Hello Everyone,
I wish to use Graylog to capture and manage SIP messages from our VOIP environment.
I have successfully set up our Cisco routers to send SIP call info (Setup, Ringing, termination, etc.) using “debug ccsip messages”, which is then sent to our Graylog test server via Syslog.
Now here is the frustrating thing.
From the Cisco side, we see whole messages in the local log:
Jun 21 10:21:52.946 GMT: /-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
Call-ID: ShoreTel_05981028-00028485
CSeq: 1 OPTIONS
Via: SIP/2.0/UDP ;rport;branch=z9hG4bK-5b4364-647f40ee-16d09c4-6845228
User-Agent: ShoreGear/19.49.5200.0 (ShoreTel 14.2)
Max-Fowards: 70
Content-Length: 0
Jun 21 10:21:52.948 GMT: /601277/38FA5DEBBD1E/SIP/Msg/ccsipDisplayMsg:
SIP/2.0 200 OK
Date: Fri, 21 Jun 2019 10:21:52 GMT
Call-ID: ShoreTel_05981028-00028485
Server: Cisco-SIPGateway/IOS-16.6.5
CSeq: 1 OPTIONS
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
Accept: application/sdp
Supported: timer,resource-priority,replaces,sdp-anat
Content-Type: application/sdp
Content-Length: 166
Each message block starts with a date and ends with “Content-Length”.
However, Cisco dutifully sends each line as a separate message, so instead of having two records in Graylog for the above, I have 11+16 = 27 separate records, one for each line.
So I need to find a way of recombining the lines back into whole messages again.
Can this be achieved in Graylog somehow, or do I need to put a different environment in the path (e.g. logstash) to process the flow?
Any advice or guidance gratefully received.
Regards,
Julian
Birmingham, UK
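Added example (not from the poster and not Graylog's own code): a small pre-processor of the kind the post asks about, something that would sit in the path before Graylog and recombine the one-line-per-record stream back into whole SIP messages. It uses the two rules stated in the post: a block starts with the IOS timestamp line ending in `/SIP/Msg/ccsipDisplayMsg:` and ends at the `Content-Length` header. The sample input is constructed from the local-log paste above (with the raw syslog hostname/PRI prefix assumed to be stripped already); the `SipRecord` class, `reassemble` and `to_fields` names are the example's own. It also keeps any lines that arrive after `Content-Length` (an SDP body, when the router forwards one) attached to the same record rather than losing them, which goes slightly beyond the rule in the post.

```python
import re
from dataclasses import dataclass, field

# Start of a ccsipDisplayMsg block: IOS timestamp, timezone, then the /call/guid/SIP/Msg path.
START_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\S+): "
    r"(?P<path>/\S*?/SIP/Msg/ccsipDisplayMsg):\s*$"
)
# A SIP header line: token, colon, value. "SIP/2.0 200 OK" and request lines do not match.
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
END_HEADER = "content-length"  # the post's end-of-block marker

# Constructed sample, copied from the local-log paste in the post (one line per syslog record).
SAMPLE = """Jun 21 10:21:52.946 GMT: /-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
Call-ID: ShoreTel_05981028-00028485
CSeq: 1 OPTIONS
Via: SIP/2.0/UDP ;rport;branch=z9hG4bK-5b4364-647f40ee-16d09c4-6845228
User-Agent: ShoreGear/19.49.5200.0 (ShoreTel 14.2)
Max-Fowards: 70
Content-Length: 0
Jun 21 10:21:52.948 GMT: /601277/38FA5DEBBD1E/SIP/Msg/ccsipDisplayMsg:
SIP/2.0 200 OK
Date: Fri, 21 Jun 2019 10:21:52 GMT
Call-ID: ShoreTel_05981028-00028485
Server: Cisco-SIPGateway/IOS-16.6.5
CSeq: 1 OPTIONS
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
Accept: application/sdp
Supported: timer,resource-priority,replaces,sdp-anat
Content-Type: application/sdp
Content-Length: 166
"""


@dataclass
class SipRecord:
    """One reassembled ccsipDisplayMsg block (hypothetical structure for this example)."""
    timestamp: str
    path: str
    direction: str = ""                 # "Received" / "Sent" marker line, when present
    start_line: str = ""                # request line or status line, e.g. "SIP/2.0 200 OK"
    headers: dict = field(default_factory=dict)
    body: list = field(default_factory=list)   # lines after Content-Length (SDP), if any
    raw_lines: list = field(default_factory=list)
    complete: bool = False              # True once Content-Length was seen


def reassemble(lines):
    """Group single-line records into SipRecord objects using the start/end rules."""
    records, current = [], None
    for line in lines:
        line = line.rstrip("\r\n")
        m = START_RE.match(line)
        if m:
            if current is not None:
                records.append(current)   # flush previous block (complete or not)
            current = SipRecord(timestamp=f"{m['ts']} {m['tz']}", path=m["path"])
            continue
        if current is None or not line:
            continue                      # stray line outside any block, or blank
        current.raw_lines.append(line)
        if current.complete:
            current.body.append(line)     # SDP body following Content-Length
            continue
        h = HEADER_RE.match(line)
        if h and not current.direction and not current.start_line \
                and h[1] in ("Received", "Sent") and h[2] == "":
            current.direction = h[1]
        elif not h and not current.start_line:
            current.start_line = line
        elif h:
            name = h[1].lower()
            current.headers[name] = h[2]
            if name == END_HEADER:
                current.complete = True
    if current is not None:
        records.append(current)
    return records


def to_fields(rec):
    """Flatten a SipRecord into the flat key/value shape a GELF message carries."""
    fields = {
        "ios_timestamp": rec.timestamp,
        "ccsip_path": rec.path,
        "sip_direction": rec.direction,
        "sip_start_line": rec.start_line,
        "sip_complete": rec.complete,
        "full_message": "\n".join(rec.raw_lines),
    }
    for name, value in rec.headers.items():
        fields["sip_" + name.replace("-", "_")] = value
    return fields


if __name__ == "__main__":
    for rec in reassemble(SAMPLE.splitlines()):
        print(to_fields(rec))
```

Run on the sample it yields two records instead of 27, each carrying the Call-ID, CSeq and Content-Length as separate fields plus the full reassembled text, which is what you would want to send on to Graylog as one message. Note that the Content-Length rule is only a safe end marker while the router emits no body lines; when it does (the `Content-Length: 166` reply has an SDP payload), those lines are kept in `body` and the record is flushed at the next timestamp line instead.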