active change log entry. Reading a configuration from a device to CDO, deploying changes from CDO to a device, deleting a device from CDO, or running a CLI command that updates the running configuration file completes the active change log and creates a new one for future changes.
The following image is of an active change log entry in an ASA. Note the open circle next to the timestamp at left.
Finding Entries in the Change Log
Change log events are searchable and filterable. Use the search bar to find events that match your keywords. Use the filter to find the entries that meet all the criteria you specify. You can also combine the operations by filtering the change log and adding a keyword to the search field to find an entry within the filtered results.