Configure CUCM to output Syslog
This is where you choose what you want to collect. This example collects all the CallManager service information, which includes device registration/deregistration, resource allocation failures, and lots more. There are other options scattered all over the CUCM installation – finding them and interpreting them is an exercise left to the reader (although at least one more location is mentioned down below).
- Open Cisco Unified Serviceability.
- Click Alarm, Configuration.
- Select your CUCM Voice/Video server and click Go.
- Select the Service Group CM Services and click Go.
- Select Service Cisco CallManager (Active) and click Go.
- You may or may not need to click “Apply to all nodes”, depending on your Voice infrastructure.
- Under the section Remote Syslogs:
  - Click the checkbox to Enable Alarm.
  - Enter the IP Address of your Syslog system in the first available Server Name # spot.
  - Change the Alarm Event Level to Informational.
  - Do NOT click the checkbox Exclude End Point Alarms.
- Click Save.
You might also want to check the other services available – I’d suggest enabling only one at a time and carefully checking the license amounts they seem to take. If you have suggestions, please send them to us!
Check Splunk license amounts
Now that we have CUCM dumping data to syslog, let it run for an hour or two, then check the file size of the created log.txt file and do a little math.
What you need to check is only that this amount of data isn’t likely to take you over the license. The file size isn’t exactly going to be the size ingested in Splunk, but it’s usually close enough to give you an idea if this is a good idea or not.
Also note that Splunk Enterprise lets you go over your allocated data amount up to 5 times in a rolling 30-day window (up to 3 times if you’re on a Trial Splunk license), so even if you “blow up your license” for a day, it’s not the end of the world. Perhaps ingesting one afternoon’s worth of data into Splunk would be useful just to see what answers you can really get out of it?
One warning, though: if you have a “no enforcement” license, then “going over” isn’t really a concept; but if you consistently do it, at some point Splunk will make you pay for that extra license.
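The "little math" above, carried through as an added example (not from the original post): it extrapolates the growth of log.txt to a full day, adds that to your existing daily Splunk usage, and counts over-quota days in a rolling 30-day window. The quota, the usage history and the sample sizes are constructed values, and the allowed-overage counts (5 for Enterprise, 3 for Trial) are taken from the wording above.

```python
MIB = 1024 ** 2
GIB = 1024 ** 3

def projected_daily_bytes(size_start, size_end, sample_hours):
    """Extrapolate log.txt growth over the sample window to a 24-hour day."""
    if sample_hours <= 0:
        raise ValueError("sample_hours must be positive")
    if size_end < size_start:
        raise ValueError("file shrank during the sample (rotated or truncated?)")
    return (size_end - size_start) / sample_hours * 24

def worst_window_overages(daily_bytes, quota_bytes, window_days=30):
    """Largest number of over-quota days found in any rolling window."""
    over = [b > quota_bytes for b in daily_bytes]
    worst = current = 0
    for i, flag in enumerate(over):
        current += flag
        if i >= window_days:
            current -= over[i - window_days]  # day that slid out of the window
        worst = max(worst, current)
    return worst

def assess(existing_daily, cucm_daily, quota_bytes, allowed=5, window_days=30):
    """Replay past daily usage with the projected CUCM volume added on top."""
    combined = [day + cucm_daily for day in existing_daily]
    worst = worst_window_overages(combined, quota_bytes, window_days)
    return {
        "cucm_gib_per_day": round(cucm_daily / GIB, 2),
        "peak_pct_of_quota": round(max(combined) / quota_bytes * 100, 1),
        "worst_window_overages": worst,
        "within_allowance": worst <= allowed,
    }

# Constructed sample data (assumptions, not measurements): a 10 GiB/day license,
# 35 days of existing usage at 8 GiB with a few 8.5 GiB days, and a log.txt
# that grew from 0 to 150 MiB during a 2-hour sample.
QUOTA = 10 * GIB
EXISTING = [8.0 * GIB] * 35
for busy_day in (3, 10, 17, 24, 31, 32, 33):
    EXISTING[busy_day] = 8.5 * GIB
CUCM_DAILY = projected_daily_bytes(0, 150 * MIB, sample_hours=2)

if __name__ == "__main__":
    print(assess(EXISTING, CUCM_DAILY, QUOTA))             # Enterprise allowance: 5
    print(assess(EXISTING, CUCM_DAILY, QUOTA, allowed=3))  # Trial allowance: 3
```

The projection is linear, so a sample taken during the busiest calling hours overstates the daily total and one taken off-hours understates it.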