Serviceability Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise, Release 10.0(1)
The syslog Messaging Interface
Downloads: This chapterpdf (PDF - 1.21MB) The complete bookPDF (PDF - 6.12MB) | The complete bookePub (ePub - 2.36MB) | Feedback

The syslog Messaging Interface

The syslog Messaging Interface

The Logger process that provides the syslog feed is named CW2KFeed (CiscoWorks 2000 Feed); however, it is an RFC-3164 compliance event feed.

The syslog feed provides a more verbose set of notifications than the SNMP notifications – there are many more events sent via syslog than SNMP and the content matches that which is stored in the Unified ICM/Unified CCE database and the Windows Event Log.

The syslog event feed formats all events in Cisco Log message format. The Cisco Log message format provides the following key benefits:
  • Precisely documented message format for wide interoperability
  • Compatible with IOS message format
  • Precise message source identification with host, IP address, application, process, and so on
  • Message ordering with sequence numbers and timestamp with millisecond precision
  • Support for tagging of messages for correlation or external filtering
  • Support for internationalization of host, tags, and message text

You configure the syslog feed using the Microsoft Management Console snap-in – the same MMC snap-in you used to configure the SNMP agents. For more information about configuring the syslog feed, see the following.

The Cisco Log Message Format

The Cisco Log message format is:

<PRI>SEQNUM: HOST: MONTH DAY YEAR HOUR:MINUTES:SECONDS.MILLISECONDS TIMEZONE: %APPNAME-SEVERITY-MSGID: 
%TAGS: MESSAGE

An example of a CiscoLog formatted syslog event follows. An entry displays on a single line.

<134>25: host-w3k: Feb 13 2007 18:23:21.408 +0000: %ICM_Router_CallRouter-6-10500FF: 
[comp=Router-A][pname=rtr][iid=acme1][mid=10500FF][sev=info]: Side A rtr process is OK.

The following table describes the Cisco Log message fields:

Table 1 Cisco Log Message Fields

Field

Description

PRI

Encodes syslog message severity and syslog facility. Messages are generally sent to a single syslog facility (that is, RFC-3164 facilities local0 through local7). For more information, see RFC-3164.

SEQNUM

Number used to order messages in the time sequence order when multiple messages occur with the same time stamp by the same process. Sequence number begins at zero for the first message fired by a process since the last startup.

HOST

Fully qualified domain name (FQDN), hostname, or IP address of the originating system.

MONTH

Current month represented in MMM format (for example, "Jan" for January)

DAY

Current day represented in DD format. Range is 01 to 31.

YEAR

Current year represented in YYYY format.

HOUR

Hour of the timestamp as two digits in 24-hour format; range is 00 to 23.

MINUTE

Minute of the timestamp as two digits; range is 00 to 59.

SECOND

Second of the timestamp as two digits; range is 00 to 59.

MILLISECONDS

Milliseconds of the timestamp as three digits; range is 000 to 999.

TIMEZONE

Abbreviated time zone offset, set to +/-#### (+/- HHMM from GMT).

APPNAME

Name of the application that generated the event. APPNAME field values are:

PRODUCT_COMPONENT_SUBCOMPONENT

PRODUCT – such as ICM

COMPONENT – such as Router

SUBCOMPONENT – such as CallRouter

SEVERITY

Supported severity values are:

3 (Error)

4 (Warning)

6 (Informational)

7 (Debug)

MSGID

Hexadecimal message id that uniquely identifies the message, such as 10500FF.

TAGS

(Optional) Supported tags are:

[comp=%s] - component name including side, such as Router-A

[pname=%s] - process name, such as rtr

[iid=%s] - instance name, such as acme1

[mid=%d] - message id, such as 10500FF

[sev=%s] – severity, such as info

MESSAGE

A descriptive message about the event.

Configure syslog Destinations

You can configure syslog destinations using the Cisco SNMP Agent Management Snap-in. The syslog feed is available only on the Unified ICM/Unified CCE Logger Node.
Procedure
    Step 1   Expand Cisco SNMP Agent Management in left pane of MMC snap-in.
    Step 2   Highlight Syslog Destinations in left pane under Cisco SNMP Agent Management. ICM Instance Name, Feed Enabled, Collector Address, Port, and Ping Disabled columns appear in the right pane.
    Step 3   Right-click the white space in right pane and select Properties. A dialog box appears:
    Figure 1. syslog Feed Configuration Dialog Box



    Step 4   Select one Unified ICM/Unified CCE instance from list box.
    Step 5   Check Enable Feed? check box.
    Step 6   Enter IP address or host name in Collector Address field.
    Step 7   (Optional)Enter collector port number on which syslog collector is listening in Collector Port field. The default port is 514.
    Step 8   (Optional)Check Disable Ping Tests? check box.
    Step 9   Click Save.
    Step 10   Click OK.

    What to Do Next

    Important:

    You must cycle the Logger service to start the flow of events from the syslog feed. The Node Manager picks up the configuration parameters from the registry and passes them to the CW2KFEED process when it invokes it. Changing the syslog parameters and killing the CW2KFEED process cannot suffice because the Node Manager restarts it with the parameters it previously read from the registry. A service recycle is required.