Using Log Parser Part 2 – Interoperability with Cisco UC Appliance

Author
William Bell
Vice President, Solutions and Products

What Has Changed

Well, pretty much everything about the event record structure has changed.  So has the method you would need to use to collect the events.  On the Windows-based system, you could use the LogParser tool (or a WSH script) directly on a CM server.  You could also use the tool to query the server remotely, though I don’t do this in my customer environments as I block RPC/SMB/etc. from most networks.

Once you get adjusted to the data collection method, and come up with a way to handle the new record structure, you can leverage the LogParser tool just as you would with Windows events.  Actually, since I have been coerced into normalizing the record set I find that LogParser is easier to use.

Data Collection

On the Cisco Unified Communications Manager (CUCM) appliance the event logs are located on the active partition.  Specifically, in the /syslog/* path.  You can see the files from the command line using this command:  file list activelog syslog/* detail

You can collect the files directly from the console if desired by using the “file get” command.  This will allow you to download the files to any SFTP server.  It is actually one way to schedule retrieval if you like to write scripts for terminal apps like Expect or tcl/vbs scripts in SecureCRT.

Collecting logs from the command line is handy knowledge and I use this method in many cases because it is just easier for me.  However, in this particular case I prefer to use RTMT to collect log (and trace) files.  I like RTMT for this task because I can easily collect files from all cluster nodes using one wizard and I can specify date ranges or relative time frames.  This is pretty handy when troubleshooting.

To collect files using RTMT, start RTMT, connect to your publisher node (or other cluster node if you wish) and do the following:

1. Choose the System menu

2. Select Tools>Trace>Trace and Log Central

3. In the main window frame you will see several options (e.g. Remote Browse, Collect Files, Query Wizard, etc.).  Double-click on Collect Files.

4. A wizard will load that allows you to select the files you would like to collect.  Don’t select anything on the first wizard page and choose Next.

5. On the second wizard page, scroll down until you see “Event Viewer-Application Log”.  Select this log for either all servers or the one(s) you are interested in.  Click Next.

6. On the next page you can specify date ranges or relative time.  Relative time is handy because you can request files from the previous X minutes.  Specify a date range as appropriate.  You also need to specify where you will save the file.  I like to change this as the download will create a deep directory structure anyway.  Click on Finish.

The application event logs will download as text files named “CiscoSyslog”, “CiscoSyslog.1”, “CiscoSyslog.2”, etc.   The system event logs will download as text files named “messages”, “messages.1”, “messages.2”, etc.  Finally, the security logs will download as text files named “secure”, “secure.1”, “secure.2”, etc.  The logs without an extension contain the latest records and the logs with the highest number extension contain the oldest records.

While you are looking at RTMT you may want to consider poking around the schedule collection and query wizard options under trace collection.  These can come in handy if you are putting together a periodic operation schedule.

Normalizing the Data

I would like to say that you can get right into using LogParser with the raw text files that you just pulled down, but I can’t.  Unfortunately, the text files that are retrieved do not have a discrete field delineation.  All the white space you see is spaces, and separating record values on spaces won’t work well.  It would have been nice if some delimiter was used, but oh well, we make do.

Each person will have their own method; I prefer to use a script to read in the Cisco files, normalize the records, and dump them to a “well-structured” file format.  I find it easier to do it this way myself.

In this blog, I am going to use JScript code as an example.

Separating Records

A standard record is a long string with a line feed at the end (no carriage return).  So, if you read in the file using Notepad, it looks horrible.  I recommend Notepad++.  If using a script, then make sure you keep in mind that you should split records using the newline character (e.g. "\n") and not the carriage return (e.g. "\r").

Record Structure

Just like the Windows flavor of the records, the event entries have little in the way of a discrete structure.  But, I have found that they aren’t too bad to deal with.  An example record is in order.  Let’s look at how the record starts:

Jul  6 18:20:11 CM2 local7 3 : 2012 :Jul  6 22:20:11.300 UTC :

Some interesting points at first glance:

  • There are actually two spaces between “Jul” and “6”.  If it were July 12th, there would only be one space.
  • There is some use of colon “:” as a delimiter between record sections
  • There are two date fields.  The first is local time (of CM) and the second is UTC time
  • The “3” after local7 indicates an “Error” event (2 is warning and 1 is informational)
  • The “2012” is actually a sequence number of the event (it does span backup versions of the syslog file)

The remaining portion of the record is equivalent to the message body of the Windows event message (see above for a link to this discussion).  For example, starting after the UTC date:
