+1 855 802 6465    +1 888 483 5723    +61 1300 314 150
Realtime Syslog CIP Phones

Realtime Syslog and CIP Phones

ClearlyIP’s Tips and Tricks

Realtime Syslog

For those who would like to know what the phone is actually doing in realtime in terms of its internal operating system and SIP protocol, our phones use the syslog protocol to store the system events internally or as we will describe in a few moments, send them to an external device.

As its name mentions, syslog (Rsyslog) gathers all the system events and logs them to a file or an external entity.

In this article we will show how to enable Rsyslog on our CentOS-based server or FreePBX instance and set our CIP phones to send syslog events to our server in real time.

First of all, we need to check if Rsyslog is installed. We can do it with the following commands (run as the user root in the CLI):

rpm -qa | grep rsyslog


rsyslogd -v

Syslog install window

Then check the status of the rsyslog service with the command:

systemctl status rsyslog.service

Syslog window

If the service is stopped we can use the command below to start it.

systemctl start rsyslog.service

If we notice the service is not , we can run the command

yum -y install rsyslog

After checking the service is enabled and running we need modify the file /etc/ryslog.conf with the command:

vim /etc/rsyslog.conf

We need to search for the following lines.

#$ModLoad imudp
#$UDPServerRun 514


By default these lines are commented, and to uncomment them we need to remove the pound/hashtag (#) sign at the beginning of them.

With this we are enabling the reception of syslog events in rsyslog using UDP transport via 514 port. The standard protocol used for log transmission by rsyslog is UDP.

It should look like this:
sys log window

After we have edited the Rsyslog configuration file, we simply restart the service and we make sure it is running. Here are the commands to doing so, respectively:

systemctl restart rsyslog.service


systemctl status rsyslog.service

Another alternative to check if Rsyslog is running is by issuing the following command that will also show the port it is using to run.

netstat -tulpn | grep rsyslog

Syslog window

Now we need to make sure external connections on port 514 are allowed. Since we are using FreePBX we can go to Connectivity > Firewall > Services > Custom Services tab and click on Create New Service.

We add a service called Rsyslog, with protocol UDP and port 514 as follows:
Sys window

We save the changes and allow external connections on port 514 as follows:
Sys window

Then we can go to one of our CIP phones and enable the remote syslog, in order to send all the events to our centralized rsyslog service. For the purpose of this article, we will use the phone’s Web UI. So, we navigate to Management > Configuration

In the System log section we set the syslog level to Debug and enter the IP address or FQDN on the syslog section server as follows:
Sys log window

With this simple setup, we are storing all the information in the file /var/log/messages

Now, on the CLI we execute the command below to follow, in real time, what the phone is sending to our server.

tail -f /var/log/messages

For example here is the output when a CIP 270V2 the phone dials extension 5002. We covered the MAC Address, but as you can see, that information is also sent to our Rsyslog service.

It is very easy to visualize, there is a SIP invite to extension 5002, and an event showing the phone goes off hook, and how the programming key 13 is sending a subscribe to whatever extension is monitoring.
Syslog install window