Cisco CDR Reporting & Analytics | Installation Notes
Note this setup is surprisingly unlike how the CDR is collected from CUCM. We apologize for Cisco’s inconsistency.
First, upgrade the TA_cisco_cdr app on your forwarder(s) to the latest version.
Next upgrade to the latest version of the Cisco CDR and Canary apps if you haven’t already.
Next you will need to set up an FTP server. CUBE and vCUBE cannot use SSH or SFTP, so the SFTP server you may have already set up to collect CallManager's CDR cannot be used for the CUBE data.
On your FTP server, create a user and a new folder that the user can write files to. For our example setup, we will be using server 10.0.0.100 and a user named user with the password splunk. As our prefix for filenames, we will use cube_.
Validation steps:
After this is set up, you should be able to confirm via a manual test that this user can upload a file to the configured directory. Remember to delete the test file(s) when you are done.
Log into the router with an account with administrative permissions. Then, run the below listed commands to set up gw-accounting to file, change the cdr-format to “detailed”, configure the FTP server information, and tell the system to flush new data to file once per minute. Note the bold italic portions are ones you’ll change.
Be sure to change your server information in step 5 as appropriate.
Note especially that this accepts many of the default settings for buffer sizes and the number of reattempts. We assume these will work in most moderately sized installations, but please check and confirm them for your own environment.
We will now create a new “batch” input for the CUBE CDR files, similar to the ones you created for CUCM CDR and CMR.
Important note: this input will be set up to delete the files from disk as they go into Splunk. If you need this to not happen, please see the notes at the end of this section.
All these steps happen in your FTP server’s Splunk Universal Forwarder’s configuration files:
1) Create the monitor input by adding this config to an inputs.conf file located at “$SPLUNK_HOME/etc/apps/TA_cisco_cdr/local/inputs.conf”. This file should exist already, but if it does not, you may need to create the folder “local” and the file itself. Make sure the user Splunk runs under has permissions to this file and folder.
If your Universal Forwarder is on Windows, the contents of your inputs.conf will look like this:
[batch://D:\path\to\files\file_accounting\cube_*]
index = cisco_cdr
sourcetype = cube_cdr
move_policy = sinkhole
If your Universal Forwarder is on Linux or Unix, the input will look like this:
[batch:///path/to/files/file_accounting/cube_*]
index = cisco_cdr
sourcetype = cube_cdr
move_policy = sinkhole
NOTE: It is critical that no mistakes be made here. Only the path (after “batch://”) and possibly the index need editing. All else should be left exactly as it is.
Make sure :
NOTE: As mentioned above, this is a sinkhole input, and it will delete each file as it indexes it. Any existing csv files that exist in this directory will be indexed and deleted almost immediately, and any new files written to here will be indexed and deleted as they arrive. If you have other intentions for these files besides putting them in Splunk, please contact us, and we can help you come up with another solution.
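The following pre-flight check is an added example, not part of the original documentation or of the TA_cisco_cdr app. It parses an inputs.conf, confirms each batch stanza keeps the settings shown above and is limited to the cube_ prefix, and lists the files on this host that the sinkhole input would index and delete. The function name check_batch_inputs and the use of Python's glob to approximate Splunk's wildcard matching are assumptions of this example.

```python
import configparser
import glob
import os
import sys
from pathlib import Path

# Settings the page says must be left exactly as shown.
REQUIRED = {"sourcetype": "cube_cdr", "move_policy": "sinkhole"}
# The page's Linux stanza, used here as constructed sample input.
SAMPLE = """[batch:///path/to/files/file_accounting/cube_*]
index = cisco_cdr
sourcetype = cube_cdr
move_policy = sinkhole
"""


def check_batch_inputs(conf_text, prefix="cube_"):
    """Validate every [batch://...] stanza; return (problems, files_at_risk)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string("[__global__]\n" + conf_text)  # tolerate settings above the first stanza
    problems, at_risk = [], []
    stanzas = [s for s in cp.sections() if s.startswith("batch://")]
    if not stanzas:
        problems.append("no [batch://...] stanza found")
    for stanza in stanzas:
        pattern = stanza[len("batch://"):]
        name = pattern.replace("\\", "/").rsplit("/", 1)[-1]
        # A sinkhole input deletes what it reads, so the file glob must stay narrow.
        if not name.startswith(prefix):
            problems.append(f"{stanza}: glob '{name}' is not limited to '{prefix}' files")
        for key, want in REQUIRED.items():
            got = cp.get(stanza, key, fallback=None)
            if got != want:
                problems.append(f"{stanza}: {key} is {got!r}, expected {want!r}")
        if not cp.get(stanza, "index", fallback=None):
            problems.append(f"{stanza}: no index set")
        # Files already present would be indexed and deleted once the input is live.
        at_risk += sorted(p for p in glob.glob(pattern) if os.path.isfile(p))
    return problems, at_risk


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    problems, at_risk = check_batch_inputs(text)
    for p in problems:
        print("PROBLEM:", p)
    for f in at_risk:
        print("WILL BE DELETED AFTER INDEXING:", f)
    sys.exit(1 if problems else 0)
```

Run it on the forwarder with the path to the local inputs.conf as its only argument, before restarting Splunk; a non-zero exit status means at least one stanza needs attention.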
Contact us to set up a Webex! We can help confirm everything is working properly and help you start using this data.
If you have any comments at all about the documentation, please send them to docs@sideviewapps.com.
There are many ways to deploy, configure and update the Splunk Universal Forwarder. Here we cover a variety of the more advanced ways to handle updating the TA for Cisco CDR Reporting and Analytics.