Hi There,
I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log. When I click on the Security Log I don't see Audit Success or Audit Failure as an event type. It just has Error, Warning and Information. If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change. Am I doing something wrong? How can I see Audit Failure as an Event Type?
Thanks,
Good day Community,
I am experiencing an urgent issue. The sys log server forwarder is forwarding the following message to the KIWI sys log server. The actual security logs are showing the correct information, however the message below is being showed. I thought it was the server, but wen I added another sever to forward security logs, I am getting the same message as shown below.
Can anyone who have encountered this message or know how to resolve this issue. The security logs are on the server and I can view them using event viewer properly and audit logs are reflecting fine.
I would really appreciate your humble assistance or comments.
Apr 08 14:36:34 CASSIOPEIA1.carimed.local MSWinEventLog 5 Security 495 Wed Apr 08 14:36:33 2015
4624 Microsoft-Windows-Security-Auditing N/A Audit Success CASSIOPEIA1.carimed.local 12544
The description for Event ID 4624 from source Microsoft-Windows-Security-Auditing cannot be
found. Either the component that raises this event is not installed on your local computer or
the installation is corrupted. You can install or repair the component on the local computer.If
the event originated on another computer, the display information had to be saved with the
event.The following information was included with the event: S-1-0-0. FormatMessage failed with
error 1815, The specified resource language ID cannot be found in the image file.
I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service. Here is the hardware platform:
HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1
I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:
Log Name: Application
Source: Application Error
Date: 3/15/2012 10:42:42 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
<EventRecordID>2945</EventRecordID>
<Channel>Application</Channel>
<Computer>************</Computer>
<Security />
</System>
<EventData>
<Data>Syslogd_Service.exe</Data>
<Data>9.2.0.1</Data>
<Data>4d069c0f</Data>
<Data>unknown</Data>
<Data>0.0.0.0</Data>
<Data>00000000</Data>
<Data>c0000005</Data>
<Data>0000000a</Data>
<Data>91d0</Data>
<Data>01cd02c944ab6d53</Data>
<Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
<Data>unknown</Data>
<Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
</EventData>
</Event>
---------------------------
The following was in the Syslogd Errorlog.txt:
2012-03-15 09:32:52 Command line license key accepted.
2012-03-15 10:42:41 *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41 Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------
I have opened SolarWinds case #323438 regarding this.
Has anyone else ever run into this issue?
I'm receiving the following error whenever I try to open the Kiwi Syslog Manager (Console).
Faulting application name: Syslogd_Manager.exe, version: 9.4.0.2, time stamp: 0x54fda0df
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x043c05b8
Faulting process id: 0x780
Faulting application start time: 0x01d0b3331378b7a3
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe
Faulting module path: unknown
Report Id: 51d9622d-1f26-11e5-80eb-0050569a06c7
Faulting package full name:
Faulting package-relative application ID:
This is on a fresh physical Windows 2012 server and is running as a local system service. The service runs, collects logging, and we have web access working. However, whenever I try to open the Kiwi Manager, it crashes. I do have a support ticket in place but as of now, it has been sent up to the developers. It's frustrating for the syslog catchall files because we can't filter what we want.
What's weird is that it run perfectly fine on Windows 2003 Storage Server.
Before install i did the following:
Disabled UAC
Disabled any HIPS / HBSS so that doesn't block the install.
Set a different TMP / TEMP directory with read/write privileges.
Tried a dedicated local admin-account to run the service and tried just local system.
Any help or information in this regards would be a HUGE help. I'm pretty stumped at the moment.
I have installed and configured Kiwi Syslog, i recently started noticing the service stops randomly. after looking through event logs im finding that the app keeps crashing and i get the below. any ideas?
Faulting application name: Syslogd_Service.exe, version: 9.4.0.2, time stamp: 0x54fda0c5
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x064edf14
Faulting process id: 0x%9
Faulting application start time: 0x%10
Faulting application path: %11
Faulting module path: %12
Report Id: %13
Faulting package full name: %14
Faulting package-relative application ID: %15
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: Syslogd_Service.exe
P2: 9.4.0.2
P3: 54fda0c5
P4: unknown
P5: 0.0.0.0
P6: 00000000
P7: c0000005
P8: 064edf14
P9:
P10:
Attached files:
C:\Windows\Temp\WER751C.tmp.WERInternalMetadata.xml
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\memory.hdmp
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\minidump.mdmp
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e
Analysis symbol:
Rechecking for solution: 0
Report Id: e3d4b04b-1f3b-11e5-80de-005056aa628b
Report Status: 4
Hashed bucket:
Hi all.
I have just installed Kiwi Syslog Server 9.5 on a test machine to evaluate its suitability for a project I'm working on. It's currently still running in 14-day Evaluation mode.
We can't seem to get it to receive SNMP traps at all. No matter what we do, netstat shows nothing listening on UDP port 162. SNMPv1 traps are being sent to the server, and we can see them in Wireshark arriving at the server, but Kiwi isn't listening for them.
In desparation, we tried enabling the Windows SNMP Trap service (although we understand this isn't required?) and this 'absorbed' the traps, but nothing appeared in Kiwi.
The test machine is running Windows 7 (32-bit) with the Windows Firewall switched off.
Should the 14-day Evaluation be able to receive SNMP traps?
Thanks in advance for any advice!
The Release Candidate for Kiwi Syslog Server 9.5 is now ready! The new Kiwi Syslog version is packed with great new features and improvements. RC is the last step before general availability, and it is a chance for existing customers to get the newest functionality before it is available to everyone else. You can download it from the LATEST DOWNLOADS FOR YOUR PRODUCTS section of the customer portal. Change filter to "Release Candidate" and click on download button next to Kiwi Syslog RC version.
This release contains various improvements such as
RC builds are made available to existing customers prior to the formal release. These are used to get customer feedback in production environments and are fully supported. If you have any questions I encourage you to leverage the KSS forum on thwack.
Now go and download new version now!
Currently Kiwi Syslog Server 9.x release supports syslog based on RFC 3164. Are there any plans to add support for RFC 5424 in a future release?
Thank you,
David
I am having trouble updating the hostname cache in SysLog Server after I update the hosts.txt file.
Here is a typical example:
You can see the hostname field has an old entry. The NetBIOS name in the message field shows the current NetBIOS name.
The current host name entry in the hosts.txt file:
SysLog Server is supposed to flush address entries every 24 hours but I do not see the static cache entries update. I have cleared all entries in the DNS cache then chosen the static entries text file again but it now doesn't show any static entries in the cache view. Is there another step I need to take?
We are looking into sending messages to Kiwi Syslog from a few login scripts. I have seen some references to a command line utility named klog.exe as well as some DLLs (and other VB libraries). However, I cannot find a way to download them or find them on the Kiwi Syslog server. Are these tools still available? If so, where? If not, why?
thank you.
On faster Windows 7 machines it has been reported that the Kiwi SyslogGen (Syslog Message Generator) test utility sometimes does not actually send messages to a locally installed Kiwi Syslog Server. If SyslogGen does not send messages to your syslog server through localhost, please try the following suggestions in your Kiwi Syslog Message Generator configuration.
You can download a free copy of Kiwi SyslogGen from the Kiwi Downloads page.
Please, i need to know if kiwi syslog server is able to show the log statistics for every device separately? on other hand, Can i know EPS "Event per second" for every device among a specific period??
Hello,
I just installed Syslog on a Windows 8 VM (ESXi 5.5).
However... I don't received any message from the router (Cisco RV042G) I want to log.
I tried the generic troubleshhoting :
• Check network connectivity by pinging from the sending device to the Syslog Server machine => OK
• Check only one instance of Kiwi Syslog Server is running (Ctrl-Shift-Esc to get the task-list) => OK, only one
• Disable any personal firewall software such as ZoneAlarm or BlackIce => Disabled
• Use a sniffer to check if messages from the routing are reaching the PC => Yes, I can see them
• Check DNS resolution is working as expected by pinging a hostname from the Command Prompt => OK
• Check that there is a "Display" action setup for the facility and level you are expecting to receive messages on. => OK
• Send a test message to yourself by pressing Ctrl+T => Displayed
• Download a copy of the Free Syslog Server Message Generator (SyslogGen) from: www.kiwisyslog.com/downloads => Done
• Install SyslogGen and set it to send a message every second to the address 127.0.0.1 (local host). => Not displayed, and I don't see them in a local packet capture.
• Try sending messages with SyslogGen from another machine to the host running the Syslog Server => Not displayed, but see them on a packet capture (on Syslog PC)
Do you have any idea about the cause of this issue ?
Thanks in advance for your help.
Dear All,
We are planning to setup a syslog server. i.e, move from Orion inbuilt syslog to kiwi syslog.
We are not utilizing orion inbuilt at this point to fullest. Just few devices are configured to send logs to this inbuilt syslog
We have around 5 devices per centers across 60 location (13 Countries)
1) 2 Routers
2) 1 Bandwidth Shaper
3) 2 Switch Stacks
4) 1 WLC with 10 APs minimum
Total=250 Devices.
I would like to what is the best approach.
1) How many syslog license i should be looking at?
2) What kind of server configuration is required ?
3) We need a log retention policy of 15 days. Should I consider to setup a DB to for log storage?
4) Can the Orion inbuilt syslog write messages to external DB storage
Brand new KIWI 9.1 eval user... succeeded in getting my SYSLOG fed to a SQL table, but need to parse the msgtext field. I'm not a script writer, but hope there is a way to do this without scripting??? I've attached an exerpt from what ends up in the SQL table. The delimiter for the MSGText field is Binary 09 which I believe is a tab? Also, a screen shot of how my rules are currently set up (and feeding but not parsing...)
The actual log entry would look like this with the underlined bold part being the msgtext to be parsed.......
2010-11-05 13:22:11 Local4.Info 10.0.1.11 Nov 5 13:22:11 iprism: WEB<009>http<009>1288988531<009>P<009>10.31.40.248<009>CKHS_Students<009>cksduser\vollmer3861m<009>287<009>http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif?labels=NewsAndReference<009>internet services<009>0<009>HTTPGET<009>200<009>image/gif
Any thoughts would be greatly appreciated!
Thanks all...
Using Kiwi Syslog (ver. 9.3) with log forwarder for windows (ver 1.1). Have one 2003 server that will not forward events of any type to the syslog server. All other servers in environment, both 2003 and 2008, will forward to syslog server. Have made exceptions in firewall rules, opened up port 514 and turned off firewall all together. Still no go. Test messages can be created, but not sent and actual events show up in security log (unsuccessful log in, event id 529) but are not forwarded. Any ideas on what to check next or is this just an unhappy old server that will not cooperate?
Hi
i am installing syslog in my server room to monitor the log in/log out operations on serers... i installed log forwarder on some windows server 2003 servers and everithig is ok but now i installed it on some windows server 2012 and all the messages that i receive from these servers are like this :''06-08-2015 17:03:47 Kernel.Info 172.19.12.119 giu 08 17.03.47 srv-av.astergenova.it MSWinEventLog 6 Application 127 lun giu 08 17.03.41 2015 1003 Microsoft-Windows-Security-SPP N/A Information srv-av.astergenova.it 0 The description for Event ID 1003 from source Microsoft-Windows-Security-SPP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 55c92734-d682-4d71-983e-d6ec3f16059f. FormatMessage failed with error 15100, The resource loader failed to find MUI file."
do you have idea of how to fix this? syslogger is installed on a xp machine but i also tried to install it on a windows 2012 server machine and nothing changed
Has anyone else ever run into this issue?
I'm receiving the following error whenever I try to open the Kiwi Syslog Manager (Console).
Faulting application name: Syslogd_Manager.exe, version: 9.4.0.2, time stamp: 0x54fda0df
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x043c05b8
Faulting process id: 0x780
Faulting application start time: 0x01d0b3331378b7a3
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe
Faulting module path: unknown
Report Id: 51d9622d-1f26-11e5-80eb-0050569a06c7
Faulting package full name:
Faulting package-relative application ID:
This is on a fresh physical Windows 2012 server and is running as a local system service. The service runs, collects logging, and we have web access working. However, whenever I try to open the Kiwi Manager, it crashes. I do have a support ticket in place but as of now, it has been sent up to the developers. It's frustrating for the syslog catchall files because we can't filter what we want.
What's weird is that it run perfectly fine on Windows 2003 Storage Server.
Before install i did the following:
Disabled UAC
Disabled any HIPS / HBSS so that doesn't block the install.
Set a different TMP / TEMP directory with read/write privileges.
Tried a dedicated local admin-account to run the service and tried just local system.
Any help or information in this regards would be a HUGE help. I'm pretty stumped at the moment.
SolarWinds's own Justin Finley just recorded a video tutorial that shows how to resolve IP addresses into hostnames in Kiwi Syslog Server.
External link to Jing: DNS Resolution - justinfinley's library
Video Guide:
Remember to "LIKE" this if you find it useful - that helps others find it too!
Hi
today i installed the log forwarder on a windows server 2012 machine but i am facing the following error:
after the installation, it seems that the log forwarder agent doesn't want to start (also the console seems to be unresponsive)
and if i try to start manually the log forwarder agent service, i receive a message box that informs me that :''the solarwinds event forwarder for windows service, started and than stopped. some services stops automatically if they are not used by any program or service''
did you ever faced something like this?
how do i have to procede?
thanks a lot
