Help with parsing VOIP CDR logs

reswob101 · ‎03-28-2016

I posted this question in the wrong forum last week. The situation is that I'm being sent VOIP CDR logs and I need to understand how to parse them.

First, I just want to apologize for jumping in this forum with this seemingly simple question, but so far I have not been able to google the answer.

For example, I'm getting logs such as these (from http://www.cisco.com/c/en/us/support/docs/voice/h323/14068-cdr-logging.html):

router#

!--- This output is for the forward call leg.

Jun 18 11:15:02.867: %VOIPAAA-5-VOIP_CALL_HISTORY: CallLegType 1, ConnectionId BA55719E
F8C10015 0 1B1E08, SetupTime 11:14:39.367 UTC Mon
Jun 18 2001, PeerAddress 68575, PeerSubAddress , DisconnectCause 10 , DisconnectText
normal call clearing., ConnectTime 11:14:49.707 UTC Mon
Jun 18 2001, DisconnectTime 11:15:02.867 UTC Mon Jun 18 2001, CallOrigin 2,
ChargedUnits 0, InfoType 2, TransmitPackets 1509, TransmitBytes 102600,
ReceivePackets 1510, ReceiveBytes 138920

router#

!--- This output is for the reverse call leg.

Jun 18 11:15:02.983: %VOIPAAA-5-VOIP_CALL_HISTORY: CallLegType 1, ConnectionId BA55719E
F8C10015 0 1B1E08, SetupTime 11:14:41.683 UTC Mon
Jun 18 2001, PeerAddress 2887, PeerSubAddress , DisconnectCause 10 , DisconnectText
normal call clearing., ConnectTime 11:14:49.703 UTC Mon
Jun 18 2001, DisconnectTime 11:15:02.983 UTC Mon Jun 18 2001, CallOrigin 1,
ChargedUnits 0, InfoType 2, TransmitPackets 1510, TransmitBytes 102692,
ReceivePackets 1509, ReceiveBytes 138828

and I'm also getting logs such as these (from https://supportforums.cisco.com/discussion/11382916/cisco-syslog-billing-software)

Jan 5 18:21:49.817: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:01/05/2012 18:21:34.254,cgn:3333,cdn:1023,frs:0,fid:1013,fcid:EDD6080E370011E18A2BC77F1C86C06D,legID:455,bguid:EDD6080E370011E18A2BC77F1C86C06D

What I'm trying to do is build tables in my SIEM showing what number called what number and for how long.

But I don't know if cgn is the originating number or if cdn is the originating number?

Also, what is the meaning of CallLegType 1 or 2?

And can I tie the VOIP_CALL_HISTORY to the VOIP_FEAT_HISTORY somehow?

It seems I would need some kind of document similar to http://www.cisco.com/c/en/us/td/docs/ios/voice/cdr/developer/guide/cdrdev/cdrover.html, but for syslog and that link has details for RADIUS and File accounting but not for syslog accounting.

the transmit and receive stuff is simple enough as well as the startup, connect and disconnect times.

Vaijanath Sonvane · ‎03-28-2016

Hi,

Please see below details:

cgn: Calling Number or Originating Number

cdn: Called Number or Destination Number

frs: Feature Status

fid: Feature ID

A voice call over a packet network is segmented into discrete call legs. These are associated with dial-peers (a dial-peer is associated with each call leg). A call leg is a logical connection between two router/gateways or between a router/gateway and an IP Telephony device (for example Cisco CallManager, SIP Server, and so forth)

Follow below link for more details:

http://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/12164-dialpeer-call-leg.html

When a VoIP call is made, it places a call in the forward direction to the destination. The destination makes a return call to get a full duplex VoIP connection to occur. Therefore, there is a CDR for the forward leg, and a second CDR for the return leg. The forward call leg has a call origin of 2 while the return call leg has a call origin of 1.

Follow below link for more details:

http://www.cisco.com/c/en/us/support/docs/voice/h323/14068-cdr-logging.html

Thanks,

Vaijanath

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.