Back to blog
How-To

4 steps to capture the log of an intermittent event in Cisco IOS with EEM

Eric Lavoie
February 4, 2016

Do you keep dropping calls in your Cisco Unified Communications System and can’t figure out why? You are not alone. This is a problem I often troubleshoot for many of our clients. The first and most challenging step to resolving this issue is obtaining a log of the issue when it arrives to help you troubleshoot.

Some people may opt to use a syslog server in Cisco IOS, however, messages are carried over UDP so you can lose some of them or the rate limiting feature may not send all the information you need.

In my case, many of our clients do not have a syslog infrastructure and as we are managing multiple clients, I could not keep my computer connected to one specific client all day waiting for this intermittent failed call to reoccur.

I needed a simple and efficient way to identify the issue and capture all the log information to allow me to effectively troubleshoot the cause and fix the problem.

PROBLEM

Obtaining a log of an intermittent failed call to the PSTN.

 

SOLUTION

The Solution I used was Cisco IOS Embedded Event Manager (EEM). I will show you  4 easy steps to configure your router to capture the logs of an intermittent event with the help of the EEM.

In this example, we will configure the router to capture the log for calls failing with the cause 63 (this can be found in the UCM CDR). However, these steps can be applied to any log output.

 

 Step 1.  Configure the log buffer large enough to obtain high call volumes.

R1#conf t
R1(config)#logging buffered 3000000

Step 2.  Create the following event manager applet.

R1#conf t
R1(config)#event manager applet SIP
R1(config-applet)#event syslog pattern “Q.850;cause=63”
R1(config-applet)#action 1.0 cli command “enable”
R1(config-applet)#action 1.5 cli command “show log | redirect flash0:debugCause63”

Step 3. Start to debug.

R1#debug ccsip messages

Step 4. Add action to send an email when the event occurs ( CUBE must have SMTP server access).

R1#conf t
R1(config)#event manager environment _email_from yourname@company.com
R1(config)#event manager environment _email_to yourname@company.com
R1(config)#event manager environment _email_server 10.0.10.23

R1(config-applet)#event manager applet SIP
R1(config-applet)#action 2.0 mail server “$_email_server” to “$_email_to” from “$_email_from” subject “Event Occurs” body “Event Occurs, go grab the log files on flash0“

 

Now you wait… When the event reoccurs, the log file will show up on the flash and you will receive an email notification. You will now have all the information regarding this failed call on your log, allowing you to analyze the situation and take the appropriate steps to fixing the issue. 

Want to learn more about how we can help support you with this and other types of Cisco Unified Communications issues, contact us, we would love to hear from you.

Ready to take your unified communications from headache to hassle-free?

No throwing darts at proposals or contracts. No battling through the back-end. No nonsense, no run-around.