Showing results for 
Search instead for 
Did you mean: 
Walkthrough Wednesdays

Sending Cucm system logs to Syslog (splunk)

many, many years ago syslog was setup on my pub's and subs. Now running 11.5 SU2.


the syslog output i get are phones registering, de-registering, gateways going up/down, sip trunks going up/down, hunt groups running out of numbers, etc. If the pub or sub "farts" we get it in the syslog.


Now want to do this for a friend running 12.5. but where?


I looked in my Publisher,  Enterprise parameters > Cisco Syslog Agent > Remote Syslog servers 1-5. I have no syslog IP's configured there.Also,  Serviceability > Tools > Audit Logs. Nothing there for syslog


Is their a command line option we used years ago (I didn't setup the system) ?


Where else can syslog be setup for forward to the system logs  a remote server?


If I config syslog in "Remote Syslog Servers" under enterprise parameters, will this push out the config to the Subscribers , or do I have to setup each sub this way also?


Do changes in "Enterprise parameters" require a reboot?


Roger Kallberg
VIP Advisor

I asked a similar question to TAC a few mounts ago and this is the answer I got.

1. The least possible effort is the global setting at the Enterprise Parameters, yet set one Severity Level and it is applicable for every alarm catalog. If you want to more control then Serviceability allows you to apply Severity Levels per Alarm Catalog.

2.a Do we have to set Enable Alarm under Remote Syslog on the services that we want to collect data from?
From the guide, you can see that it mentioned the “Enable Alarm for Local Syslog’s” in the table of Alarm Configuration Settings, even though the service may not support the settings.

Enable Alarm for Remote Syslog’s: The Syslog file serves as the alarm destination. Check this checkbox to enable the Syslog messages to be stored on a Syslog server and to specify the Syslog server name. If this destination is enabled and no server name is specified, Cisco Unified Serviceability does not send the Syslog messages.

The configured AMC primary and failover collectors use the remote Syslog settings. The remote Syslog settings used by the collectors are those configured on the respective individual nodes.

If the remote Syslog is only configured on AMC primary collector without configuring remote Syslog on AMC failover collector and failover occurs in AMC primary collector, then no remote Syslog will be generated.

You must configure exactly the same settings on all nodes, to send the remote Syslog alarms to the same remote Syslog server.

When a failover occurs in AMC controller or when the collector configuration changes to a different node, the remote Syslog settings on a backup or newly configured node are used.

To prevent too many alarms flooding the system, you can check the Exclude End Point Alarms checkbox. This ensures that the endpoint phone-related events get logged into a separate file.

Exclude End Point Alarms check box is displayed only for the Call Manager services and is not checked by default. You need to check the Apply to All Nodes also when you check this checkbox. The configuration options for endpoint alarms are listed in Alarm configuration settings.

2.b Do you have to set an IP for Server Name 1 on each service? is it enough to define a Syslog server under enterprise parameters?

Yes, you need to set an IP address for the Syslog server under each service alarm configuration, regardless you defined a Syslog server IP address under the enterprise parameters configuration or not.

Please rate all useful posts

Does setting syslog under global setting at the Enterprise Parameters require a reboot, or start/stop of services?

I get VERY nervous making changes in "Enterprise Parameters".

would rather go in via SSH and issues command line commands that visit that webpage!


No it doesn’t require a reboot or restart of any service.

Please rate all useful posts
Content for Community-Ad

Spotlight Awards 2021