CUCM CDR Analysis and Reporting: Complete Guide

Introduction

Picture this: an HR director gets a tip that a senior employee has been leaking proprietary data to a competitor. The first question the investigation team asks is straightforward—who did this person call, when, and for how long? Every answer exists inside CUCM's Call Detail Records.

Cisco Unified Communications Manager generates structured call data for every processed call. Two record types capture different dimensions: CDRs document who called whom, when, and for how long, while CMRs capture voice quality metrics.

The built-in CDR Analysis and Reporting (CAR) tool transforms this raw data into usable reports for billing, compliance, capacity planning, and security investigations.

According to the Communications Fraud Control Association, telecom fraud losses reached $38.95 billion in 2023—a 12% increase over 2021—with PBX fraud accounting for 51% of reported methods. For enterprise IT and security teams, that number makes CDR analysis less a best practice and more a basic due-diligence requirement.


TL;DR

  • CUCM logs two record types per call: CDRs (caller, recipient, duration, timestamps) and CMRs (jitter, latency, packet loss)
  • The CAR tool at https://<CUCM-IP>:8443/car/ delivers User, System, and Device reports on demand or on schedule
  • Enable the CDR Enabled Flag service parameter on every cluster node — CDR generation is disabled by default
  • Raw CDR exports are CSV flat files with 133+ fields — correlate multi-leg calls using the globalCallID field
  • CDR data supports billing, QoS monitoring, fraud detection, and court-admissible evidence in litigation when records are collected under proper chain-of-custody procedures

What Is CUCM CDR?

In investigations and compliance reviews, CDR data is often the first place analysts look. A Call Detail Record is a structured data entry Cisco Unified Communications Manager generates at the end of every processed call — capturing the calling party, called party, origination timestamp, connect time, disconnect time, and termination cause.

CDR vs. CMR: Two Records, Two Purposes

These two record types serve distinct analytical functions:

| Record Type | What It Captures | Primary Use |
|---|---|---|
| CDR | Identity, routing, timestamps, duration | Billing, activity tracking, investigations |
| CMR | Jitter, latency, packet loss, media quality | QoS monitoring, voice quality troubleshooting |

CMRs are also called diagnostic records. CUCM outputs both as comma-separated flat files, delivering them through the CAR interface or pushing them via SFTP to external billing servers.

One call can generate multiple CDR rows, particularly for transfers, redirects, and conference joins. Effective analysis requires correlating all related rows using the globalCallID_callId and globalCallID_callManagerId fields, which remain consistent across every record tied to the same call.

Two Ways to Access CDR Data

  • CAR web interface: Accessible directly at https://<CUCM-IP>:8443/car/ or through Cisco Unified Serviceability > Tools > CDR Analysis and Reporting
  • SFTP billing server delivery: The CDR Repository Manager pushes flat files to up to 8 external destinations, checking every 6 seconds for new files to transfer

Why CDR Analysis Is Critical in Enterprise Communications

Billing and Cost Allocation

CDR data lets organizations calculate call costs by user, department, or destination. The CAR Rating Engine applies cost rules and generates Individual Bill and Department Bill reports—essential where telecom costs are distributed across cost centers. Without this visibility, telephony spend is effectively invisible.

QoS and Voice Quality Monitoring

CMR data paired with CDRs gives network teams measurable thresholds to work against. Cisco's QoS documentation references ITU G.114, which recommends less than 150 ms one-way end-to-end delay for high-quality voice. Packet loss for G.729 should stay far below 1%, and jitter buffers are typically effective for delay variations under 100 ms.

CAR's built-in QoS Summary and QoS Detail reports identify calls breaching these thresholds before complaints escalate.

Capacity Planning and Traffic Analysis

Traffic Summary reports broken down by hour, day of week, and day of month reveal:

  • Peak load periods and trunk saturation points
  • Over-utilized gateways requiring additional capacity
  • Under-utilized resources that can be consolidated
  • Route group imbalances affecting call quality

Security, Compliance, and Fraud Detection

CDR data surfaces patterns that don't belong:

  • Unusual call volumes to external numbers outside business hours
  • Calls to restricted or sensitive destinations
  • High-frequency short-duration calls indicating scan or reconnaissance activity
  • PBX toll fraud patterns—unauthorized use of enterprise dial plans to make long-distance calls
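
Two of the patterns above (after-hours external calls and bursts of short calls) expressed as detection logic over exported CDR rows. This is an added example, not part of CAR or of the original guide; the sample rows are constructed, and the time zone, business hours, 4-digit extension rule, and burst thresholds are assumptions to tune per site.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SITE_TZ = timezone(timedelta(hours=-5))  # assumption: site clock is UTC-5
BUSINESS_HOURS = range(8, 18)            # assumption: 08:00-17:59, Mon-Fri
SHORT_SECS = 5                           # assumption: "short" call ceiling
BURST_COUNT, BURST_WINDOW = 5, 120       # assumption: 5 short calls in 120 s

# Constructed sample rows (not real call data); epoch seconds are UTC.
SAMPLE_CDR = """\
dateTimeOrigination,callingPartyNumber,finalCalledPartyNumber,duration
1700000000,2099,912025550101,2
1700000010,2099,912025550102,0
1700000020,2099,912025550103,3
1700000030,2099,912025550104,0
1700000040,2099,912025550105,1
1700000100,2001,3005,120
1700028800,2044,9011442079460000,1800
1700028900,2001,3010,45
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def is_external(number):
    return len(number) > 4  # assumption: internal extensions are 4 digits

def after_hours_external(rows):
    """External calls placed outside business hours or on a weekend."""
    hits = []
    for r in rows:
        local = datetime.fromtimestamp(int(r["dateTimeOrigination"]), SITE_TZ)
        off_hours = local.weekday() >= 5 or local.hour not in BUSINESS_HOURS
        if off_hours and is_external(r["finalCalledPartyNumber"]):
            hits.append((r["callingPartyNumber"], r["finalCalledPartyNumber"], local.isoformat()))
    return hits

def short_call_bursts(rows):
    """Callers with BURST_COUNT short or unanswered calls inside BURST_WINDOW seconds."""
    starts = defaultdict(list)
    for r in rows:
        if int(r["duration"]) <= SHORT_SECS:
            starts[r["callingPartyNumber"]].append(int(r["dateTimeOrigination"]))
    flagged = []
    for caller, times in starts.items():
        times.sort()
        spans = (times[i + BURST_COUNT - 1] - times[i] for i in range(len(times) - BURST_COUNT + 1))
        if any(span <= BURST_WINDOW for span in spans):
            flagged.append(caller)
    return sorted(flagged)
```

On the sample, extension 2044 is flagged for a 30-minute external call at 01:13 local time and extension 2099 for five sub-5-second calls in 40 seconds; the internal after-hours call from 2001 is not flagged.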

[Figure: Four CDR fraud detection patterns identifying PBX toll fraud and suspicious call activity]

For regulated industries, call records may also be required as part of audit trails. MiFID II, for example, extended communications recording retention requirements from 6 months to 5 years for covered financial firms.

Legal and Forensic Use Cases

CDR records are timestamped, structured logs of communication activity. They can serve as digital evidence in corporate investigations, HR disputes, litigation, and law enforcement inquiries.

What determines admissibility is how records were preserved. Courts require:

  • Forensically sound collection with documented chain of custody
  • Verifiable integrity (hash values or equivalent authentication)
  • Analysis conducted by a qualified examiner who can testify to methodology

Standard CAR report exports don't satisfy these requirements for formal proceedings. Engaging a certified forensic examiner to handle CDR collection and analysis ensures the records hold up under legal scrutiny.


How CUCM CDR Analysis Works: Step by Step

Step 1: Enable CDR and CMR Collection

CDR generation is disabled by default in CUCM. To activate it:

  1. Navigate to Cisco Unified CM Administration > System > Service Parameters
  2. Select the Cisco CallManager service for each node
  3. Set CDR Enabled Flag = True
  4. Separately, set Call Diagnostics Enabled to activate CMR collection

The most common mistake: enabling CDR on the publisher but missing subscriber nodes, which produces an incomplete cluster-wide record set.

Step 2: Activate CAR and Configure Parameters

Under Cisco Unified Serviceability > Tools > Service Activation, activate:

  • Cisco CAR Web Service
  • Cisco CAR Scheduler

Before running reports, configure:

  • CDR Repository Manager disk allocation and water marks
  • Dial plan settings in CAR system parameters
  • Gateway assignments for utilization reporting
  • Mail server settings for automated delivery and threshold alerts

Step 3: Access and Extract CDR Data

Two extraction paths serve different needs:

  • CAR web interface: Best for on-demand reports, CDR searches by extension, and standard operational reporting
  • SFTP billing server: Best for feeding external analysis platforms, long-term archival, and forensic preservation

CAR loads CDR data continuously, 24 hours a day, not on a nightly schedule. That distinction matters when you need near-real-time data for active investigations.

Step 4: Run the Right Reports

CAR organizes reports into three categories:

| Category | Reports | Audience |
|---|---|---|
| User Reports | Individual Bills, Department Bills, Top N by Charge/Duration/Volume | Users, managers, admins |
| System Reports | QoS Detail/Summary, Traffic Summary, Malicious Call Details, CDR Error | Admins only |
| Device Reports | Gateway Detail/Summary/Utilization, Conference Bridge Utilization | Admins only |

[Figure: CUCM CAR report categories (User, System, and Device reports) comparison chart]

Reports run on-demand or on daily, weekly, or monthly schedules.

Step 5: Interpret CDR Records

Raw CDR exports require careful reading. Key interpretive rules:

  • dateTimeConnect = 0: Call was never answered
  • duration: Connected seconds only—not ring time
  • originalCalledPartyNumber ≠ finalCalledPartyNumber: Call was forwarded or routed through a hunt group
  • origCause_value / destCause_value: Q.850 termination codes—16 = Normal Clearing, 34 = No Circuit Available, 41 = Temporary Failure

Never analyze transfers or conference calls using a single CDR row. Correlate all rows sharing the same globalCallID to reconstruct the full call path.

Step 6: Act on Findings and Establish a Review Cycle

Findings that don't drive decisions are just data. Build a structured review cycle so analysis translates into action:

  • Weekly: Traffic reports to catch utilization trends early
  • Monthly: QoS trend analysis across gateways and call types
  • Quarterly: Audit gateway assignments and CDR Repository Manager disk thresholds to prevent data loss
  • Immediate: Threshold alerts for anomalous volumes or fraud indicators

Organizations that schedule CDR reviews proactively catch fraud, capacity problems, and call quality degradation weeks before they surface as user complaints.


CUCM CDR Analysis in Practice: A Security Investigation Walkthrough

A corporate security team receives a tip: a user may be sharing sensitive information with an external contact. Here's how a structured CDR investigation proceeds.

Phase 1 – Pull Call History

The investigator accesses CAR's CDR Search, queries by the suspect's extension across the relevant date range, and exports all associated call legs. Each row is reviewed for external destinations, call duration, and connect/disconnect patterns.

Phase 2 – Correlate and Reconstruct

Using globalCallID, the investigator links all legs of multi-segment calls. Differences between originalCalledPartyNumber and finalCalledPartyNumber reveal whether calls were forwarded to mask the true destination. origCause_value codes confirm which calls actually connected versus which were abandoned.
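
The Step 5 interpretation rules and the Phase 2 correlation, applied to a raw export. This is an added example, not code from the original guide or from Cisco; the sample rows are constructed and trimmed to ten columns, and they assume, as the guide states, that every leg of a call carries the same globalCallID pair.

```python
import csv
import io
from collections import defaultdict

# Q.850 codes named in this guide; other codes are reported numerically.
Q850 = {16: "Normal Clearing", 34: "No Circuit Available", 41: "Temporary Failure"}

# Constructed sample rows (not real call data), trimmed to the columns used here.
SAMPLE_CDR = """\
globalCallID_callManagerId,globalCallID_callId,dateTimeOrigination,callingPartyNumber,originalCalledPartyNumber,finalCalledPartyNumber,dateTimeConnect,origCause_value,destCause_value,duration
1,5001,1700000000,2001,3005,3005,1700000008,16,0,60
1,5001,1700000070,3005,912025550100,912025550100,1700000075,0,16,300
1,5002,1700001000,2001,3010,3010,0,16,0,0
2,5001,1700002000,2044,3020,912025550199,1700002006,0,16,30
"""

def cause(code):
    return Q850.get(int(code), f"Q.850 code {int(code)}")

def describe_leg(row):
    """Apply the per-row interpretation rules to one CDR row."""
    return {
        "from": row["callingPartyNumber"],
        "dialed": row["originalCalledPartyNumber"],
        "reached": row["finalCalledPartyNumber"],
        "answered": int(row["dateTimeConnect"]) != 0,   # 0 = never answered
        "forwarded": row["originalCalledPartyNumber"] != row["finalCalledPartyNumber"],
        "seconds": int(row["duration"]),                # connected time only
        "orig_cause": cause(row["origCause_value"]),
        "dest_cause": cause(row["destCause_value"]),
    }

def reconstruct(text):
    """Group rows into calls and order each call's legs by origination time."""
    calls = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        # Key on both globalCallID fields, as the guide directs.
        key = (int(row["globalCallID_callManagerId"]), int(row["globalCallID_callId"]))
        calls[key].append(row)
    return {k: [describe_leg(r) for r in sorted(v, key=lambda r: int(r["dateTimeOrigination"]))]
            for k, v in calls.items()}

def call_path(legs):
    """Numbers touched by a call, in order, across all of its legs."""
    return [legs[0]["from"]] + [leg["reached"] for leg in legs]

if __name__ == "__main__":
    for key, legs in reconstruct(SAMPLE_CDR).items():
        print(key, " -> ".join(call_path(legs)), sum(l["seconds"] for l in legs), "s")
```

Read row by row, call (1, 5001) looks like a one-minute internal call; correlated, it is 2001 to 3005 to an external number with 360 connected seconds in total.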

Phase 3 – Layer in CMR Data

CMR records add a dimension that CDRs alone can't provide. High-duration calls to external numbers with normal jitter and latency readings indicate genuine voice conversations. Calls with anomalous media characteristics may warrant separate scrutiny. This layered analysis distinguishes substantive conversations from accidental connections or voicemail drops.

[Figure: Four-phase CUCM CDR security investigation workflow from call history to evidence packaging]

Phase 4 – Package the Evidence

The evidentiary record typically includes:

  • A chronological communication timeline
  • Call duration summaries by destination
  • Annotated CDR exports with highlighted records
  • CMR data supporting characterization of call content

If this evidence is destined for HR proceedings, litigation, or law enforcement, the raw CDR flat files must be preserved with cryptographic hashing and a documented chain of custody, consistent with NIST IR 8387 guidance on digital evidence preservation.

Standard CAR exports and Excel-based reviews don't meet the preservation standard required for court-admissible evidence. Engaging certified forensic professionals before the data is touched, rather than retrofitting the process after the fact, keeps findings defensible.
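
The hashing step mentioned above, shown as a SHA-256 manifest taken at collection time and re-checked later. This is an added example, not a procedure from the original guide or from NIST IR 8387; the file names, file contents, and collector label are constructed placeholders, and the manifest format is an assumption.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash a file in chunks so large exports never load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(directory, collected_by):
    """Record who collected the flat files, when (UTC), and each file's SHA-256."""
    names = sorted(n for n in os.listdir(directory) if os.path.isfile(os.path.join(directory, n)))
    return {
        "collected_by": collected_by,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": {n: sha256_file(os.path.join(directory, n)) for n in names},
    }

def verify(directory, manifest):
    """Return {filename: problem} for anything that no longer matches the manifest."""
    problems = {}
    for name, expected in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems[name] = "missing"
        elif sha256_file(path) != expected:
            problems[name] = "modified"
    for name in os.listdir(directory):
        if name not in manifest["files"]:
            problems[name] = "not in manifest"
    return problems

def demo():
    """Constructed files stand in for SFTP-delivered CDR/CMR flat files."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("cdr_sample_0001", b"2001,3005,60\n"), ("cmr_sample_0001", b"2001,12,40,0\n")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        manifest = build_manifest(d, "examiner-placeholder")
        clean = verify(d, manifest)
        with open(os.path.join(d, "cdr_sample_0001"), "ab") as fh:
            fh.write(b"2044,912025550199,30\n")   # simulate a post-collection edit
        os.remove(os.path.join(d, "cmr_sample_0001"))
        return clean, verify(d, manifest)
```

Keep the manifest outside the evidence directory and on separate media, so that the record used to check the files cannot be altered along with them.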


How Prudential Associates Can Help

When CUCM CDR analysis moves from routine IT reporting into corporate investigations or legal proceedings, the methodology shifts entirely. Prudential Associates has provided digital forensics, CDR analysis, and litigation support to corporate clients, government agencies, and the legal community for over five decades.

The team holds 30+ professional certifications applicable to CDR forensic work, including GCFA, EnCE, CFCE, CISSP, CFE, GNFA, MCFE, and ACE. CEO Jared Stern has testified as a forensic expert in state and federal proceedings on more than 500 occasions — experience that matters when opposing counsel challenges the integrity of call record evidence.

Prudential's CDR analysis services include:

  • Forensic extraction and preservation of CDR/CMR flat files with cryptographic hash verification and chain of custody documentation
  • Pattern analysis for insider threat investigations — identifying anomalous call behavior, external contact frequency, and after-hours activity
  • Expert reports prepared for litigation, regulatory proceedings, and HR investigations
  • Attorney consultation on interpreting CDR evidence, including testimony about call record fields, termination codes, and multi-leg call reconstruction

Attorneys and corporate security teams engage Prudential when CDR findings need to survive legal scrutiny — depositions, regulatory proceedings, and courtroom testimony included. Contact Prudential Associates to discuss your matter.


Frequently Asked Questions

What is CUCM CDR?

CUCM CDR stands for Cisco Unified Communications Manager Call Detail Record. It's a structured data entry generated after every processed call, capturing caller identity, destination, timestamps, duration, and termination cause—used for billing, security analysis, and compliance reporting.

How do I check CDR reports in CUCM?

Access the CAR tool directly at https://<CUCM-IP>:8443/car/ or through Cisco Unified Serviceability > Tools > CDR Analysis and Reporting. From there, administrators can run on-demand reports or search CDRs by extension, gateway, date range, or termination cause.

What is the difference between CDR and CMR in CUCM?

CDRs capture who called whom, when, and for how long—the billing and routing layer. CMRs (Call Management Records) capture voice quality metrics: jitter, latency, and packet loss. Both record types are needed for complete call analysis, especially when troubleshooting voice quality issues.

How long does CUCM retain CDR data?

The CAR database caps at 6 GB or 2 million CDR records and automatically purges the oldest records when either limit is exceeded. Retention duration is configurable, but organizations with long-term requirements should export and archive records regularly—on-system storage alone is not reliable for compliance.

Can CUCM CDR data be used as legal evidence?

CDR records can serve as digital evidence in legal proceedings, but admissibility depends on collection method and documentation. Forensically sound extraction with cryptographic hashing and a documented chain of custody is required—standard CAR report exports do not meet court standards.

What are the most important CDR fields for troubleshooting?

Start with these four fields:

  • dateTimeConnect — a zero value means the call was never answered
  • origCause_value / destCause_value — Q.850 termination codes identifying why calls ended
  • originalCalledPartyNumber vs. finalCalledPartyNumber — reveals call forwarding
  • CMR fields jitter, latency, numberPacketsLost — voice quality indicators