i would like to log SIP massages to our syslog server, as of now our syslog server does not see the SIP logging, we get the normal screen logging, as if there was no SIP involved in the call.
Is there a way that i may add more information to the syslog massages so it is aware of the SIP calls?
as like the debug ccsip all, for example but i would like the outpot to ge to my syslog server.
any ideas in the matter would be appriciated.
You will want to use these commands for enabling syslogging:
Router(config)#no logging console
Router(config)#no logging monitor
Router(config)#service timestamps log datetime msec local
Router(config)#logging trap debug
Be careful about 'debug ccsip all' - it is very verbose and can cause high CPU depending on your call rate. Generally, just running 'debug ccsip messages' is sufficient unless you have a very specific SIP problem you are monitoring.
hope this helps.
Thanks for the reply, unfortunately i have my router configured this yet i am unable to see any SIP massages in the syslog, have a look:
2009-02-10 12:43:49 Local7.Info 10.10.1.100 605903: 455972: Feb 10 20:43:46.272: %IVR-6-APP_INFO: Call ANI: 8187 Call DNIS: 866 Call Destination: 0119723Tue Feb 10 12:43:46 PST 2009
2009-02-10 12:44:00 Local7.Info 10.10.1.100 605945: 456002: Feb 10 20:43:57.644: %CALLTRKR-6-CALL_RECORD: ct_hndl=307423, service=None, origin=Originate, category=Modem, DS0 slot/port/ds1/chan=6/0/0/21, called=011972, calling=8187, resource slot/port=(n/a)/(n/a), userid=(n/a), ip=0.0.0.0, account id=(n/a), setup=02/10/2009 12:43:18, conn=0.00, phys=0.00, service=0.00, authen=0.00, init-rx/tx b-rate=0/0, rx/tx chars=0/0, time=23.17, disc subsys=ISDN, disc code=0x10, disc text=Normal call clearing
2009-02-10 12:47:53 Local7.Info 10.10.1.100 606448: 456384: Feb 10 20:47:49.419: %IVR-6-APP_INFO: Call ANI: 9722 Call DNIS: 86666 Call Destination: 0119 Tue Feb 10 12:47:49 PST 2009
2009-02-10 12:47:58 Local7.Info 10.10.1.100 606470: 456401: Feb 10 20:47:55.011: %CALLTRKR-6-CALL_RECORD: ct_hndl=307670, service=None, origin=Originate, category=Modem, DS0 slot/port/ds1/chan=7/4/4/21, called=011972, calling=972, resource slot/port=(n/a)/(n/a), userid=(n/a), ip=0.0.0.0, account id=(n/a), setup=02/10/2009 12:47:18, conn=25.29, phys=0.00, service=0.00, authen=0.00, init-rx/tx b-rate=0/0, rx/tx chars=0/0, time=26.60, disc subsys=ISDN, disc code=0x10, disc text=Normal call clearing
let me know if you have any more ideas, for the record the device is a AS5400.
I have found part of the solution, since these is a VoIP communication (as i would like to see the SIP) i needed to trun on the gw-accounting syslog command.
who would have thought of that.
but know i am able to see my voip syslog massages check it out:
74006: Feb 10 23:30:29.733: %VOIPAAA-5-VOIP_CALL_HISTORY: CallLegType 1, ConnectionId 912EBB42 F70111DD A4319636 4AC87078, SetupTime 15:30:16.203 PST Tue Feb 10 2009, PeerAddress 011972, PeerSubAddress , DisconnectCause 10 , DisconnectText normal call clearing (16), ConnectTime 15:30:29.733 PST Tue Feb 10 2009, DisconnectTime 15:30:29.733 PST Tue Feb 10 2009, CallOrigin 1, ChargedUnits 0, InfoType 2, TransmitPackets 551, TransmitBytes 86729, ReceivePackets 51, ReceiveBytes 8001
here is what i got for the show:
wtild1#sh run | i log
service timestamps log datetime msec
logging buffered 20000 debugging
no logging rate-limit
no logging monitor
aaa authentication login h323_3 group npts
aaa authentication login h323 group wti
aaa authentication login h323_4 group usis
aaa authentication login h323_2 group cti
aaa authentication login h323_5 group intera
aaa authentication login h323_6 group ikn
aaa authentication login h323_7 group bill
logging history debugging
logging trap debugging
there is nothing under the show debug.
are there any more command you may think of that i may turn on to have some more logging information?
as we use a few SIP servers, i would like to know which one was used for which call for example.
Once again, you help is well appreciated.
It looks like now you just need to turn the debugging on.
'debug ccsip messages'
You may want to think about adding an EEM script to add this debug in when the router reloads, because they are not added back when it reloads:
event manager applet ADD-DEBUGS
event syslog pattern "SYS-5-RESTART"
action 01.0 syslog msg "Adding Debugs"
action 02.0 cli command "enable"
action 03.0 cli command "debug ccsip messages"
This will make sure your SIP debugging is persistent.
Hope this helps.
Very nice there nick i would have never though about that, may you tell me how do i add this script (as in the command perhaps).
to be honest i have never heard of that, personally i am a r/s and firewall guy, but in this case i am tasked with this mission.
also is there any way to show the (ConnectionId 912EBB42 F70111DD A4319636 4AC87078) from the log in the PSTN calls?
as i would like to associate the call legs together (PSTN & Voip) in the syslog server.
would make sense......
helo on there boss, i think got you wrong i my ios dont support that one, check it out:
% Unrecognized command
% Invalid input detected at '^' marker.
% Unrecognized command
old ios i know i know.
It looks like it's not a supported feature on your IOS. I believe you'll need 12.3T or 12.4 mainline to run these commands.
You can use the IOS feature navigator to find out if Embedded Event Manager (EEM) is something in your IOS version you would like to go to.
If you don't reload or power down your gateways very often, this isn't that big of a deal. You can just 'debug ccsip messages' when you know you're going to reload.
And about the tracking - generally you track it based on the calling/called numbers. It's easy to find these in the SIP messaging against the PSTN leg if you need to.
we are actually in the process off upgrading the ios, which will solve many problems.
how about that connection ID? is there any way to associate the voip and pstn syslog massages?
tag all call legs with a common id (connection id).
There isn't a clean and easy way to relate the call ID to the SIP debugs. You can run 'debug voip ccapi inout' and it will show you there.
SIP messages don't have the CCAPI call ID. You could run aaa accounting for the gateway, but you're going to get a larger version of the message you're already getting, and it won't help you correlate the SIP messages either.
Generally, if you need to investigate a call, the calling and called numbers are used.