Manage Change Logs in Security Cloud Control
A Change Log captures the configuration changes made in Security Cloud Control, providing a single view that includes changes in all the supported devices and services. These are some of the features of the change log:
-
Provides a side-by-side comparison of changes made to device configuration.
-
Provides labels for all change log entries.
-
Records onboarding and removal of devices.
-
Detects policy change conflicts occurring outside Security Cloud Control.
-
Provides answers about who, what, and when during an incident investigation or troubleshooting.
-
Enables downloading of the complete change log, or only a portion of it, as a CSV file.
Manage Change Log Capacity
Security Cloud Control retains the change log information for one year and deletes data older than a year.
There is a difference between the change log information stored in Security Cloud Control's database and what you see in an exported change log. See Export the Change Log for more information.
Change Log Entries
A change log entry reflects the changes to a single device configuration, an action performed on a device, or the change made to a device outside Security Cloud Control:
-
For change log entries that contain configuration changes, you can view details about the change by clicking anywhere in the corresponding row.
-
For out-of-band changes made outside Security Cloud Control and are detected as conflicts, the System User is reported as the Last User.
-
Security Cloud Control closes a change log entry after a device's configuration on Security Cloud Control is synced with the configuration on the device, or when a device is removed from Security Cloud Control. Configurations are considered to be in sync after they read the configuration from the device to Security Cloud Control or after deploying the configuration from Security Cloud Control to the device.
-
Security Cloud Control creates a new change log entry immediately after completing an existing entry, irrespective of whether the change was a success or failure. Additional configuration changes are added to the new change log entry that opens.
-
Events are displayed for read, deploy, and delete actions for a device. These actions close a device's change log.
-
A change log is closed after Security Cloud Control is in sync with the configuration on the device (either by reading or deploying), or when Security Cloud Control no longer manages the device.
-
If a change is made to the device outside of Security Cloud Control, a Conflict detected entry is included in the change log.
Pending and Completed Change Log Entries
Change logs have a status of either Pending or Completed. As you make changes to a device's configuration using Security Cloud Control, these changes are recorded in a Pending change log entry. The following activities complete a Pending change log, and after this a new change log is created for recording future changes.
-
Reading a configuration from a device to Security Cloud Control
-
Deploying changes from Security Cloud Control to a device
-
Deleting a device from Security Cloud Control
-
Running a CLI command that updates the running configuration file
The following image is a Pending change log entry in an ASA. This is denoted by the open circle next to the timestamp.
Search and Filter Change Log Entries
You can search and filter change log entries. Use the search field to find events. Use the filter () to find the entries that meet the criteria you specify. You can also combine the two tasks by filtering the change log and adding a keyword to the search field to find an entry within the filtered results.