cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7594
Views
5
Helpful
12
Replies

how to log SIP messages to a syslog server?

hirasta
Level 1
Level 1

hello,

i would like to log SIP massages to our syslog server, as of now our syslog server does not see the SIP logging, we get the normal screen logging, as if there was no SIP involved in the call.

Is there a way that i may add more information to the syslog massages so it is aware of the SIP calls?

as like the debug ccsip all, for example but i would like the outpot to ge to my syslog server.

any ideas in the matter would be appriciated.

Thanks,

R.

12 Replies 12

Hi R.,

You will want to use these commands for enabling syslogging:

Router(config)#no logging console

Router(config)#no logging monitor

Router(config)#service timestamps log datetime msec local

Router(config)#service sequence

Router(config)#logging

Router(config)#logging trap debug

Be careful about 'debug ccsip all' - it is very verbose and can cause high CPU depending on your call rate. Generally, just running 'debug ccsip messages' is sufficient unless you have a very specific SIP problem you are monitoring.

hope this helps.

-nick

Hey Nick,

Thanks for the reply, unfortunately i have my router configured this yet i am unable to see any SIP massages in the syslog, have a look:

2009-02-10 12:43:49 Local7.Info 10.10.1.100 605903: 455972: Feb 10 20:43:46.272: %IVR-6-APP_INFO: Call ANI: 8187 Call DNIS: 866 Call Destination: 0119723Tue Feb 10 12:43:46 PST 2009

2009-02-10 12:44:00 Local7.Info 10.10.1.100 605945: 456002: Feb 10 20:43:57.644: %CALLTRKR-6-CALL_RECORD: ct_hndl=307423, service=None, origin=Originate, category=Modem, DS0 slot/port/ds1/chan=6/0/0/21, called=011972, calling=8187, resource slot/port=(n/a)/(n/a), userid=(n/a), ip=0.0.0.0, account id=(n/a), setup=02/10/2009 12:43:18, conn=0.00, phys=0.00, service=0.00, authen=0.00, init-rx/tx b-rate=0/0, rx/tx chars=0/0, time=23.17, disc subsys=ISDN, disc code=0x10, disc text=Normal call clearing

2009-02-10 12:47:53 Local7.Info 10.10.1.100 606448: 456384: Feb 10 20:47:49.419: %IVR-6-APP_INFO: Call ANI: 9722 Call DNIS: 86666 Call Destination: 0119 Tue Feb 10 12:47:49 PST 2009

2009-02-10 12:47:58 Local7.Info 10.10.1.100 606470: 456401: Feb 10 20:47:55.011: %CALLTRKR-6-CALL_RECORD: ct_hndl=307670, service=None, origin=Originate, category=Modem, DS0 slot/port/ds1/chan=7/4/4/21, called=011972, calling=972, resource slot/port=(n/a)/(n/a), userid=(n/a), ip=0.0.0.0, account id=(n/a), setup=02/10/2009 12:47:18, conn=25.29, phys=0.00, service=0.00, authen=0.00, init-rx/tx b-rate=0/0, rx/tx chars=0/0, time=26.60, disc subsys=ISDN, disc code=0x10, disc text=Normal call clearing

let me know if you have any more ideas, for the record the device is a AS5400.

Thanks,

Jonathan

Can you send 'show run | i log' and 'show debug'?

Hey Nick,

I have found part of the solution, since these is a VoIP communication (as i would like to see the SIP) i needed to trun on the gw-accounting syslog command.

who would have thought of that.

but know i am able to see my voip syslog massages check it out:

74006: Feb 10 23:30:29.733: %VOIPAAA-5-VOIP_CALL_HISTORY: CallLegType 1, ConnectionId 912EBB42 F70111DD A4319636 4AC87078, SetupTime 15:30:16.203 PST Tue Feb 10 2009, PeerAddress 011972, PeerSubAddress , DisconnectCause 10 , DisconnectText normal call clearing (16), ConnectTime 15:30:29.733 PST Tue Feb 10 2009, DisconnectTime 15:30:29.733 PST Tue Feb 10 2009, CallOrigin 1, ChargedUnits 0, InfoType 2, TransmitPackets 551, TransmitBytes 86729, ReceivePackets 51, ReceiveBytes 8001

here is what i got for the show:

wtild1#sh run | i log

service timestamps log datetime msec

logging buffered 20000 debugging

no logging rate-limit

no logging monitor

aaa authentication login h323_3 group npts

aaa authentication login h323 group wti

aaa authentication login h323_4 group usis

aaa authentication login h323_2 group cti

aaa authentication login h323_5 group intera

aaa authentication login h323_6 group ikn

aaa authentication login h323_7 group bill

gw-accounting syslog

logging history debugging

logging trap debugging

logging 10.10.1.

logging 10.10.1.

logging synchronous

there is nothing under the show debug.

are there any more command you may think of that i may turn on to have some more logging information?

as we use a few SIP servers, i would like to know which one was used for which call for example.

Once again, you help is well appreciated.

J.

Hi J,

It looks like now you just need to turn the debugging on.

'debug ccsip messages'

You may want to think about adding an EEM script to add this debug in when the router reloads, because they are not added back when it reloads:

event manager applet ADD-DEBUGS

event syslog pattern "SYS-5-RESTART"

action 01.0 syslog msg "Adding Debugs"

action 02.0 cli command "enable"

action 03.0 cli command "debug ccsip messages"

This will make sure your SIP debugging is persistent.

Hope this helps.

-nick

Hello,

Very nice there nick i would have never though about that, may you tell me how do i add this script (as in the command perhaps).

to be honest i have never heard of that, personally i am a r/s and firewall guy, but in this case i am tasked with this mission.

also is there any way to show the (ConnectionId 912EBB42 F70111DD A4319636 4AC87078) from the log in the PSTN calls?

as i would like to associate the call legs together (PSTN & Voip) in the syslog server.

would make sense......

thank you.

Jonathan

helo on there boss, i think got you wrong i my ios dont support that one, check it out:

w1(config)#ev?

% Unrecognized command

w1(config)#ev

^

% Invalid input detected at '^' marker.

w1(config)#act?

% Unrecognized command

w1(config)#act

???

old ios i know i know.

J.

Hi Johnathan,

It looks like it's not a supported feature on your IOS. I believe you'll need 12.3T or 12.4 mainline to run these commands.

You can use the IOS feature navigator to find out if Embedded Event Manager (EEM) is something in your IOS version you would like to go to.

If you don't reload or power down your gateways very often, this isn't that big of a deal. You can just 'debug ccsip messages' when you know you're going to reload.

And about the tracking - generally you track it based on the calling/called numbers. It's easy to find these in the SIP messaging against the PSTN leg if you need to.

hth,

nick

hey N.

we are actually in the process off upgrading the ios, which will solve many problems.

how about that connection ID? is there any way to associate the voip and pstn syslog massages?

tag all call legs with a common id (connection id).

Regards,

J.

Hi Johnathan,

There isn't a clean and easy way to relate the call ID to the SIP debugs. You can run 'debug voip ccapi inout' and it will show you there.

SIP messages don't have the CCAPI call ID. You could run aaa accounting for the gateway, but you're going to get a larger version of the message you're already getting, and it won't help you correlate the SIP messages either.

Generally, if you need to investigate a call, the calling and called numbers are used.

hth,

nick

Hey Nick,

Thanks for all the help, well appreciated.

J.

matthias.meier1
Level 1
Level 1

Hi @hirasta @Nicholas Matthews 

i have the same issue. I can see some voip syslog logs in the Cisco Prime but no SIP messages. I did it liek described above but no sip messages :-(. Did that work for you @hirasta ?

Thanks!

Regards,

Matthias

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: