• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 323
  • Last Modified:

Need to find which user or IP phone has dialed a certain string.

I'm using a Cisco CallManager 6.1xxx. I have a user that continues to forward calls to another business. At least that is what it appears like. Our source phone provider (comcast) is stating that the forward is happening from the phone itself with a *72 xxx-xxx-xxxx combination. Is there a way i can use the Real time monitoring tool to scour the logs for the # dialed, and find out which of my extensions (Directory #'s) is dialing this pattern? WOULD BE A HUGE HELP, Thank you
0
Mcottuli
Asked:
Mcottuli
  • 2
  • 2
1 Solution
 
José MéndezCommented:
If you know the number dialed with precision, configure the traces as indicated here:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080094e89.shtml

Then use the RTMT to build a query looking for this text string:

dd="*72112233445566

Replace the portion after the double quotes with your called number, and run the query on all nodes. These should return who is calling that number. If you don't get results, try with an extension you know for sure you have dialed after setting up the traces, using the same syntax and the query should bring you back some results:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/service/5_0_1/ccmsrva/sartmttc.html#wp1099088

The query will return the files where the string was found, and near the line where it appears, you will see the calling number.
0
 
McottuliAuthor Commented:
Thank you. I will test.
0
 
McottuliAuthor Commented:
Not having much luck. As you said I've tested a number that I know has been dialed.
I'm opening the RTMT, going to Trace and Log Central, clicking Query Wizard. Not sure which service to select so I select "Select all services on all Servers" under CCM,CUC, and System. The for my query I'm typing dd="18008881111 (Representing 1-800-888-1111) that I dialed about an hour ago. After the query finished I went through ALL the different files, they were all empty accept the "Cisco Trace Collection Service" which contained what I believe is just my previous searches. I also searched dd="918008881111 because we have to dial 9 before calling out, not sure if that was needed? Any thoughts on what IU might be missing, all traces are turned on and enabled in unified serviceability.
0
 
José MéndezCommented:
Your traces may be getting overwritten. The only service you have to check is the Cisco Callmanager check box for all servers in the cluster. This is how the search looks like:

query
The other option would be an SQL query like the one in the output below, from a SSH connection to the Publisher server, if  and only if you have the CDR feature enabled on each node:


admin:run sql car select callingpartynumber  from car:tbl_billing_data where finalcalledpartynumber='8965'
callingpartynumber
==================
1102

Open in new window


As you see, this returns the calling party when 8965 is dialed, you would have to modify the query a bit though.
0

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now