ClearlyIP’s Tips and Tricks
Realtime Syslog
For those who would like to know what the phone is actually doing in real time, in terms of its internal operating system and the SIP protocol: our phones use the syslog protocol to store system events internally or, as we will describe in a few moments, to send them to an external device.
As its name suggests, syslog (Rsyslog) gathers all the system events and logs them to a file or sends them to an external entity.
In this article we will show how to enable Rsyslog on our CentOS-based server or FreePBX instance and set our CIP phones to send syslog events to our server in real time.
First of all, we need to check if Rsyslog is installed. We can do it with the following commands (run as the user root in the CLI):
rpm -qa | grep rsyslog
or
rsyslogd -v
Then check the status of the rsyslog service with the command:
systemctl status rsyslog.service
If the service is stopped we can use the command below to start it.
systemctl start rsyslog.service
If we notice the service is not installed, we can run the command
yum -y install rsyslog
After checking that the service is enabled and running, we need to modify the file /etc/rsyslog.conf with the command:
vim /etc/rsyslog.conf
We need to search for the following lines.
#$ModLoad imudp
#$UDPServerRun 514
By default these lines are commented out; to uncomment them, we remove the pound/hash sign (#) at the beginning of each line.
This enables rsyslog to receive syslog events over UDP on port 514. The standard protocol used for log transmission by rsyslog is UDP.
After we have edited the Rsyslog configuration file, we simply restart the service and make sure it is running. The commands to do so are, respectively:
systemctl restart rsyslog.service
and
systemctl status rsyslog.service
Another way to check whether Rsyslog is running is the following command, which also shows the port it is listening on.
netstat -tulpn | grep rsyslog
Now we need to make sure external connections on port 514 are allowed. Since we are using FreePBX, we can go to Connectivity > Firewall > Services > Custom Services tab and click on Create New Service.
We add a service called Rsyslog, with protocol UDP and port 514.
We save the changes and allow external connections on port 514.
Then we can go to one of our CIP phones and enable the remote syslog, in order to send all the events to our centralized rsyslog service. For the purpose of this article, we will use the phone’s Web UI. So, we navigate to Management > Configuration.
In the System log section, we set the syslog level to Debug and enter the IP address or FQDN in the syslog server section.
With this simple setup, we are storing all the information in the file /var/log/messages.
Now, on the CLI we execute the command below to follow, in real time, what the phone is sending to our server.
tail -f /var/log/messages
For example, here is the output when a CIP 270V2 phone dials extension 5002. We masked the MAC address, but as you can see, that information is also sent to our Rsyslog service.
It is very easy to follow: there is a SIP INVITE to extension 5002, an event showing the phone going off hook, and programming key 13 sending a SUBSCRIBE to whatever extension it is monitoring.
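UDP syslog is unauthenticated, and at Debug level the phones send SIP signalling and their MAC address. The following variant of the receiver configuration is an added example, not part of the original article: it limits which hosts rsyslog accepts on UDP 514 and writes the phone events to their own file instead of /var/log/messages. The phone subnet 192.168.10.0/24 and the file /var/log/cip-phones.log are assumptions, and `stop` assumes rsyslog 7 or later.

```conf
# /etc/rsyslog.conf -- added example, not from the article.
# Assumptions: phones live in 192.168.10.0/24; log file name is arbitrary.

# Listener from the article, uncommented
$ModLoad imudp
$UDPServerRun 514

# Accept UDP syslog only from localhost and the phone subnet.
# Datagrams from any other source address are dropped by rsyslog.
$AllowedSender UDP, 127.0.0.1, 192.168.10.0/24

# Place this rule ABOVE the existing /var/log/messages rule in the
# RULES section so phone events are written here and nowhere else.
if $fromhost-ip startswith '192.168.10.' then /var/log/cip-phones.log
& stop
# On older rsyslog releases that lack "stop", the equivalent is "& ~".
```

After restarting the service, `tail -f /var/log/cip-phones.log` shows the phone events. The source address of a UDP datagram can be forged, so the FreePBX firewall service for port 514 should be limited to the same phone networks as well.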