Cisco CDR Reporting & Analytics | Installation Notes

Install Step 3, Data Collection

One quick note: we use a Splunk term, “$SPLUNK_HOME”, to denote the base install path of Splunk or the Splunk forwarder. On a Windows server, this is usually c:\program files\splunk or c:\program files\splunkuniversalforwarder. On Linux it’s usually /opt/splunk or /opt/splunkforwarder.

Prepare the host which UCM will SFTP to

Next, we recommend the following steps, where you’ll set up a small separate host that receives the files from CUCM via SFTP and forwards them on to your Splunk instance via the Splunk Universal Forwarder. However, on-premises users (i.e. those not in the cloud) with only a single Splunk instance should know that it’s a fine option to simply SFTP the files directly to the main Splunk host.

Set up this little intermediate host

  • Find or build a small virtual machine or system with an SFTP server and the Splunk Universal Forwarder
    • This would preferably be *nix, because then a compatible SFTP server is built right into the OS.
    • But if you need to, you can use Windows, and for SFTP something like the SolarWinds SFTP server, FileZilla Server, or others.
  • Download and install the Splunk Universal Forwarder (UF) on this host. You can get the UF by going to https://www.splunk.com/en_us/download.html, and scrolling far down until you see Universal Forwarder. Follow the steps to install it for your platform.

Configuring the UF to send data to your Splunk instance

Install the “TA_cisco_cdr” app on this host

  • Download the TA_cisco_cdr app from Splunkbase here: https://splunkbase.splunk.com/app/4434/ and save the tar.gz file locally. (Note that during the download there is also a little wget command you can run right on the UF host. This can save a little time.)
  • Unpack the contents of that tar.gz file and place the resulting TA_cisco_cdr folder in the $SPLUNK_HOME/etc/apps directory on your forwarder.

At this point, you should have a small VM or host running, with a Splunk Universal Forwarder installed, and that UF should have a directory at $SPLUNK_HOME/etc/apps/TA_cisco_cdr/…

Configuring the input itself

  1. Create the input by adding this config to an inputs.conf file located at “$SPLUNK_HOME/etc/apps/TA_cisco_cdr/local/inputs.conf”. You may need to create the folder “local” and the file itself. Make sure the user Splunk runs under has permissions to this file and folder.
  2. To that file, add the following contents depending on your UF’s Operating System:
    1. for Linux or Unix, the contents of inputs.conf will look like this, with /path/to/files/ pointing to the folder where your SFTP server saves the files:
      [batch:///path/to/files/cdr_*]
      index = cisco_cdr
      sourcetype = cucm_cdr
      move_policy=sinkhole
      [batch:///path/to/files/cmr_*]
      index = cisco_cdr
      sourcetype = cucm_cmr
      move_policy=sinkhole
    2. for Windows, the contents of inputs.conf will look like this, with D:\path\to\files\ pointing to the folder where your SFTP server saves the files:
      [batch://D:\path\to\files\cdr_*]
      index = cisco_cdr
      sourcetype = cucm_cdr
      move_policy=sinkhole
      [batch://D:\path\to\files\cmr_*]
      index = cisco_cdr
      sourcetype = cucm_cmr
      move_policy=sinkhole

Important Notes:

  • Be careful with the direction and the number of slashes. Use the examples as a reference.
  • By design, this input will index and then delete files immediately. If this is a concern, please see our documentation regarding Sinkhole vs. Monitor Inputs.
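
A check you can run before restarting the forwarder, as an added example that is not part of the original page or the app: it parses an inputs.conf body and flags wrong slash counts or directions, a missing move_policy, a mismatched sourcetype, and batch paths that would sinkhole files other than cdr_*/cmr_*. The function names and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample: the page's Linux cdr_ stanza, then a cmr_ stanza with three mistakes.
SAMPLE = r"""
[batch:///path/to/files/cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole
[batch://path/to/files/cmr_*]
index = cisco_cdr
sourcetype = cucm_cdr
"""
# Sourcetype expected for each file prefix, taken from the page's stanzas.
EXPECTED = {"cdr_": "cucm_cdr", "cmr_": "cucm_cmr"}
# After "batch://" the path must be absolute: "/..." on *nix, "X:\..." on Windows.
ABS_PATH = re.compile(r"^(/[^\\]*|[A-Za-z]:\\[^/]*)$")

def parse_stanzas(text):
    """Return {stanza_header: {key: value}} for an inputs.conf body."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_inputs(text):
    """Return a list of problems found in the batch stanzas of inputs.conf."""
    problems = []
    for header, settings in parse_stanzas(text).items():
        if not header.startswith("batch://"):
            continue
        path = header[len("batch://"):]
        if not ABS_PATH.match(path):
            problems.append(f"[{header}] path is not absolute or mixes slash directions")
        name = re.split(r"[\\/]", path)[-1]
        prefix = next((p for p in EXPECTED if name.startswith(p)), None)
        if prefix is None:
            problems.append(f"[{header}] sinkhole would delete files other than cdr_*/cmr_*")
        elif settings.get("sourcetype") != EXPECTED[prefix]:
            problems.append(f"[{header}] sourcetype should be {EXPECTED[prefix]}")
        if settings.get("move_policy") != "sinkhole":
            problems.append(f"[{header}] batch input needs move_policy = sinkhole")
    return problems

if __name__ == "__main__":
    print("\n".join(check_inputs(SAMPLE)))
```

To check a real forwarder, pass the text of $SPLUNK_HOME/etc/apps/TA_cisco_cdr/local/inputs.conf to check_inputs; an empty list means the batch stanzas match the patterns shown on this page.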

The data collection node is now set up and ready to receive files and forward those into Splunk. The last piece, in order to get data coming in, is to now set up UCM to send files to this host.
