Cisco CDR Reporting & Analytics | Installation Notes
While the CDR data has a lot of goodness and magic in it (disregarding it’s obtuseness and terseness), it doesn’t tell you things like when phones disconnect or deregister.
Lucky for us, that information can be gotten out of CallManager using syslog.
Please think of the following as more of a general guideline for getting this data out of CM and into Splunk. It’s not perfect, it’s not complete, but it is a good start and should help you get your feet wet.
Also, if you set this up and would like some help digging around in the resulting data and determining what it’s worth, then by all means shoot us an email – we’d be happy to help flesh this out more for you!
A new index needs to be created on your indexing tier. If you are standalone, you can do it through the UI under Settings, Indexes. For now, call it cucm_syslog.
Next, from inside the Cisco CDR app, click “Settings” in the top right, then “Advanced Search” then “Search Macros”. On the following page find the macro “custom_syslog_index” and change it accordingly. As of this writing this will only affect one panel on the Device Detail page but over time more areas will leverage this data.
Our first big task is to have syslog installed and available. This is very likely only going to be a concern if you run a single, standalone Splunk+Cisco CDR instance. If you have a bigger Splunk install than just our Cisco CDR Reporting and Analytics app, then you are likely ingesting syslog somewhere already. If you have a Splunk “Team,” then I’m *sure* you have syslog somewhere. Ask them about it after bringing them brownies or cake.
If you do not already have a syslog server, you will have to build one. This is a task far outside our bailiwick, but we can at least give you a few nudges in the right direction.
There are lots of places to go for help with this. Use the Search, Luke!
Depending on your needs, you’ll want either only one of the below two sections.
Assuming you did syslog-ng on a Linux VM, you will need to configure the syslog-ng instance to listen on the network and to create new directories for each new host it sees. To do this, you’ll want to edit syslog-ng’s configuration (locations vary, use your OS’es documentation on where it hides syslog configuration files), and add something like the below near the top of the file.
source s_network_udp { udp( port(514)); };
source s_network_tcp { syslog( port(514) transport("tcp")); };
destination d_syslogs { file ("/var/log/remote/${HOST}/log.txt"); };
log {source(s_network_udp); source(s_network_tcp); destination(d_syslogs); };
That would make directories for each host (either name or IP, depending on if it resolves) like ‘/var/log/remote/192.168.0.1/log.txt’. Restart syslog-ng after making those changes.
Note that this is a really simple, basic config. While it should work, we make no guarantees it’s appropriate for your environment. If you have problems with it, there are lots of forums and help documents available, but let us know what you find out!
After installing Kiwi Syslog Server, the only thing you’ll likely need to do is move the log file location.
Note that these are the minimum changes to get a working Kiwi Syslog Server installation working well enough for our needs. There may be other configurations you need to do for your own environment.
Here’s where there are choices to make on what you want to collect. This example is going to collect all the CallManager service information, which includes device registration/deregistration, resource allocation failures, and lots more. There are other options scattered all over the CUCM installation – finding them and interpreting them is an exercise left to the reader (although, down below there’s at least one more location mentioned).
You might want to also check the other services available – I’d suggest enabling only one at a time and carefully checking the license amounts they seem to take. If you have suggestions, please send them to us!
Now that we have this dumping data to syslog, let it run for an hour or two, then check the filesize of the created log.txt file and do a little math.
What you need to check is only that this amount of data isn’t likely to take you over the license. The file size isn’t exactly going to be the size ingested in Splunk, but it’s usually close enough to give you an idea if this is a good idea or not.
Also note that Splunk Enterprise lets you go over your allocated data amount up to 5 times in a rolling 30-day window (up to 3 times if you’re on a Trial Splunk license), so even if you “blow up your license” for a day, it’s not the end of the world. Perhaps ingesting one afternoon’s worth of data into Splunk would be useful just to see what answers you can really get out of it?
A warning though that if you have a “no enforcement” license, then “going over” isn’t really a concept; but if you consistently do it, at some point, Splunk will make you pay for that extra license.
If it’s not there already, install the UF on the syslog machine, and in the Splunk configuration tell it to read the files in a ‘local’ input.conf file:
However if you are using kiwi syslog, then do not set sourcetype to “syslog”. Instead set sourcetype to “cucm-kiwi-syslog”
[monitor:///var/log/remote/192.168.0.*/log.txt]
host_segment = 4
# NOTE: if you are using kiwi syslog, then uncomment the following line and comment out the sourcetype=syslog line.
#sourcetype = cucm_kiwi_syslog
sourcetype = syslog
index = cucm_syslog0
Obviously, that’s just a sample – you need to fix it up to your path!
After that, as long as your UF’s outputs are set right, you’ll have data coming in.
If you followed along and used the same Alarm settings as we outline above, you’ll get a variety of messages. Here are a few samples to gaze upon – take in their beauty!
%UC_CALLMANAGER-6-DeviceUnregistered:%[Device
name=CiscoUM1-VI3][Device IP address=10.10.20.18][Protocol=SCCP][Device
type=80][Device description=VM][Reason
Code=9][IPAddressAttributes=3][App ID=Cisco CallManager][Cluster
ID=LocalCluster][Node ID=hq-cucm-pub.abc.inc]: Device unregistered
%UC_CALLMANAGER-6-DeviceRegistered: %[Device
name=CiscoUM1-VI3][Device IP address=10.10.20.18][Protocol=SCCP][Device
type=80][Performance monitor object=2][Device description=VM][Associated
directory numbers=7003][IPAddressAttributes=3][App ID=Cisco
CallManager][Cluster ID=LocalCluster][Node ID=hq-cucm-pub.abc.inc]:
Device registered
%UC_CALLMANAGER-4-DeviceTransientConnection: %[Connecting
Port=50538][Device name=][Device IP Address=10.10.20.18][Device
type=255][Reason Code=6][Protocol=SCCP][IPAddressAttributes=0][App
ID=Cisco CallManager][Cluster ID=LocalCluster][Node
ID=hq-cucm-pub.abc.inc]: A device attempted to register but did not
complete registration
We have some “behind the scenes” extractions for those that you could apply (Contact us – we’ll probably make them more public soon, but for now we’d be happy to provide them to you!), but for just fiddling around and trying to find out what sort of useful information you can get, you could start with a search that does a bit of delimiter based extraction…
index="cucm_syslog" | extract pairdelim="[]" kvdelim="=" auto=f
If you run that search, a lot of useful fields should pop up on the left. Cluster_ID, Node_ID, Device_IP_Address, etc… From there, dig around like any other Splunk data!
Cisco has a variety of places that syslog output can be enabled. We talk about a few of the locations and services that they provide syslog ability for, but there’s also Cisco Unified CM Administration, System, Enterprise Parameters, and the section Cisco Syslog Agent, which gets system information too – both OS and hardware information and alarms.
Frankly, we’re not even SURE what all is available or how you might use it. The sky really is the limit, we think, but we aren’t *nearly* as hip to what’s in CUCM as you probably are, so tell us your ideas!
And, that concludes our wonderful foray into the wide world of Syslogging from CallManager.
If you have any comments at all about the documentation, please send them to docs@sideviewapps.com.