Get a call trace from the logs the linux way

[ndemou]

(It took me some hours to fine tune these commands so I'm posting them for everyone)

 

What you can achieve with this easy 4-step procedure is to extract the full trace of a call from the pbx logs of a production system whith the log level is set to 7 (which means that you must clean up A LOT of noise). The only thing you need to know is the hour(s) that the call took place and the A-number and B-number (or if you prefer the "from" and "to" sip address)

 

1) First define the criteria to locate the call (date, hour, A-number, B-number) [don't copy paste blindly -- type your criteria in the corresponding positions]

LOG=/usr/local/pbxnsip/PBX_LOGS/pbxnsip_1_
LOG="$LOG"2010-04-07.txt
ANUM=210555666
BNUM=6555666777
TIMEST="2010040714"

Here I'm trying to trace a call that happened at the 14th hour of 2010-04-07. Be carefull with the TIMEST setting for calls that span two hours -- you should use the [] regex operators like this:

TIMEST="201004071[45]"

(to trace a call that started at the 14th hour but continued to the 15th)

 

2) the next step is to find the pair of call-IDs for your call (it's one call-id for each one of the two call legs -- PBX to the Caller, PBX to Callee )

grep -A20 $TIMEST $LOG | tr "\n" \~ | tr -d '\015' | sed -e "s/~\[/\n[/g" | grep -v "CSeq: [0-9]* REGISTER" | grep -v "~REGISTER sip" | grep "~INVITE sip" | grep "$ANUM.*$BNUM" | tr \~ "\n" | grep -A10 "^\[" | grep "^\[\|^From\|^To\|Call-ID\|^--"

the above command gives the following lines of output for each call it finds matching the criteria:

[7] 20100331143851: SIP Rx udp:19x.9x.25x.21x:5060:

From: <sip:210555666@192.168.0.100>;tag=722133955143761961005006181281

To: <sip:6555666777@62.205.34.2>

Call-ID: 6249187903834315628896@192.168.0.100 <--CALLID1

--

[7] 20100331143851: SIP Tx udp:62.205.34.19:5060:

From: <sip:210555666@192.168.0.100;user=phone>;tag=2059676110

To: <sip:6555666777@d;user=phone>

Call-ID: 4af035be@pbx <--CALLID2

 

3) now that you see the CALLIDs copy them to two variables[don't copy paste blindly -- type the CALLIDs for your call in the corresponding positions]:

CALLID1=620711228470439051110674375262@192.168.0.100
CALLID2=8bef1ea6@pbx

4) and now you can get a nice trace of the call like this:

grep -A20 $TIMEST $LOG | tr "\n" \~ | tr -d '\015' | sed -e "s/~\[/\n[/g" | grep "$CALLID1\|$CALLID2" | tr \~ "\n"

 

__________________________________________

for those interested in understanding the commands here is a quick explanation of the core stuf:

 

tr "\n" \~ | tr -d '\015'

the above changes new lines to "~"

 

sed -e "s/~\[/\n[/g"

the above changes back ~ to new lines ONLY if [n] follows -- now you have each log message in one big line

e.g. a message like this:

[5] blah blah

second line

third line

will become:

[5] blah blah~second line~third line

 

grep -v "CSeq: [0-9]* REGISTER" | grep -v "~REGISTER sip"

the above removes messages regarding REGISTER events which are A LOT in a system with many phones

 

tr \~ "\n"

the above changes back ~ to new lines wherever they occur

now you have the typical multi-line messages

[Vodia PBX]

 

Those who can deal with bash, sed & Co can save a lot of time! For large installations, that can really make sense.

[ndemou]

Those who can deal with bash, sed & Co can save a lot of time!

 

It should be good even if for the novice linux admin who can copy-paste the commands [disclosure: after many years in front of black terminal my opinion may be biased ].

 

BTW do you have to suggest any visualization tool which can import pbxnsip logs (or something close enough that I can create a bridge for) and display something with colors and graphics?

After 7 hours of work following a plain text log seems hard even for those who can deal with bash, sed & Co