We are looking into sending messages to Kiwi Syslog from a few login scripts. I have seen some references to a command line utility named klog.exe as well as some DLLs (and other VB libraries). However, I cannot find a way to download them or find them on the Kiwi Syslog server. Are these tools still available? If so, where? If not, why?
thank you.
I'm getting a syslog from Cisco ACS and it reads like this on Kiwi:
Dec 1 18:44:56 10.16.162.129- sv-chof-acs01.na.bluecap123.net CisACS_01_PassedAuth 1as18p83x 1 0 User-Name=pete,Access Device=SW-CHCL-EXC2
I would like to edit this message to omit some of the garbage I don't care about and display something like this:
PassedAuth - User-Name=pete,Access Device=SW-CHCL-EXC2
Does anyone know of a way to modify incoming syslog messages?
Any help would be appreciated.
Pete
Hi guys,
I recently installed Kiwi Syslog on a Windows Server 2008 machine, however I had to uninstalled the program as the customer wants to be on the D:\ . But now I am not able to install the program on D:\ or even back
on C:\ as I get the error message "an unlicensed version is detected" hence the installation cannot proceed any longer.
Can anyone help? Where can I delete the old files so i am able to install the software again? I need to install this quite urgently, I have the license with me but I did not activate the license in my previous installation since it was not installed on the right drive.
Please help.
Thanks.
I have a Cisco ASA 5505 that is setup to send syslogs to a remote syslog server.
I have kiwi syslog (free) installed on a Windows 2003 R2 Server and it is listening on UDP port 514. The syslog server also is my Ciscoworks v3.2 server.
I can ONLY see the Ciscoworks log files and not the ASA. I only want to display the ASA log files.
I have googled, read the user guide, and search the forum and cannot find any procedure that I can tweak Kiwi to log the syslog files from my ASA which is being used as a VPN concentrator.
Any ideas?
I am new to kiwi syslog server. Configured kiwi syslog server with default fields to log messages to MYSQL DB and working fine.
But I wish to parse the message and log to MYSQL DB using custom fields. I dont have any knowledge about scripting.
Sample log is shown below. Each field is separated by a single space character. The message content is highlighted in red.
2012-09-01 10:37:14 Local6.Warning HQ-IPS-01 DefensePro: 01-04-2012 19:49:25 WARNING 300000 Intrusions "BO-WINXP" TCP ACCTS-C-PC1 1607 ACCTS-C-PC2 80 3 Regular "DMZ-Policy" occur 1 0 N/A 0 N/A low drop FFFFFFFF-FFFF-FFFF-0001-00004F7B1BE5
Only the following things needs to be extracted and logged to DB.
MsgDate: 2012-09-01
MsgTime: 10:37:14
MsgHostname: HQ-IPS-01
AttackId: 300000
AttackType: Intrusions
AttackDesc: BO-WINXP
AttackSrc: ACCTS-C-PC1
AttackDst: ACCTS-C-PC2
The number of such logs that needs parsing by the script will be more.
Request provide me guidance in configuring this.
Any help on this would be greatly appreciated!
Thanks all...
During installation of Syslog Web Access, you are prompted for a userid and password. The password can be changed at any time easily.
But how does one change the userid? Where is it stored?
We even went as far as trying to reinstall syslog web access to get to the initial userid prompt again. But having already asked us once, it did not ask us again.
Thanks,
-Ken
Hello,
I am trying to send events from a Cisco 3750 switch to our Kiwi syslog server but am unsure of the config for the switch.
Should the following work:
Switch (config) # logging on
Switch (config) # logging Syslog Server IP
Switch (config) # logging trap error
This command will send (Error 3) events (0-3) to the Kiwi server via UDP514. Is this the supported method of transfer?
Should this work or is there a "Supported" switch configuration that I should be using.
Thank you,
Chris
HI all,
My first post, i wish to share you some tips i found.
My main goal was to have access to the kiwi web site working with SSL...
But looking at Cassinni Web Server, it wasn't possible.
After searching more on this forum I found a post about a Rewriting Module with Apache ; so why dont we do it with IIS ?
Here we go !
- Win 2008 R2 , IIS 7 (with auth modules etc ...) , at least a working SSL certificate for the HTTPS listener (this post will not cover how PKI works, certs installation etc .... sorry).
- We will use the ARR 2.0 module x64 for IIS... See References at bottom for DL link, install it.
- A running Kiwi Syslog Server and the Web Access working on port 8088. Access via a browser works on this port.
- Enable the rewrite/proxy module in IIS
- Create a new IIS Web Site with HTTPS Listener on TCP Port 8090
- Create a rule to rewrite requests from 8090 to 8088
- When connecting on https://server:8090 , we would see Kiwi Web page.
"C:\Windows\System32\inetsrv\appcmd.exe" set config -section:system.webServer/proxy /enabled:"True" /commit:apphost
set syslogwebdir=c:\inetpub\syslog
set syslogsitename=SYSLOG
"C:\Windows\System32\inetsrv\appcmd.exe" add site /name:"%syslogsitename%" /id:15 /bindings:https/*:8090: /physicalPath:"%syslogwebdir%"
3.1 With batch/cmd line(copy/past to a BAT file)
set CERTHASH=EnterYourHashHere
netsh http add sslcert ipport=0.0.0.0:8090 certhash=%CERTHASH% appid={00000000-0000-0000-0000-000000000000}
3.2 With IIS Manager (if you don't know where to read Hash Certificate).
-Right Click on SYSLOG site, modify Bindings.
-Select https 8090 * Listener > Modify.
-On the "box" SSL Certificate, choose your certificate for the server.
-"OK"
set syslogsitename=SYSLOG
set syslogrulename="Rewrite to Kiwi localhost 8088"
:: Rewrite Rule creation
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /+[name='%syslogrulename%']
:: Rule Parameters (one line)
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /[name='%syslogrulename%'].action.type:"Rewrite" /[name='%syslogrulename%'].match.url:"(.*)" /[name='%syslogrulename%'].action.url:"http://localhost:8088/{R:1}"
Test with your browser https://localhost:8090/
Now you can access from an "admin desktop" to this new SSL web site ...
Configure your firewalls to forbid access on port 8088 to this server (or/and configure the internal Windows Firewall of this server to allow only Localhost connection on 8088).
Image may be NSFW.
Clik here to view.
6. Refs Used
http://learn.iis.net/page.aspx/489/using-the-application-request-routing-module/
---
At the beginning i was thinking to use http://mysite/syslog/ as a virtual directory, but I got some troubles with events.aspx and the rewrite module.
Inbound Rules was OK ; But Outbound Rules to rewrite URLS were not working as expected ; and filters in Kiwi were not working anymore.
That's why i decided to create a new site on another binding, with a root site ; so don't need to create Outbound Rules ...
---
Sorry for my English ... i'm french :)
Hi there,
If I were to install KiwiSyslog Server on an offline server without access to the Internet, How do I download the prerequisites? Where can I find them? Anyone has the exact location it would be great. I am installing it on a Windows Server 2008 64 Bit R2 Server.
Microsoft .NET Framework and C++ 2008 Redistributable package are easy to come by, but for the others, it's a little difficult to get it exactly.
Thanks.
What it does:
Log Forwarder for Windows allows you to forward Windows events as Syslog to your Kiwi Syslog Server
How to get it:
If you download the Kiwi Syslog Server 9.0 from your customer portal, you will see there is an additional Log Forwarder executable included with your download. The Log Forwarder for Windows was developed by the Kiwi Syslog team. It is available at no cost to Kiwi Syslog customers current on maintenance.
Try it out and let us know what you think!
I am trying to quiet down my kiwi syslog server a bit. I have reporting working well for several functions.
I have it alerting on any service "entered the stopped state" but this is making my server noisy.
I want to exclude "The Application Experience service" from sending an alert, but can't seem to get the text to parse properly to do this.
I have made my rule like so, but it's not working properly.
Image may be NSFW.
Clik here to view.
Am I doing this right, or should I be doing this another way?
Does anyone else notify on services stopping?
Thanks.og_setup
All
I have setup my KIWI syslog server to listen for SNMP traps, successfully. Is there a way to setp KIWI, or an available action to forward the SNMP traps to other SNMP trap receivers as KIWI receives them.
Thanks
KIWI New Guy
I am needing to forward all of our DHCP audits to the syslog, however I cannot figure out how to do that with the Log Forwarder. Which source do I use in the Event Viewer? The audit is logged to a file. Is there any way to forward changes to files?
Hi people !
I am testing Kiwi Syslog Server Service edition with Evaluation Version....
I am running Kiwi on a 2008r2 SP1 (R2 is x64).
I am trying to run the Kiwi daemon with the system local account ; but i have the error 1053 poping:
" The service did not respond to the start or control request in a timely fashion "
I tried to adjust the timeout Value in the Registry to 60 (30 by default) ; no way the kiwi syslog Service don't start.
I created the debugging value to see what happening on startup, but i have only :
2011-11-21 18:50:19 Start-up file Initialized.
2011-11-21 18:50:19 Performing NT Service setup for Kiwi Syslog Server
2011-11-21 18:50:19 Service Starting - NTServiceSetup
--
When i am using the administrator account of the server ; the service starts quickly ...here is the debug log :
2011-11-21 19:03:44 Start-up file Initialized.
2011-11-21 19:03:44 Performing NT Service setup for Kiwi Syslog Server
2011-11-21 19:03:44 Service Starting - NTServiceSetup
2011-11-21 19:03:44 Service startup triggered. Parameters:
2011-11-21 19:03:45 Startup entered
2011-11-21 19:03:45 About to initialise sockets
2011-11-21 19:03:45 Listening on InterApp TCP port 3300
2011-11-21 19:03:45 Listening on UDP port 514
2011-11-21 19:03:46 Message check timer started
2011-11-21 19:03:46 Startup completed
But for security reason i can't use an admin Account, i need to use the local system account.
--
I ran procmon to see what's wrong ; no errors about File/Registry denied access.
When using Local system account, the process stops here :
Image may be NSFW.
Clik here to view.
--
When using an Admin account , the process starts, and "hits" an .INI file (KRDP_Sessions.ini) :
Image may be NSFW.
Clik here to view.
--
Can you have any information on this ?
Regards,
I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service. Here is the hardware platform:
HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1
I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:
Log Name: Application
Source: Application Error
Date: 3/15/2012 10:42:42 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
<EventRecordID>2945</EventRecordID>
<Channel>Application</Channel>
<Computer>************</Computer>
<Security />
</System>
<EventData>
<Data>Syslogd_Service.exe</Data>
<Data>9.2.0.1</Data>
<Data>4d069c0f</Data>
<Data>unknown</Data>
<Data>0.0.0.0</Data>
<Data>00000000</Data>
<Data>c0000005</Data>
<Data>0000000a</Data>
<Data>91d0</Data>
<Data>01cd02c944ab6d53</Data>
<Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
<Data>unknown</Data>
<Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
</EventData>
</Event>
---------------------------
The following was in the Syslogd Errorlog.txt:
2012-03-15 09:32:52 Command line license key accepted.
2012-03-15 10:42:41 *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41 Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------
I have opened SolarWinds case #323438 regarding this.
If I setup Kiwi Syslog to forward to another system such a Voyence. Will Kiwi keep the source IP of the deivce that sent the syslog?
I have a Cisco ASA 5505 that is setup to send syslogs to a remote syslog server.
I have kiwi syslog (free) installed on a Windows 2003 R2 Server and it is listening on UDP port 514. The syslog server also is my Ciscoworks v3.2 server.
I can ONLY see the Ciscoworks log files and not the ASA. I only want to display the ASA log files.
I have googled, read the user guide, and search the forum and cannot find any procedure that I can tweak Kiwi to log the syslog files from my ASA which is being used as a VPN concentrator.
Any ideas?
I cannot find instructions anywhere for the recommended method of upgrading. Do I just run the setup? What about the log forwarder? The upgrade docs must be here somewhere and I just apparently am a failure when it comes to finding them.
Thanks.
Debbi
I saw a posting back in May 2009 that was answered saying this isn't possible yet but was expected to be included in the next release.
Is there now a way to exclude events from being forwarded based on keywords in the message text? I'd like to reduce the "noise" level by not logging extremely routine events such as logins by my monitoring service account. Excluding by event id won't work for me as I only want to exclude certain logins.
TIA
Bill
With the massive amount of noise generated in Windows event logs it makes a lot of sense to limit the events sent by logforwarder to a central syslog server instead of sending everything and having it do all the filtering. Ideally regex for the filtering but even simple DOS-style wildcards would be useful, especially if a delimited list was allowed for 'OR' support. Filtering should support both include & exclude rules.
Thanx,
Bill
