Sending Cucm system logs to Syslog (splunk)

dmooreami (Level 3)

Many, many years ago syslog was set up on my pubs and subs. Now running 11.5 SU2.

The syslog output I get is phones registering and de-registering, gateways going up/down, SIP trunks going up/down, hunt groups running out of numbers, etc. If the pub or sub "farts" we get it in the syslog.

Now I want to do this for a friend running 12.5, but where?

I looked in my Publisher, Enterprise Parameters > Cisco Syslog Agent > Remote Syslog Servers 1-5. I have no syslog IPs configured there. Also, Serviceability > Tools > Audit Logs. Nothing there for syslog.

Is there a command line option we used years ago (I didn't set up the system)?

Where else can syslog be set up to forward the system logs to a remote server?

If I configure syslog in "Remote Syslog Servers" under Enterprise Parameters, will this push out the config to the Subscribers, or do I have to set up each sub this way also?

Do changes in "Enterprise Parameters" require a reboot?


4 Replies

I asked a similar question to TAC a few months ago and this is the answer I got.

1. The least possible effort is the global setting at the Enterprise Parameters, yet it sets one Severity Level and it is applicable for every alarm catalog. If you want more control then Serviceability allows you to apply Severity Levels per Alarm Catalog.


2.a Do we have to set Enable Alarm under Remote Syslog on the services that we want to collect data from?
From the guide, you can see that it mentions the “Enable Alarm for Local Syslog’s” in the table of Alarm Configuration Settings, even though the service may not support the settings.

Enable Alarm for Remote Syslog’s: The Syslog file serves as the alarm destination. Check this checkbox to enable the Syslog messages to be stored on a Syslog server and to specify the Syslog server name. If this destination is enabled and no server name is specified, Cisco Unified Serviceability does not send the Syslog messages.

The configured AMC primary and failover collectors use the remote Syslog settings. The remote Syslog settings used by the collectors are those configured on the respective individual nodes.

If the remote Syslog is only configured on AMC primary collector without configuring remote Syslog on AMC failover collector and failover occurs in AMC primary collector, then no remote Syslog will be generated.

You must configure exactly the same settings on all nodes, to send the remote Syslog alarms to the same remote Syslog server.

When a failover occurs in AMC controller or when the collector configuration changes to a different node, the remote Syslog settings on a backup or newly configured node are used.

To prevent too many alarms flooding the system, you can check the Exclude End Point Alarms checkbox. This ensures that the endpoint phone-related events get logged into a separate file.

Exclude End Point Alarms check box is displayed only for the Call Manager services and is not checked by default. You need to check the Apply to All Nodes also when you check this checkbox. The configuration options for endpoint alarms are listed in Alarm configuration settings.

2.b Do you have to set an IP for Server Name 1 on each service? Is it enough to define a Syslog server under enterprise parameters?

Yes, you need to set an IP address for the Syslog server under each service alarm configuration, regardless of whether you defined a Syslog server IP address under the enterprise parameters configuration or not.


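An added example, not from the thread or from Cisco: a small Python audit over per-node alarm settings (a constructed record layout, with hypothetical node names and server address) that flags the two traps the reply above describes, a node with remote syslog enabled but no server name, and nodes whose settings differ from each other.

```python
# Added example: audit per-node alarm configuration for the pitfalls described in the
# TAC reply. The record layout, node names and server address are constructed stand-ins,
# not a CUCM export format.
from collections import defaultdict

# Constructed sample: one record per (node, service), as read off
# Serviceability > Alarm > Configuration on each node.
ALARM_CONFIG = [
    {"node": "cucm-pub", "service": "Cisco CallManager", "remote_syslog": True,
     "server": "10.0.0.50", "severity": "Informational", "exclude_endpoint_alarms": True},
    {"node": "cucm-sub1", "service": "Cisco CallManager", "remote_syslog": True,
     "server": "10.0.0.50", "severity": "Informational", "exclude_endpoint_alarms": False},
    {"node": "cucm-sub2", "service": "Cisco CallManager", "remote_syslog": True,
     "server": "", "severity": "Informational", "exclude_endpoint_alarms": True},
]


def audit_remote_syslog(records):
    """Return a list of findings; an empty list means every node agrees and nothing is silently dropped."""
    findings = []
    by_service = defaultdict(list)
    for r in records:
        # Remote syslog enabled with no server name: Serviceability sends nothing from that node.
        if r["remote_syslog"] and not r["server"].strip():
            findings.append(f'{r["node"]}/{r["service"]}: remote syslog enabled but no server name set')
        by_service[r["service"]].append(r)
    # The collectors use the settings of whichever node is active after a failover,
    # so every node must carry identical remote syslog settings.
    compare = ("remote_syslog", "server", "severity", "exclude_endpoint_alarms")
    for service, rows in by_service.items():
        baseline = rows[0]
        for r in rows[1:]:
            for key in compare:
                if r[key] != baseline[key]:
                    findings.append(f'{r["node"]}/{service}: {key}={r[key]!r} differs from '
                                    f'{baseline["node"]} ({baseline[key]!r})')
    return findings


if __name__ == "__main__":
    for finding in audit_remote_syslog(ALARM_CONFIG):
        print("WARN", finding)
```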
Does setting syslog under global setting at the Enterprise Parameters require a reboot, or start/stop of services?

I get VERY nervous making changes in "Enterprise Parameters".

I would rather go in via SSH and issue command line commands than visit that webpage!

No, it doesn’t require a reboot or restart of any service.


KhanalZ (Level 1)

I am also planning to set up Splunk as a syslog server and this conversation is helpful to me. Just wanted to validate my understanding that if I use the Enterprise Parameters, it applies to all UC nodes and sets the same severity level for all alerts. However, if I want more granularity in terms of which services or severity level, then I use the Serviceability page, right? What happens if I choose Enterprise Parameters and the Serviceability page? Does it send 2 copies of the same logs to Splunk for the services I specify in the Serviceability page?
