how to log SIP messages to a syslog server?

Unanswered Question
Feb 10th, 2009


i would like to log SIP massages to our syslog server, as of now our syslog server does not see the SIP logging, we get the normal screen logging, as if there was no SIP involved in the call.

Is there a way that i may add more information to the syslog massages so it is aware of the SIP calls?

as like the debug ccsip all, for example but i would like the outpot to ge to my syslog server.

any ideas in the matter would be appriciated.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Nicholas Matthews Tue, 02/10/2009 - 13:59

Hi R.,

You will want to use these commands for enabling syslogging:

Router(config)#no logging console

Router(config)#no logging monitor

Router(config)#service timestamps log datetime msec local

Router(config)#service sequence


Router(config)#logging trap debug

Be careful about 'debug ccsip all' - it is very verbose and can cause high CPU depending on your call rate. Generally, just running 'debug ccsip messages' is sufficient unless you have a very specific SIP problem you are monitoring.

hope this helps.

-nick Tue, 02/10/2009 - 14:46

Hey Nick,

Thanks for the reply, unfortunately i have my router configured this yet i am unable to see any SIP massages in the syslog, have a look:

2009-02-10 12:43:49 Local7.Info 605903: 455972: Feb 10 20:43:46.272: %IVR-6-APP_INFO: Call ANI: 8187 Call DNIS: 866 Call Destination: 0119723Tue Feb 10 12:43:46 PST 2009

2009-02-10 12:44:00 Local7.Info 605945: 456002: Feb 10 20:43:57.644: %CALLTRKR-6-CALL_RECORD: ct_hndl=307423, service=None, origin=Originate, category=Modem, DS0 slot/port/ds1/chan=6/0/0/21, called=011972, calling=8187, resource slot/port=(n/a)/(n/a), userid=(n/a), ip=, account id=(n/a), setup=02/10/2009 12:43:18, conn=0.00, phys=0.00, service=0.00, authen=0.00, init-rx/tx b-rate=0/0, rx/tx chars=0/0, time=23.17, disc subsys=ISDN, disc code=0x10, disc text=Normal call clearing

2009-02-10 12:47:53 Local7.Info 606448: 456384: Feb 10 20:47:49.419: %IVR-6-APP_INFO: Call ANI: 9722 Call DNIS: 86666 Call Destination: 0119 Tue Feb 10 12:47:49 PST 2009

2009-02-10 12:47:58 Local7.Info 606470: 456401: Feb 10 20:47:55.011: %CALLTRKR-6-CALL_RECORD: ct_hndl=307670, service=None, origin=Originate, category=Modem, DS0 slot/port/ds1/chan=7/4/4/21, called=011972, calling=972, resource slot/port=(n/a)/(n/a), userid=(n/a), ip=, account id=(n/a), setup=02/10/2009 12:47:18, conn=25.29, phys=0.00, service=0.00, authen=0.00, init-rx/tx b-rate=0/0, rx/tx chars=0/0, time=26.60, disc subsys=ISDN, disc code=0x10, disc text=Normal call clearing

let me know if you have any more ideas, for the record the device is a AS5400.


Jonathan Tue, 02/10/2009 - 15:50

Hey Nick,

I have found part of the solution, since these is a VoIP communication (as i would like to see the SIP) i needed to trun on the gw-accounting syslog command.

who would have thought of that.

but know i am able to see my voip syslog massages check it out:

74006: Feb 10 23:30:29.733: %VOIPAAA-5-VOIP_CALL_HISTORY: CallLegType 1, ConnectionId 912EBB42 F70111DD A4319636 4AC87078, SetupTime 15:30:16.203 PST Tue Feb 10 2009, PeerAddress 011972, PeerSubAddress , DisconnectCause 10 , DisconnectText normal call clearing (16), ConnectTime 15:30:29.733 PST Tue Feb 10 2009, DisconnectTime 15:30:29.733 PST Tue Feb 10 2009, CallOrigin 1, ChargedUnits 0, InfoType 2, TransmitPackets 551, TransmitBytes 86729, ReceivePackets 51, ReceiveBytes 8001

here is what i got for the show:

wtild1#sh run | i log

service timestamps log datetime msec

logging buffered 20000 debugging

no logging rate-limit

no logging monitor

aaa authentication login h323_3 group npts

aaa authentication login h323 group wti

aaa authentication login h323_4 group usis

aaa authentication login h323_2 group cti

aaa authentication login h323_5 group intera

aaa authentication login h323_6 group ikn

aaa authentication login h323_7 group bill

gw-accounting syslog

logging history debugging

logging trap debugging

logging 10.10.1.

logging 10.10.1.

logging synchronous

there is nothing under the show debug.

are there any more command you may think of that i may turn on to have some more logging information?

as we use a few SIP servers, i would like to know which one was used for which call for example.

Once again, you help is well appreciated.


Nicholas Matthews Tue, 02/10/2009 - 16:54

Hi J,

It looks like now you just need to turn the debugging on.

'debug ccsip messages'

You may want to think about adding an EEM script to add this debug in when the router reloads, because they are not added back when it reloads:

event manager applet ADD-DEBUGS

event syslog pattern "SYS-5-RESTART"

action 01.0 syslog msg "Adding Debugs"

action 02.0 cli command "enable"

action 03.0 cli command "debug ccsip messages"

This will make sure your SIP debugging is persistent.

Hope this helps.

-nick Tue, 02/10/2009 - 17:03


Very nice there nick i would have never though about that, may you tell me how do i add this script (as in the command perhaps).

to be honest i have never heard of that, personally i am a r/s and firewall guy, but in this case i am tasked with this mission.

also is there any way to show the (ConnectionId 912EBB42 F70111DD A4319636 4AC87078) from the log in the PSTN calls?

as i would like to associate the call legs together (PSTN & Voip) in the syslog server.

would make sense......

thank you.

Jonathan Tue, 02/10/2009 - 17:12

helo on there boss, i think got you wrong i my ios dont support that one, check it out:


% Unrecognized command



% Invalid input detected at '^' marker.


% Unrecognized command



old ios i know i know.


Nicholas Matthews Tue, 02/10/2009 - 17:48

Hi Johnathan,

It looks like it's not a supported feature on your IOS. I believe you'll need 12.3T or 12.4 mainline to run these commands.

You can use the IOS feature navigator to find out if Embedded Event Manager (EEM) is something in your IOS version you would like to go to.

If you don't reload or power down your gateways very often, this isn't that big of a deal. You can just 'debug ccsip messages' when you know you're going to reload.

And about the tracking - generally you track it based on the calling/called numbers. It's easy to find these in the SIP messaging against the PSTN leg if you need to.


nick Tue, 02/10/2009 - 17:51

hey N.

we are actually in the process off upgrading the ios, which will solve many problems.

how about that connection ID? is there any way to associate the voip and pstn syslog massages?

tag all call legs with a common id (connection id).



Nicholas Matthews Tue, 02/10/2009 - 18:03

Hi Johnathan,

There isn't a clean and easy way to relate the call ID to the SIP debugs. You can run 'debug voip ccapi inout' and it will show you there.

SIP messages don't have the CCAPI call ID. You could run aaa accounting for the gateway, but you're going to get a larger version of the message you're already getting, and it won't help you correlate the SIP messages either.

Generally, if you need to investigate a call, the calling and called numbers are used.




This Discussion