Configuring Splunk with SIP messaging for troubleshooting

vitkop1
New Member

Hi There,

We have logging enabled for our SIP Cisco UBE SBC and Splunk.

The data is available in Splunk at this moment in time although we will be using this data for troubleshooting purposes and the data gets manipulated in a way which makes it hard to read and understand.

Is there a way to keep the formatting the same? I.e. when extracting from Splunk you can see the latest date/time is at the top; also, Splunk has added a date/time and changed the format.

An example below (extracted from Splunk):

Nov 25 14:10:59 10.90.0.11 147443: Received:
Nov 25 14:10:59 10.90.0.11 147442: 570654: Nov 25 14:10:59.413: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Nov 25 14:10:59 10.90.0.11 147441: a=ptime:20
Nov 25 14:10:59 10.90.0.11 147440: a=fmtp:101 0-15
Nov 25 14:10:59 10.90.0.11 147439: a=rtpmap:101 telephone-event/8000
Nov 25 14:10:59 10.90.0.11 147438: a=rtpmap:8 PCMA/8000
Nov 25 14:10:59 10.90.0.11 147437: c=IN IP4 10.239.194.122
Nov 25 14:10:59 10.90.0.11 147436: m=audio 32532 RTP/AVP 8 101
Nov 25 14:10:59 10.90.0.11 147435: t=0 0
Nov 25 14:10:59 10.90.0.11 147434: c=IN IP4 10.239.194.122
Nov 25 14:10:59 10.90.0.11 147433: s=SIP Call
Nov 25 14:10:59 10.90.0.11 147432: o=CiscoSystemsSIP-GW-UserAgent 4029 7840 IN IP4 10.239.194.122
Nov 25 14:10:59 10.90.0.11 147431: v=0
Nov 25 14:10:59 10.90.0.11 147430:
Nov 25 14:10:59 10.90.0.11 147429: Content-Length: 253
Nov 25 14:10:59 10.90.0.11 147428: Content-Disposition: session;handling=required
Nov 25 14:10:59 10.90.0.11 147427: Content-Type: application/sdp
Nov 25 14:10:59 10.90.0.11 147426: Supported: timer
Nov 25 14:10:59 10.90.0.11 147425: Server: Cisco-SIPGateway/IOS-15.2.4.M4
Nov 25 14:10:59 10.90.0.11 147424: Supported: sdp-anat
Nov 25 14:10:59 10.90.0.11 147423: Supported: replaces
Nov 25 14:10:59 10.90.0.11 147422: Contact:
Nov 25 14:10:59 10.90.0.11 147421: Allow-Events: telephone-event
Nov 25 14:10:59 10.90.0.11 147420: STER
Nov 25 14:10:59 10.90.0.11 147419: Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGI
Nov 25 14:10:59 10.90.0.11 147418: CSeq: 73687 INVITE
Nov 25 14:10:59 10.90.0.11 147417: Call-ID: 9de3ee4e94d72128745feecb7745fc2f550e5ac2@210.87.44.134
Nov 25 14:10:59 10.90.0.11 147416: Date: Tue, 25 Nov 2014 03:10:59 GMT
Nov 25 14:10:59 10.90.0.11 147415: To: ;tag=9E38E484-23F
Nov 25 14:10:59 10.90.0.11 147414: From: "0269772016";tag=22272
Nov 25 14:10:59 10.90.0.11 147413: Via: SIP/2.0/UDP 202.10.4.169:5060;branch=z9hG4bK36dddh301oog75ji75l0.1
Nov 25 14:10:59 10.90.0.11 147412: SIP/2.0 200 OK
Nov 25 14:10:59 10.90.0.11 147411: Sent:
Nov 25 14:10:59 10.90.0.11 147410: 570653: Nov 25 14:10:59.385: //271697/839062628307/SIP/Msg/ccsipDisplayMsg:
Nov 25 14:10:59 10.90.0.11 147409:
Nov 25 14:10:59 10.90.0.11 147408: Content-Length: 0
Nov 25 14:10:59 10.90.0.11 147407: Allow-Events: telephone-event
Nov 25 14:10:59 10.90.0.11 147406: CSeq: 101 ACK
Nov 25 14:10:59 10.90.0.11 147405: Max-Forwards: 70
Nov 25 14:10:59 10.90.0.11 147404: Call-ID: 8390FE8A-738711E4-830DB48F-F8E6D51B@sipvoice.syd.aapt.com.au
Nov 25 14:10:59 10.90.0.11 147403: Date: Tue, 25 Nov 2014 03:10:59 GMT
Nov 25 14:10:59 10.90.0.11 147402: To: ;tag=5067052~03b5356b-9a57-45a8-bade-5339176b91af-112479176
Nov 25 14:10:59 10.90.0.11 147401: From: "0269772016"

Extracted from logging on Cisco UBE:

5MRL1-G1#
000164: Oct 29 13:25:59.454: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:0395468066@10.90.0.10:5060 SIP/2.0
Via: SIP/2.0/UDP 10.90.208.22:5060;branch=z9hG4bK4dc8cd5de53bd6
From: ;tag=45330452~03b5356b-9a57-45a8-bade-5339176b91af-110953498
To: ;tag=1306D250-BA5
Date: Wed, 29 Oct 2014 02:25:59 GMT
Call-ID: B2BD56C0-5E4911E4-B935B48F-F8E6D51B@sipvoice.syd.aapt.com.au
Supported: timer,resource-priority,replaces
Min-SE: 1800
Cisco-Guid: 2998712831-1581847012-3106911375-4175877403
User-Agent: Cisco-CUCM8.6
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
CSeq: 101 INVITE
Max-Forwards: 70
Expires: 180
Allow-Events: presence, kpml
Call-Info: ;method="NOTIFY;Event=telephone-event;Duration=500"
Supported: X-cisco-srtp-fallback
Supported: Geolocation
Session-Expires: 1800;refresher=uac
P-Asserted-Identity:
Remote-Party-ID: ;party=calling;screen=yes;privacy=off
Contact:
Content-Type: application/sdp
Content-Length: 246

v=0
o=CiscoSystemsCCM-SIP 45330452 2 IN IP4 10.90.208.22
s=SIP Call
c=IN IP4 0.0.0.0
b=TIAS:64000
b=AS:64
t=0 0
m=audio 31358 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=ptime:20
a=inactive
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15

0 Karma
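One way to undo the newest-first ordering of an export like the one above, as an added example that is not code from the question or from Splunk: it parses the Splunk-exported syslog lines, sorts them back into ascending IOS sequence number (the original order), regroups them per ccsipDisplayMsg dump, and reports gaps in the sequence numbers, which on a UDP syslog feed mean lines never reached Splunk. The sample lines are taken from the question; the two line-format regexes are assumptions derived from that sample.

```python
import re

# One Splunk-exported line: "<syslog ts> <host> <IOS seq>: <payload>"; the payload may be empty.
EXPORT_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<seq>\d+):\s?(?P<payload>.*)$")
# The IOS trace line that opens every ccsipDisplayMsg dump.
MSG_HEADER = re.compile(r"^\d+:\s+\w{3}\s+\d+\s+[\d:.]+:\s+//.*/SIP/Msg/ccsipDisplayMsg:$")

def parse_export(text):
    """Return (IOS sequence number, payload) for every well-formed line of the Splunk export."""
    records = []
    for raw in text.splitlines():
        m = EXPORT_LINE.match(raw)
        if m:
            records.append((int(m["seq"]), m["payload"]))
    return records

def sequence_gaps(records):
    """(a, b) pairs where the IOS sequence jumps from a to b: lines lost between the UBE and Splunk."""
    seqs = sorted(s for s, _ in records)
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]

def rebuild_traces(records):
    """Restore ascending IOS sequence (chronological order) and group lines per ccsipDisplayMsg dump."""
    traces, current = [], None
    for _, payload in sorted(records):
        if MSG_HEADER.match(payload):
            current = {"header": payload, "direction": "", "lines": []}
            traces.append(current)
            continue
        if current is None:  # body lines whose header fell outside the export window
            current = {"header": "(header not in export)", "direction": "", "lines": []}
            traces.append(current)
        if payload in ("Received:", "Sent:") and not current["direction"]:
            current["direction"] = payload.rstrip(":")
        else:
            current["lines"].append(payload)
    return traces

# Constructed sample: a handful of the exported lines from the question, still newest-first,
# with lines deliberately omitted so that sequence_gaps() has something to report.
SAMPLE = """\
Nov 25 14:10:59 10.90.0.11 147443: Received:
Nov 25 14:10:59 10.90.0.11 147442: 570654: Nov 25 14:10:59.413: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Nov 25 14:10:59 10.90.0.11 147413: Via: SIP/2.0/UDP 202.10.4.169:5060;branch=z9hG4bK36dddh301oog75ji75l0.1
Nov 25 14:10:59 10.90.0.11 147412: SIP/2.0 200 OK
Nov 25 14:10:59 10.90.0.11 147411: Sent:
Nov 25 14:10:59 10.90.0.11 147410: 570653: Nov 25 14:10:59.385: //271697/839062628307/SIP/Msg/ccsipDisplayMsg:
Nov 25 14:10:59 10.90.0.11 147408: Content-Length: 0
"""
```

Run `rebuild_traces(parse_export(SAMPLE))` to get the dumps in the order the UBE printed them, each with its header, direction and body lines.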

3stimpson
Engager

Have you created a sourcetype for this data type? You would likely need to do this at the forwarder (props), break on time or use MAX_TIMESTAMP_LOOKAHEAD.

0 Karma